Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncycastle Password Hashing

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, refer to the original arXiv source.

Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for the mistakes programmers make that result in security vulnerabilities in the applications they develop. In particular, APIs that provide cryptographic functionality such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs and make them easy to learn and use, it is important to identify the usability issues in them that make them harder to learn and use. In this work, we evaluated the usability of the SCrypt password hashing functionality of the Bouncycastle API to identify usability issues that lead programmers to make mistakes, while developing applications, that result in security vulnerabilities. We conducted a study with 10 programmers, each of whom spent around 2 hours attempting to develop a secure password storage solution using the Bouncycastle API. From the data we collected, we identified 63 usability issues in the SCrypt implementation of the Bouncycastle API. The results of our study provide useful insights into how security/cryptographic APIs should be designed, developed and improved to give a better experience to the programmers who use them. Furthermore, we expect that this work will provide guidance on how to conduct usability evaluations of security APIs to identify the usability issues that exist in them.


💡 Research Summary

The paper investigates the usability of the SCrypt password‑hashing functionality provided by the BouncyCastle cryptographic library. Recognizing that insecure implementations often stem from developers’ difficulties in using complex security APIs, the authors designed a qualitative user study to uncover concrete usability problems that could lead to insecure password storage.

Ten experienced Java developers were recruited through GitHub, ensuring participants had real‑world programming experience. Each participant was given a two‑hour task: modify a simple web application that initially stores passwords in plain text so that it securely hashes passwords using BouncyCastle’s SCrypt implementation. Participants worked remotely, thinking aloud while their screens and audio were recorded. After the task, they completed a cognitive‑dimensions questionnaire to capture their mental models of the API.

The SCrypt API in BouncyCastle exposes a static method `SCrypt.generate(byte
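As an added example of what a correct solution to the study task looks like (this is not code from the paper, and not part of the BouncyCastle project), the class below hashes and verifies passwords with `org.bouncycastle.crypto.generators.SCrypt.generate(byte[] P, byte[] S, int N, int r, int p, int dkLen)`. It assumes `bcprov` is on the classpath; the `$scrypt$N$r$p$salt$hash` record layout, the cost parameters and the sample password are assumptions made for this example.

```java
// Added example (not code from the paper or from the BouncyCastle project): a
// minimal, correct use of org.bouncycastle.crypto.generators.SCrypt for password
// storage. Needs bcprov on the classpath. The "$scrypt$N$r$p$salt$hash" record
// layout and the parameter values below are assumptions chosen for this example.
import org.bouncycastle.crypto.generators.SCrypt;

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public final class ScryptPasswordStore {
    // Cost parameters (assumed): N must be a power of two greater than 1, and
    // BouncyCastle rejects r * p >= 2^30. N=2^15, r=8 uses about 32 MiB per hash.
    private static final int N = 1 << 15;
    private static final int R = 8;
    private static final int P = 1;
    private static final int SALT_LEN = 16; // 128-bit random salt, fresh for every password
    private static final int KEY_LEN = 32;  // derived key length in bytes

    private static final SecureRandom RNG = new SecureRandom();

    /** Hash a new password; the salt and the cost parameters are stored next to the hash. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt); // SecureRandom, never java.util.Random and never a constant
        byte[] pw = utf8(password);
        try {
            byte[] dk = SCrypt.generate(pw, salt, N, R, P, KEY_LEN);
            Base64.Encoder enc = Base64.getEncoder().withoutPadding();
            return "$scrypt$" + N + "$" + R + "$" + P + "$"
                    + enc.encodeToString(salt) + "$" + enc.encodeToString(dk);
        } finally {
            Arrays.fill(pw, (byte) 0);
        }
    }

    /** Verify a login attempt; salt and cost parameters come from the stored record. */
    public static boolean verify(char[] password, String stored) {
        String[] f = stored.split("\\$"); // ["", "scrypt", N, r, p, salt, hash]
        if (f.length != 7 || !"scrypt".equals(f[1])) {
            return false;
        }
        int n, r, p;
        byte[] salt, expected;
        try {
            n = Integer.parseInt(f[2]);
            r = Integer.parseInt(f[3]);
            p = Integer.parseInt(f[4]);
            salt = Base64.getDecoder().decode(f[5]);
            expected = Base64.getDecoder().decode(f[6]);
        } catch (IllegalArgumentException malformed) { // covers NumberFormatException too
            return false;
        }
        byte[] pw = utf8(password);
        try {
            byte[] dk = SCrypt.generate(pw, salt, n, r, p, expected.length);
            return MessageDigest.isEqual(dk, expected); // constant-time comparison
        } finally {
            Arrays.fill(pw, (byte) 0);
        }
    }

    // Encode without going through an immutable String, so the copy can be wiped.
    private static byte[] utf8(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0);
        }
        return out;
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        String record = hash(pw);
        System.out.println(record);
        System.out.println("correct password verifies: " + verify(pw, record));
        System.out.println("wrong password verifies:   " + verify("Tr0ub4dor&3".toCharArray(), record));
        // Hashing the same password twice gives different records because the salt is fresh.
        System.out.println("records differ: " + !record.equals(hash(pw)));
    }
}
```

The points a reviewer would check in a participant's solution are all visible here: the salt is random and per-password, the cost parameters travel with the record so they can be raised later without breaking old hashes, the comparison is constant-time, and the password bytes are zeroed after use rather than left in an immutable `String`.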

