
Human Factors on Secret Security

Published April 6, 2026 · Reading time approx. 6 minutes

Secrets underpin digital security. API keys, cryptographic keys, passwords — they protect systems, data, and identities. But what happens when the people managing these secrets fail at it systematically? That's the central question of the doctoral thesis "Human Factors on Secret Security", submitted in 2025 at Leibniz Universität Hannover for a doctorate in computer science.

The thesis comprises three case studies covering three types of secrets. The common thread: developers and users face tasks for which neither adequate tools nor clear processes exist.

Code Secrets: When API Keys End Up in the Repository

The first case study examines how developers handle leaked credentials in source code repositories. The methodology combines a survey of 109 developers with 14 in-depth interviews — a mixed-methods approach pairing quantitative breadth with qualitative depth. Results were presented at USENIX Security 2023.

30.3% of respondents had dealt with leaked code secrets. Not a fringe occurrence.

The study exposes weaknesses at every level: prevention, detection, response. Developers generally know that secrets don't belong in code — but execution fails due to missing automation, unclear responsibilities, and everyday time pressure. Risk assessment after a leak proves especially difficult. How critical is an exposed API key? Has it already been exploited? Many can't answer that.

A key finding concerns tool adoption: for developers to actually use secret scanners, the barrier to entry has to be minimal. Complex configurations or high false-positive rates mean tools simply get ignored. The study demonstrates that a security tool's success depends less on its detection rate than on how smoothly it fits into existing workflows.
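To make the adoption finding concrete, here is an added example of the kind of low-friction check a pre-commit hook could run. It is not code from the thesis or from any scanner the study surveyed; the sample lines, the allowlist marker string and the entropy threshold are this example's own assumptions. It combines two rules (secret-looking variable names, and long high-entropy literals) with two false-positive suppressors (an allowlist comment and a list of names whose values legitimately look random), which is exactly the trade-off the paragraph describes: a tool that flags every checksum gets switched off.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample input standing in for the lines a pre-commit hook would
# inspect. Every value below is made up for this example; none is a real credential.
SAMPLE_LINES = [
    'DB_PASSWORD = "correct horse battery staple"',
    'api_token = "tok_CONSTRUCTED_7hG2kLp9QwE4rT1yU8iO3aS6dF0zX5cV"',
    'api_key = os.environ["API_KEY"]',
    'test_secret = "fixture-not-a-secret"  # pragma: allowlist secret',
    'checksum = "3b1c2d4e5f60718293a4b5c6d7e8f9017a2b3c4d"',
    'url = "https://example.invalid/docs"',
    'SIGNING_MATERIAL = "q7W2mK9pL4xZ8vB1nR5tY3uC6aS0dF"',
]

# Rule 1: a quoted literal assigned to a variable whose name suggests a secret.
SECRET_NAME = re.compile(
    r'(?i)\b(?P<name>[a-z0-9_]*(password|passwd|secret|token|api_?key|access_key)[a-z0-9_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']+)["\']'
)
# Rule 2: any quoted literal of 20+ characters, judged by its entropy.
ANY_LITERAL = re.compile(r'(?P<name>[A-Za-z0-9_]+)\s*[:=]\s*["\'](?P<value>[^"\']{20,})["\']')
# Names whose values are expected to look random but are not secrets.
NON_SECRET_NAMES = ("checksum", "hash", "digest", "sha", "uuid", "nonce")
# Inline marker (an assumption of this example) that lets a developer accept a line.
ALLOWLIST_MARKER = "pragma: allowlist secret"
# 4.5 bits/char over 20+ characters is roughly a uniformly random string;
# prose, URLs and hex digests (max 4.0 bits/char) stay below it.
ENTROPY_THRESHOLD = 4.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    rule: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return a Finding for every line that looks like a hard-coded secret.

    Secret-named variables are reported at any entropy, because passphrases are
    low-entropy by design. Other literals are reported only when long and random
    looking. Allowlisted lines and known non-secret names are skipped so that the
    hook stays quiet on the lines developers see every day.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        if ALLOWLIST_MARKER in line:
            continue
        m = SECRET_NAME.search(line)
        if m:
            findings.append(Finding(no, m["name"], "secret-name", round(shannon_entropy(m["value"]), 2)))
            continue
        m = ANY_LITERAL.search(line)
        if m and not any(tag in m["name"].lower() for tag in NON_SECRET_NAMES):
            ent = shannon_entropy(m["value"])
            if ent >= ENTROPY_THRESHOLD:
                findings.append(Finding(no, m["name"], "high-entropy", round(ent, 2)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.name} ({f.rule}, {f.entropy} bits/char)")
```

Run against the sample, the hook reports the passphrase and the token by name and the random signing material by entropy, while the environment lookup, the allowlisted fixture, the hex checksum and the URL pass silently. That silence is the property that decides whether the hook survives its first week in a team's workflow.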

Cryptographic Updates: A Multi-Year Waiting Game

The second case study tackles a topic that's received little research attention so far: how do developers update cryptographic components in production systems? Twenty-one interviews with experienced developers paint a sobering picture. Results will be presented at USENIX Security 2025.

Structured processes? They don't exist.

Instead, improvisation rules. Developers stumble across outdated algorithms when external audits flag them or dependencies suddenly throw warnings. Systematic monitoring of cryptographic components is rare across organizations. Three core problems emerge:

  • Knowledge gaps: Cryptography is a specialized field. Many developers lack sufficient understanding of the algorithms they use to make informed update decisions. Which algorithm is outdated? What's a secure replacement? These questions often go unanswered.
  • Documentation failures: Where specific cryptographic primitives are deployed is seldom documented. That turns even the inventory phase into a major effort.
  • Backward compatibility: Existing data must remain readable. Encrypted databases, signed documents, stored tokens — a cryptographic update can't break any of it. This tension between security and functionality is the primary reason updates take so long.

The timelines speak for themselves: some updates wrap up in days. Others drag on for over a decade. The looming post-quantum cryptography (PQC) migration stands out as a particular challenge. Quantum computers threaten established schemes like RSA and ECC, but switching to quantum-safe algorithms demands changes at every layer — from network protocols to data persistence. Without clear migration paths and better tooling, this transition will be a shot in the dark for many organizations.
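The documentation gap and the PQC outlook above both come down to one missing artefact: an inventory of which primitives are used where. As an added illustration (not tooling from the thesis, and not a description of how the interviewed teams work), the following script builds that inventory from a constructed mini-repository and turns it into a prioritized migration list. The catalog of primitives, their status labels and the suggested replacements are this example's assumptions; ML-KEM and ML-DSA are the NIST PQC standards FIPS 203 and FIPS 204.

```python
import re
from collections import defaultdict

# Constructed stand-in for a code base: path -> file contents. Nothing here is real.
SAMPLE_REPO = {
    "auth/tokens.py": (
        "digest = hashlib.md5(token).hexdigest()\n"
        "sig = rsa_key.sign(digest, padding.PKCS1v15(), hashes.SHA1())"
    ),
    "storage/encrypt.go": (
        "block, _ := aes.NewCipher(key) // AES-256 key\n"
        "legacy := tripleDesCipher(oldKey) // 3DES for pre-2019 backups"
    ),
    "config/tls.conf": "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;",
    "docs/README.md": "Checksums are SHA-256.",
}

# Status labels are this example's own convention:
#   deprecated          - stop using for new data, keep a read path for old data
#   quantum-vulnerable  - acceptable today, must move before the PQC migration
#   ok                  - no action known
PRIMITIVE_CATALOG = {
    "MD5":     ("deprecated", "SHA-256"),
    "SHA-1":   ("deprecated", "SHA-256"),
    "DES":     ("deprecated", "AES-256-GCM"),
    "3DES":    ("deprecated", "AES-256-GCM"),
    "RC4":     ("deprecated", "AES-256-GCM"),
    "RSA":     ("quantum-vulnerable", "ML-KEM (FIPS 203) / ML-DSA (FIPS 204)"),
    "ECDSA":   ("quantum-vulnerable", "ML-DSA (FIPS 204)"),
    "ECDH":    ("quantum-vulnerable", "ML-KEM (FIPS 203)"),
    "AES-256": ("ok", None),
    "SHA-256": ("ok", None),
}

# Textual patterns that cover library calls, cipher-suite strings and prose alike.
PATTERNS = {
    "MD5":     re.compile(r"(?i)\bmd5(?![a-z0-9])"),
    "SHA-1":   re.compile(r"(?i)\bsha-?1(?![0-9])"),
    "3DES":    re.compile(r"(?i)(3des|des3|tripledes|des-ede)"),
    "DES":     re.compile(r"(?i)\bdes(?![a-z0-9]|-ede)"),
    "RC4":     re.compile(r"(?i)\b(rc4|arcfour)(?![a-z0-9])"),
    "RSA":     re.compile(r"(?i)\brsa(?![a-z])"),
    "ECDSA":   re.compile(r"(?i)\becdsa(?![a-z])"),
    "ECDH":    re.compile(r"(?i)\becdhe?(?![a-z])"),
    "AES-256": re.compile(r"(?i)\baes[-_]?256(?![0-9])"),
    "SHA-256": re.compile(r"(?i)\bsha-?256(?![0-9])"),
}


def inventory(repo):
    """Map each primitive found to the (path, line number) locations that use it."""
    found = defaultdict(list)
    for path, text in repo.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for prim, pattern in PATTERNS.items():
                if pattern.search(line):
                    found[prim].append((path, no))
    return dict(found)


def migration_report(repo):
    """Action items sorted by urgency: deprecated first, then quantum-vulnerable, then ok.

    The 'keep_read_path' flag records the backward-compatibility constraint: data
    written with a deprecated primitive must stay readable after the switch.
    """
    order = {"deprecated": 0, "quantum-vulnerable": 1, "ok": 2}
    items = []
    for prim, locations in inventory(repo).items():
        status, replacement = PRIMITIVE_CATALOG[prim]
        items.append({
            "primitive": prim,
            "status": status,
            "replacement": replacement,
            "keep_read_path": status == "deprecated",
            "locations": locations,
        })
    items.sort(key=lambda item: (order[item["status"]], item["primitive"]))
    return items


if __name__ == "__main__":
    for item in migration_report(SAMPLE_REPO):
        where = ", ".join(f"{p}:{n}" for p, n in item["locations"])
        print(f"{item['status']:<19} {item['primitive']:<8} -> {item['replacement']}  [{where}]")
```

The point is not the regexes, which any real tool does better, but that the output answers the three questions the interviewees could not: what is in use, where it lives, and what the candidate replacement is. Committing such a report next to the code is the cheapest form of the documentation the study found missing.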

Password Updates: The Chaos Across 111 Websites

The third case study shifts perspective. Rather than interviewing developers, it systematically analyzes the password change processes of 111 top-ranked websites. Five researchers evaluated sites between September 2024 and February 2025.

The results are maddening.

Just navigating to the password change form is a challenge. There's no standardized terminology — "Change password," "Security settings," "Manage account," "Login credentials" — every platform invents its own labels. For users, that means searching instead of finding. For password managers and automated tools, things get even worse.

Minimum requirements for new passwords are shockingly low in some cases. Several websites accept passwords as short as six characters — well below NIST recommendations. Breached password detection is virtually nonexistent: only a single website out of 111 actually blocked passwords that had appeared in known data breaches.

The W3C's .well-known/change-password standard, designed to let browsers and password managers link directly to the password change page, has seen almost no adoption. And there's another problem for automation: dynamically generated field identifiers (id and name attributes that change on every page load) break autofill and password manager integration. What might be intended as bot protection ultimately hurts users.
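As an added example covering the two preceding paragraphs (it is not code from the thesis or from any of the 111 sites), here is a minimal WSGI application that gets the three things right that the study found missing: it answers /.well-known/change-password with a redirect to the real form, renders that form with stable id/name attributes and autocomplete hints, and rejects new passwords that are shorter than eight characters or appear in a breach list. The breach list is a constructed local set of SHA-1 digests; the prefix-matching lookup mirrors the k-anonymity range-query model so the plaintext never leaves the checking function. The route name and the minimum length of 8 (the NIST SP 800-63B floor for user-chosen passwords) are this example's assumptions.

```python
import hashlib
import io
from urllib.parse import parse_qs

# Constructed stand-in for a breach corpus: SHA-1 digests of exposed passwords.
# A real deployment would query a k-anonymity range API or a local breach dump.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}
MIN_LENGTH = 8                      # NIST SP 800-63B minimum for user-chosen passwords
CHANGE_PATH = "/account/change-password"   # assumed route for this example


def is_breached(password: str) -> bool:
    """Prefix range lookup: only the first five hex digits select candidates."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {d[5:] for d in BREACHED_SHA1 if d.startswith(prefix)}
    return suffix in candidates


def validate_new_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known data breach")
    return problems


# Stable identifiers plus autocomplete hints are what password managers key on.
CHANGE_FORM = f"""<form method="post" action="{CHANGE_PATH}">
<input type="password" id="current-password" name="current_password" autocomplete="current-password">
<input type="password" id="new-password" name="new_password" autocomplete="new-password">
<button type="submit">Change password</button>
</form>"""


def app(environ, start_response):
    """WSGI app: well-known redirect, form rendering and policy enforcement."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    if path == "/.well-known/change-password":
        start_response("302 Found", [("Location", CHANGE_PATH)])
        return [b""]
    if path == CHANGE_PATH and method == "GET":
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [CHANGE_FORM.encode()]
    if path == CHANGE_PATH and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode())
        new_pw = fields.get("new_password", [""])[0]
        problems = validate_new_password(new_pw)
        if problems:
            body = "Rejected: " + "; ".join(problems)
            start_response("400 Bad Request", [("Content-Type", "text/plain; charset=utf-8")])
        else:
            body = "Password changed"   # storing the new credential is out of scope here
            start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
        return [body.encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"not found"]


def call(method: str, path: str, body: bytes = b""):
    """Drive the app without a server; returns (status, headers, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out.decode()


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Nothing here is hard: the redirect is one route, the form attributes are static strings, and the breach check is a set lookup. That is the uncomfortable part of the study's finding, since none of it requires a framework change, only someone deciding it is their job.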

Why Are Developers the Central Weak Link?

All three studies reveal the same pattern from different angles. Developers sit at the center of security-critical processes — and they're systematically set up to struggle. Not because they're incompetent, but because the right tools, processes, and knowledge base aren't there.

The pattern is the same everywhere, just the gap differs: with code secrets, automation is missing; with cryptographic updates, expertise; with password processes, standards. What connects all three domains is the gap between security research and developer practice.

Usability turns out to be the decisive lever. Security mechanisms only gain traction when they integrate into existing workflows without creating friction. A secret scanner that catches 90% of leaks but slows the build by two minutes gets disabled. A cryptographic update that's theoretically sound but breaks backward compatibility gets postponed. A password policy that would be secure but sends users through a maze of settings pages gets circumvented.

What Are the Consequences?

The thesis identifies several areas for action:

Better tools with low adoption barriers. Secret scanners, cryptographic inventory tools, and standardized password APIs need to be simple enough that using them costs less effort than skipping them.

Standardization. The inconsistency in password change processes illustrates how lack of standardization undermines security. Standards like .well-known/change-password exist but aren't adopted. The same applies to cryptographic migration paths — without standardized approaches, every update remains a solo project.

Research-to-practice transfer. Findings from security research often don't reach developers. Papers get published at conferences, but the results rarely make it into documentation, frameworks, or IDE plugins — the places where developers would actually encounter them.

Organizational anchoring. Neither secret management nor cryptographic maintenance can depend on individual developer initiative. Clear responsibilities, documented processes, and regular review cycles are needed.

Looking Ahead

The PQC migration is coming, and it'll amplify the problems from the second case study. Organizations that already don't know which cryptographic schemes run in their systems will face severe difficulties transitioning to quantum-safe algorithms.

At the same time, attack surfaces keep growing. More code, more APIs, more secrets, more opportunities for leaks. The automation of software development through AI-powered code generators could exacerbate the problem — or become part of the solution, if these tools bake in security considerations from the start.

This thesis provides the empirical foundation for these discussions. It shows where the leverage points are — and that technical solutions alone won't suffice as long as the human factor goes unaddressed.

The full dissertation is freely available: Krause, A. (2025). "Human Factors on Secret Security: Case Studies on Code Secret Leakage, Cryptographic Updates, and Password Update Procedures." Leibniz Universität Hannover.

This article is an AI-generated summary of the doctoral thesis "Human Factors on Secret Security: Case Studies on Code Secret Leakage, Cryptographic Updates, and Password Update Procedures" (Leibniz Universität Hannover, 2025). The content has been editorially reviewed.

Want to strengthen the human factor in your IT security? Contact me for consulting on secret management, cryptography, or password policies.