I'm giving a seminar on whether specification is a useful tool to help developers remember how to store passwords correctly (it technically is, but practically isn't) and whether current approaches for password storage are working (nope). It's an extended version of the talk I gave at ICSE this year.
Links to the seminar, and the paper itself below: