On June 6, 2012 LinkedIn was hacked and user accounts — names and passwords — were compromised.
Follow LinkedIn’s advice on addressing the matter.
There are just two things I want to say about this.
1. Service Providers should build hardened systems up-frontAny service provider that has a security architecture that stores names and passwords on a server somewhere has an unacceptable system design.
There is simply NO excuse for letting this happen — EVER.
LinkedIn management is acting like hashing and salting passwords is some new thing that they are all over as a result of the compromise.
This is silly, hashing and salting should have happened in the first place, not as an afterthought.
2. One More Reason for IDMaaSIf LinkedIn was using IDMaaS for its Identity Management instead of its own “yet-another-funky-id-system” — it would not be standing knee deep in PR feces with egg on its face.
This is because the designers of IDMaaS services are specialized in Identity and security. That is all they do. No social connecting, no email or friending. Just managing Identity in the cloud.
Specialized core services for all of your systems design in the cloud fits in with best practices of good systems design. It is just too expensive and hard for every company to have the required expertise to design hardened systems in today’s IT environment.
SummaryThe sooner we can start building on an Identity Metasystem design, the better.
Even scarier than LinkedIn being hacked — you can almost guarantee that many other cloud-based services you are using have a similar “yet-another-funky-id-system” design for IdM.
Scarier still — these systems probably won’t get fixed until they are compromised.