
LinkedIn Password Disaster

Jun 18, 2012 by Martin Kuppinger

I first thought about ignoring this topic for my blog. However, there have been so many press releases, blogs, and other comments on it which have been just wrong or absurd that I finally decided on posting a little about it.

First of all, the LinkedIn Password Disaster reinforces the old rule that you shouldn’t reuse passwords (at least not too much).

Second, it is another proof of the fact that the security skills of developers are, on average, far too low. There are not enough developers with strong security skills, but there are many developers who lack good security skills and develop security features anyway. LinkedIn obviously lacked security experts in its architecture, development, and operational teams. Security has to be part of application development from the very beginning. It is not something which can be added afterwards.

However, even IT education largely fails in that area. Instead of IT security being one of the most important parts of any IT education, it is still seen as something for a few experts. That’s wrong. IT security has to be a core subject of any IT education, and it should be a mandatory examination subject for everyone studying informatics.

Unfortunately, that helps only in the mid-term or long-term. Just last week I had the discussion about whether it makes sense to acquire a company of experienced app developers without security skills to develop security apps. Every expert involved agreed that this doesn’t make sense. It is pretty hard to impart security skills while it’s comparatively easy to impart app development skills. So the battle for the relatively few security experts out there will continue.

Another important aspect is that certification will hopefully gain momentum. That doesn’t always help: there were cases some years ago where sites that had been security certified by the German TÜV were hacked. Nevertheless, beginner’s mistakes in security like the ones at LinkedIn could be avoided through certification.

Besides these points, what really caught my attention and led to this post were the press releases of vendors of OTP (one-time password) technologies and other security technologies which promised a better world when using their products. However, even though passwords are a weak mechanism, when looked at realistically there is no short-term replacement. Yes, federation (in a somewhat different form from today’s approaches) will change a lot over time. But I don’t see that things like OTP or others will really work for the use cases of sites like LinkedIn. So I think we will have to live with passwords. It’s up to companies like LinkedIn to avoid the biggest mistakes on their side. And it’s up to us to avoid the biggest mistakes on our side.
