I first thought about ignoring this topic on my blog. However, there have been so many press releases, blog posts, and other comments on it that were simply wrong or absurd that I finally decided to post a little about it.
First of all, the LinkedIn Password Disaster reinforces the old rule that you shouldn’t reuse passwords (at least not too much).
Second, it is another proof that the security skills of developers are on average far too low. There are not enough developers with strong security skills, yet many developers who lack good security skills are developing security features anyway. LinkedIn obviously lacked security experts in its architecture, development, and operations teams. Security has to be part of application development from the very beginning; it is not something that can be added afterwards.
However, even IT education largely fails in that area. Instead of treating IT security as one of the most important parts of any IT education, it is still seen as something for a few experts. That's wrong. IT security has to be a core subject of any IT education, and it should be a mandatory examination subject for everyone studying informatics.
Unfortunately, that helps only in the mid to long term. Just last week I was in a discussion about whether it makes sense to acquire a company of experienced app developers without security skills in order to develop security apps. Every expert involved agreed that this doesn't make sense: it is pretty hard to impart security skills, while it is comparatively easy to impart app development skills. So the battle for the relatively few security experts out there will continue.
Another important aspect is that certification will hopefully gain momentum. That doesn't always help: there were cases some years ago where sites that had been security-certified by the German TÜV were hacked. Nevertheless, beginner's mistakes in security like the ones at LinkedIn could be avoided by certification.
Besides these points, what really caught my attention and led to this post were the press releases of vendors of OTP (one-time password) technologies and other security technologies, which promised a better world if only their technologies were used. However, even though passwords are a weak mechanism, realistically there is no short-term replacement. Yes, federation (in a somewhat different form from today's approaches) will change a lot over time. But I don't see things like OTP really working for the use cases of sites like LinkedIn. So I think we will have to live with passwords. It's up to companies like LinkedIn to avoid the biggest mistakes on their side, and it's up to us to avoid the biggest mistakes on ours.