
LinkedIn Password Disaster

Jun 18, 2012 by Martin Kuppinger

I first thought about ignoring this topic for my blog. However, there have been so many press releases, blog posts, and other comments on it that are simply wrong or absurd that I finally decided to post a little about it.

First of all, the LinkedIn Password Disaster reinforces the old rule that you shouldn’t reuse passwords (at least not too much).

Second, it is further proof that the security skills of developers are, on average, far too low. There are too few developers with strong security skills, and many developers without good security skills are developing security features anyway. LinkedIn obviously lacked security experts in its architecture, development, and operations teams. Security has to be part of application development from the very beginning. It is not something which can be added afterwards.

However, even IT education largely fails in that area. Instead of treating IT security as one of the most important parts of any IT education, it is still seen as something for a few specialists. That’s wrong. IT security has to be a core subject of any IT education. And it should be a mandatory examination subject for everyone studying informatics.

Unfortunately, that helps only in the mid-term or long-term. Just last week I was in a discussion about whether it makes sense to acquire a company of experienced app developers without security skills in order to develop security apps. Every expert involved agreed that this doesn’t make sense. It is pretty hard to impart security skills, while it is comparatively easy to impart app development skills. So the battle for the relatively few security experts out there will continue.

Another important aspect is that certification will hopefully gain momentum. That doesn’t always help: there were cases some years ago where sites that had been security certified by the German TÜV were hacked. Nevertheless, beginner’s mistakes in security such as the ones at LinkedIn could be avoided by certification.

Besides these points, what really caught my attention and led to this post were the press releases of vendors of OTP (one-time password) technologies and other security technologies, which promised a better world if only their technologies were used. However, even though passwords are a weak mechanism, realistically there is no short-term replacement for them. Yes, federation (in a somewhat different form from today’s approaches) will change a lot over time. But I don’t see that things like OTP or others will really work for the use cases of sites like LinkedIn. So I think we will have to live with passwords. It’s up to companies like LinkedIn to avoid the biggest mistakes on their side. And it’s up to us to avoid the biggest mistakes on our side.


Author info

Martin Kuppinger
Founder and Principal Analyst
KuppingerCole Blog
© 2003-2016 KuppingerCole