LinkedIn Password Disaster

18.06.2012 by Martin Kuppinger

I first thought about ignoring this topic for my blog. However, there have been so many press releases, blogs, and other comments on it which have been just wrong or absurd that I finally decided on posting a little about it.

First of all, the LinkedIn Password Disaster reinforces the old rule that you shouldn’t reuse passwords (at least not too much).

Second, it is another proof of the fact that the security skills of developers are on average far too low. There are not enough developers with strong security skills, but many developers who lack such skills are developing security features anyway. LinkedIn obviously had a lack of security experts in its architecture, development, and operations teams. Security has to be part of application development from the very beginning. It is not something which can be added afterwards.

However, even IT education largely fails in that area. Instead of treating IT security as one of the most important parts of any IT education, it is still seen as something for a few experts. That’s wrong. IT security has to be a core subject of any IT education. And it should be a mandatory examination subject for everyone studying informatics.

Unfortunately, that helps only in the mid-term or long-term. Just last week I had a discussion about whether it makes sense to acquire a company of experienced app developers without security skills in order to develop security apps. Every expert involved agreed that this doesn’t make sense. It is pretty hard to impart security skills, while it’s comparatively easy to impart app development skills. So the battle for the relatively few security experts out there will continue.

Another important aspect is that certification will hopefully gain momentum. Certification doesn’t always help: there were cases some years ago where sites that had been security certified by the German TÜV were hacked. Nevertheless, beginner’s mistakes in security like the ones at LinkedIn could be avoided by certification.

Besides these points, what really caught my attention and led to this post were the press releases of vendors of OTP (one-time password) technologies and other security technologies which promised a better world when using their products. However, even though passwords are a weak mechanism, when looked at realistically there is no short-term replacement. Yes, federation (in a somewhat different form from today’s approaches) will change a lot over time. But I don’t see that things like OTP or others will really work for the use cases of sites like LinkedIn. So I think we will have to live with passwords. It’s up to companies like LinkedIn to avoid the biggest mistakes on their side. And it’s up to us to avoid the biggest mistakes on our side.

  • Angela

    I saw the description for the LinkedIn fiasco webinar about lessons learned. I disagree that a hacker having access to a hashed list of passwords isn't a big deal. What this provides is a way for a hacker to crack those passwords at their leisure. I have to assume that if they got the password data, they also got usernames. From there, it's a very easy step to start looking for other assets on the web with those usernames and start using the cracked passwords to try for access to other web properties. This was demonstrated to painful effect by the ApacheFoundation.org hack last year. The fact is that many people use the same passwords for web sites as they do for other assets. A chat forum got hacked at Apache and one of their sysadmins used the SAME password on their internal servers. Escalation of privileges occurred and a painful attack rapidly turned into a mission-critical one.

    So yes, I think that password hash access is a very big deal.

© 2014 Martin Kuppinger, KuppingerCole