I've been following the problems at LinkedIn and elsewhere (eHarmony, Last.fm and League of Legends EU) for a week now. My takeaway from the ensuing discussions is that there are three fundamental misunderstandings about security as it relates to web logins.

1. Staying one step ahead of the bad guys

It's not really about MD5, SHA1 or BCrypt; it's about staying one step ahead of the bad guys and having good security practices. We still don't know how the passwords were leaked. It wouldn't matter if the passwords were all in plaintext if they never got out. Even using BCrypt, clear passwords might be accidentally left in logs, backups might be sitting around that contain sensitive information, and insiders, with the right access, can pretty much do anything.

2. Users expect us to do it right

Blaming users for their handling of passwords is a cop-out; the actual problem is bad security practices and the "set it and forget it" development mentality around protecting private user data. I say this because research and practical experience show that users will always take the path of least resistance when it comes to passwords. It is our failing, not theirs, that these leaks are happening. But to correct our negligence, we recommend that users create ridiculously complex, unique passwords, or that they buy yet another Internet security product.

I believe this is wrong. Users have a valid expectation that we care for their data, and we are failing to meet that expectation.

3. Usability is key

Current alternatives to passwords fail the usability test, which we know from #2 above is critical. If I can't explain it to my dad (non-technical and loves to post to forums), it fails the usability test. It's all well and good for us to jump through enrollment and redirection hoops, but no regular user has a clue about how (or why) to get an identity provider, or why they are suddenly on one site when they were trying to log in to another. Until we present a simple alternative, the vast majority of users are going to rely on passwords for a very long time.