brian krebs and thomas ptacek on password security

Brian Krebs has a nice article/interview with Thomas Ptacek in regards to the recent password theft issues (LinkedIn, etc.). Definitely worth a read, and it does some nice teaching (I didn’t know password hash and cryptographic hash were two different things). The main point is how often developers don’t know security mechanisms. To me, though, that’s not so much a knock on them as developers, but rather on our whole development process. It’s hard to expect developers to know all this stuff and yet remain rockstars in their own arena. More knowledge, more time, and more experience are really key, along with some positive encouragement and support. Oversight by the experts would help as well (and the desire for companies to ask for that help). Oh, and two-factor auth….