As you already know, the LinkedIn passwords were supposedly leaked and became available online in the form of hashed data. Or they were not, but it doesn’t really matter.
What really matters to you as a web developer is to see the mistakes LinkedIn’s developers made and learn from them.
1. Website Performance
When people learned that their passwords were compromised, and that these passwords could be the keys to other systems as well, they rushed to change them. All at once. And LinkedIn has about 161 million users so far. Yes, of course there are thousands of dead accounts and people who haven’t heard about the problem yet, but still, many millions of people logged into their accounts, went to the profile settings and started the password change procedure.
As a result, many people couldn’t do it, because the machines responsible for that feature were too busy. If you were among those who tried to change their password the day it hit the news, you saw that Ajax window saying it was waiting for the operation to complete. I did it on the second attempt, since my password was one year old anyway.
Lesson learned: when you are building a web system for a large number of users, prepare for the scenario where everybody and his dog rushes to change their password at the same time.
2. Mobile Security
When I change my Google password, or my password in any other system, my smartphone requires me to enter it again, because the token it used to access my account was invalidated. Of course, the mobile application doesn’t store the password locally; it uses a secure token instead. The token has an expiration date and can be invalidated by both the client and the server.
When your client changes their password from the website, all tokens should be invalidated. There is no other option. If my smartphone is stolen and I change my Gmail account password, I know for sure that the thief can no longer reach my e-mail and the connected services.
It’s not so with LinkedIn. Even though I changed my password yesterday, I didn’t have to enter it on my Android device: the security token is still valid, and I still receive private messages, can connect with people and so on.
Lesson learned: when you are securing the entrance, secure all the doors. Think through the scenarios where one of the doors has failed. Time spent on unpleasant analysis is time saved on sorrow.
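Here is an added example, not LinkedIn’s code nor code from the original post, of the behaviour described above: every mobile token is bound to a per-user "credential generation" counter, so a password change bumps the counter and every token issued before it stops validating, while an expiry date still bounds the lifetime of tokens that were never revoked. The HMAC signing, the server secret, the in-memory user table and the 30-day lifetime are all constructed assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example values: a server-side signing secret and an in-memory user table.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days, an assumed expiry

# Each user carries a credential generation. Bumping it revokes, at once,
# every token that was issued under the previous generation.
users = {"alice": {"generation": 1}}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Issue a token bound to the user's current credential generation."""
    now = time.time() if now is None else now
    payload = f"{user}|{users[user]['generation']}|{int(now + TOKEN_LIFETIME)}"
    return f"{payload}|{_sign(payload)}"


def validate_token(token: str, now: Optional[float] = None) -> bool:
    """Accept only untampered, unexpired tokens from the current generation."""
    now = time.time() if now is None else now
    try:
        user, gen, exp, sig = token.split("|")
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(f"{user}|{gen}|{exp}"), sig):
        return False  # forged or tampered
    if now >= int(exp):
        return False  # past its expiration date
    if user not in users or int(gen) != users[user]["generation"]:
        return False  # password changed (or tokens revoked) since issue
    return True


def change_password(user: str, new_password: str) -> None:
    """Change the password and revoke every outstanding token for the user."""
    # Password hashing and storage are out of scope here; the point is that
    # the change and the revocation happen together, never one without the other.
    revoke_all_tokens(user)


def revoke_all_tokens(user: str) -> None:
    """Server-side invalidation: all previously issued tokens stop validating."""
    users[user]["generation"] += 1
```

The device that held the old token gets a validation failure on its next request and has to ask for the new password, which is exactly the Gmail behaviour the post describes.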