How much experience is enough?

I’ve lost count of the number of times where I have seen it said
that “Only experienced xxxx should try to do
yyyy.” For example, “Only experienced security experts
should try to build secure authentication systems.” Or, “Only
experienced walkers should attempt to tackle this route through the
mountains.”

In all kinds of different fields, we’re warned that certain
activities shouldn’t be approached by the inexperienced. How do you
know when you’re no longer too inexperienced? It seems that the
more you learn, the more you realise how much you don’t know. I
think this is a good thing but there’s a danger that only the
inexperienced ever try to solve the difficult problems yet they
probably don’t have the skills to succeed.

Eric Lippert starts a series of posts on security with the
disclaimer, “This blog posting is for informational purposes only;
don’t think that after you’ve read this series, you have enough
information to build a secure authentication system!”. That’s good
advice but I wonder how much you have to know to have enough
information to build a secure authentication system.