How much experience is enough?

less than 1 minute read

I’ve lost count of the number of times where I have seen it said that “Only experienced xxxx should try to do yyyy.” For example, “Only experienced security experts should try to build secure authentication systems.” Or, “Only experienced walkers should attempt to tackle this route through the mountains.”

In all kinds of different fields, we’re warned that certain activities shouldn’t be approached by the inexperienced. How do you know when you’re no longer too inexperienced? It seems that the more you learn, the more you realise how much you don’t know. I think this is a good thing but there’s a danger that only the inexperienced ever try to solve the difficult problems yet they probably don’t have the skills to succeed.

Eric Lippert starts a series of posts on security with the disclaimer, “This blog posting is for informational purposes only; don’t think that after you’ve read this series, you have enough information to build a secure authentication system!”. That’s good advice but I wonder how much you have to know to have enough information to build a secure authentication system.