I think Shulman is missing his own point.
"The problem has changed very little over the past 20 years, explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. It's time for everyone to take password security seriously; it's an important first step in data security."
So 20 years later we still have all of the exact same problems? The lesson here is _not_ that "it's time for _everyone_ to take pw security seriously". The lesson is that the basic mechanics of passwords don't work. I'm sure they tried to take pw security seriously 20 years ago. The average user doesn't understand the math behind making a complex password. Password requirements add to the confusion: one pw changes every 3 months, another 4, some must use mixed case, others 2 numbers and a special character, and don't write it down, etc. Then throw in some password fields that cannot use special characters, my bank pw cannot start with a number, can't reuse a pw for 12 uses, and the result is simplified, easier-to-remember passwords. Same as the last but add a '1' at the end, increment to '2' in 3 months.
Old Dakota wisdom says that if you are riding a dead horse, get off. Shulman seems to think that if we just get serious and dig in our heels we can suddenly get the dead horse to trot. Meanwhile management will ignore Shulman and instead decide to double the horsepower -- by buying another dead horse.
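The rotation pattern the comment describes (same base password, trailing counter bumped every cycle) is something a password-change handler can detect and reject. The check below is an added example, not code from the original post; it assumes the user supplies the current password at change time, as most change forms require, so nothing is stored in plaintext.

```python
import re

# Matches a password ending in a run of digits; the non-greedy base captures
# everything before the trailing counter ("Summer12" -> base "Summer", num "12").
_SUFFIX = re.compile(r"^(?P<base>.*?)(?P<num>\d+)$")


def split_suffix(pw):
    """Split a password into (base, trailing_digits_or_None)."""
    m = _SUFFIX.match(pw)
    if not m:
        return pw, None
    return m.group("base"), m.group("num")


def is_trivial_rotation(old_pw, new_pw, max_step=5):
    """Return True when new_pw is old_pw with a counter appended or bumped.

    Covers the three cheap edits users make under forced rotation:
      - identical password (modulo case),
      - a counter appended to the old password ("summer" -> "Summer1"),
      - the existing counter nudged by at most max_step ("Summer1" -> "Summer2").
    The base is compared case-insensitively so flipping one capital does not
    defeat the check. max_step is an assumed tuning knob, not a standard value.
    """
    old_base, old_num = split_suffix(old_pw)
    new_base, new_num = split_suffix(new_pw)
    if old_base.lower() != new_base.lower():
        return False                      # different base word: not a rotation
    if new_num is None:
        return old_num is None            # both bare and same base: identical
    if old_num is None:
        return True                       # user just appended a counter
    return abs(int(new_num) - int(old_num)) <= max_step


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer1", "Summer2"), ("summer", "Summer1"),
                     ("Summer1", "Winter2"), ("Summer1", "Summer99")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_rotation(old, new)}")
```

A policy that rejects these pairs only helps if it is paired with fewer, longer-lived passwords; otherwise users move the counter into the middle of the word and the check has to grow with them.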