> Firstly, I don't recall seeing *any* spam e-mails in 2012 - at least to my own domain. I get a number to my work e-mail address, but that's because they use firstname.lastname@example.org, and at any rate the address is likely harvested when software companies demand an e-mail address for pricing. At any rate, this is unlikely to be related to the e-mail account being hacked as much as it is marketers gonna market.
> Secondly, I vaguely recall the Mat Honan hack, but I'm reasonably certain I've already got sufficient steps to mitigate the attack he suffered. For one, I don't subscribe to the Apple camp. For two, I don't use similar credentials across the web. For three, I think the guy who was affected made a significant number of utter schoolboy errors and would have been subject to an attack sooner rather than later. Let's hope he sufficiently learned his lesson rather than be the subject of another embarrassing hack later on.
Anyway, I'll be happy to see the demise of the password - it does have significant problems with regard to entropy versus memorability; general weakness tied into the idea that humans aren't necessarily designed to cope with arbitrarily long strings; arbitrary and inconsistent requirements, and policy-related changes. On a couple of occasions I've been aghast that somewhere requiring authentication kicks out credentials because they're either too long or they start with a number. The fuck?
But, I don't think Google is the innocent party presenting this for the good of mankind. Any move that reduces the possibility of plausible deniability, anything that increases the confidence that an action can be tied to a person, will directly benefit their bottom line. Therefore, I'd suggest that while the sentiments behind the paper may be good, a different approach may be better (e.g. LiveCD on RW media, with a KeePass or similar database in ~/boringdatabaselogs).
After all though, perhaps my tinfoil hat is on too tighOP HERE, DISREGARD THIS, I SUCK COCKS.