Re:Real lesson -- make guessing expensive! (Score 1)

I agree that coming at this problem from the side of the user is not only blaming the victim but is ineffective. However, to understand why this is so I think that we need to consider human psychology. Why is that most people continue to use weak passwords, even though all but the lowest of the "low information" users understand the supposed importance of internet security? I assume that it is because they or their circle have not been victims of online identity theft. Until that happens to them, they will continue to use the weak passwords. Why bother with something complicated like a complex and difficult-to-remember password string when there don't seem to be any consequences? If online identity theft with significant monetary or professional consequences becomes sufficiently widespread, you will find that people will suddenly become interested in online security. At that point, however, I am sure that users will clamor for improved security measures on the corporate/server side. At that point, something like a security code of conduct might be appropriate. Corporations would clearly declare that they were following X security practices or adhering to Y set of standards for online security. Getting Joe123 to change his password from password123 to 8}0_(|5-'23a1_E_2_-! is not going to happen.