> It always bothers me a bit when I see analysis of password strength for compromised sites without any mention of the possibility that the account might just not be important to users.
I actually use that as a factor when considering a password. If I think the site isn't going to be the most secure (a phpBB forum, or hand-rolled web-app), then I'm more likely to use a simple (but still relatively decent) password.
Recently I made a new password for some random site (and keep an encrypted record of it). Then I was relieved I did, because the site turned around and emailed the password right back to me. Unencrypted. In plaintext.
Hmm, that is wrong enough that I'll call them out by name... https://www.nbotickets.com/
(Is it polite and useful to email them how I feel about that? I feel like I'd just be "someone-is-wrong-on-the-internet"-ing. Advice?)