In all the identity theft stories I have seen, the perp usually:
- uses a reset password feature and guesses a secret question
- steals data from the company
- phishes people into entering their password into a fake site
Long, hard-to-remember passwords don’t really help with those things. Really, what you should be doing is eliminating the question feature from the password reset and, when you sign on, focusing on the site and not some long series of random numbers and letters.
Also, I think you would probably find lots of people create multiple dummy accounts that contain very little personal information. Those probably account for a significant number of the “password” passwords.
I would be really interested to see where the weak points in the system actually are and how we can do more to correct them.