Once again ...
part of the problem with passwords - internet passwords specifically - is the total lack of anything remotely resembling an RFC on the best practices to implement password-based authentication.
Is the password complexity sufficient?
Is the password stored in plaintext? (Because some are, so you can be emailed it if you forget.)
If the password is encrypted, can it be decrypted?
If so, by whom?
Is a regular password change mandated?
etc., etc., etc.
I wonder, if I were to set up a site requiring a login to be created, and harvested all the email address/password combinations people used, how far I could get trying those credentials elsewhere.
However, before I did that, I'd also wonder if anyone else had done it before me?
Quick question. What's the ISO reference for web-based authentication?
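The storage questions above (plaintext, reversibly encrypted, emailed back on "forgot password") all come down to one design choice, so here is an added example, not from the post or from any standard it asks about: a minimal Python store that keeps only a random salt plus a one-way PBKDF2-HMAC derived key, verifies in constant time, flags records made with an outdated work factor, and handles "forgot password" with a hashed one-time reset token rather than the password itself. All function names and the record format are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000
RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$dk_hex'.

    Only a random salt and a one-way derived key are stored: there is no key
    anywhere that could 'decrypt' the record back into the password.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str) -> bool:
    """True when the record was produced with a lower work factor than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS


def issue_reset_token(now: Optional[float] = None) -> tuple:
    """Return (token_for_email, stored_state). Only the token's hash and an expiry
    are kept server-side, so a database leak does not expose usable reset links."""
    token = secrets.token_urlsafe(32)
    expiry = (now if now is not None else time.time()) + RESET_TTL_SECONDS
    return token, (hashlib.sha256(token.encode()).hexdigest(), expiry)


def redeem_reset_token(token: str, stored: tuple, now: Optional[float] = None) -> bool:
    """Accept a reset token once, only if it matches the stored hash and is unexpired."""
    token_hash, expiry = stored
    if (now if now is not None else time.time()) > expiry:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), token_hash)
```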