Re: Maybe just
Look, folks. I really don't care about securing my password for Slashdot, The Register, or a multitude of other non-financial sites. Neither do many (I suspect most) other users. The password/account logic is imposed by the sites for their convenience, not mine. For them I reuse the same password within the limits of obscure and often conflicting length and content rules. So do my wife, my kids, and (I suspect) damn near everyone.
Fifty plus years of computer work tell me that attempting to educate users or to force them to do things your way is pretty much a complete waste of time. I really believe that "crap" and reused passwords are part of the universe we live in. They aren't going away.
User authentication is a huge problem. It's a problem that will, I think, quite likely eventually limit the utility of the Internet. Basically, the problem is that a website that is actually secure -- for example the US treasurydirect.gov -- is going to be horribly difficult to access and is likely to have other problems, such as when multiple individuals need to access an account.
Do I have an answer? Nope. If I did, I'd be working on a business plan, not posting here.
But I do think you folks should recognize that passwords don't work very well and, as far as I can see, probably can never be made to work much better than they do now.
(Interestingly, one organization that I actually need to interface with has a website that is perpetually broken in one way or another, but has something I'd thought to be unlikely -- an automated phone system that actually works. FWIW, it authenticates me by date of birth and postal code. Not great from a security point of view, but not awful, and better, considering the medium and all, than passwords.)