We all knew this. Who authorized this study? Was there money for it? I have a research project of my own: users don't patch their client-side software. Please contact me if you wish to fund it.
But in all seriousness, there is something to learn from this: your users reuse the same passwords. The same crappy password they use on your site is the same crappy password they use on all of the various Goat Sex sites, so when one of those gets popped, your site's accounts go with it.
Because of this, we need to start looking at alternative authentication mechanisms, maybe even two-factor authentication.
Just for the record, many "two-factor" authentication mechanisms only authenticate you, once, to the computer or resource you are trying to access; after that the session is trusted on its own. This matters because an attacker who gets access to a user's system can piggy-back on that already-authenticated session, bypassing your wonderful, delicious two-factor authentication without ever touching the second factor.
So even if you strive for something better… it will most likely still suck.
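To make the piggy-backing point concrete, here is an added example (not code from the original post, and not any real product's login flow): a toy server that checks a password, then a one-time code, and then hands back a bearer session token. The user name, password, clock and "outbox" standing in for the SMS or authenticator channel are all constructed for the demo. Once the token exists, whoever presents it is the user, which is exactly what malware on the user's box gets to do; the step-up rule on the transfer call is one partial mitigation, also an assumption of this example rather than anything the post describes.

```python
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Toy two-factor login that issues a bearer session token (constructed example)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, password hash)
        self.pending = {}   # challenge id -> (username, one-time code)
        self.sessions = {}  # session token -> {"user": name, "otp_at": timestamp}
        self.outbox = []    # stand-in for the second channel (SMS, authenticator push)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def _send_code(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = (username, code)
        self.outbox.append((username, code))
        return challenge

    def login(self, username, password):
        """First factor: password check. On success a code goes out on the second channel."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, pw_hash = record
        if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        return self._send_code(username)

    def verify_otp(self, challenge, code):
        """Second factor. One attempt per challenge; success mints a bearer token."""
        entry = self.pending.pop(challenge, None)
        if entry is None or not hmac.compare_digest(entry[1], code):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": entry[0], "otp_at": self.clock()}
        return token

    def whoami(self, token):
        """Whoever presents the token is the user. Neither factor is checked again."""
        session = self.sessions.get(token)
        return session["user"] if session else None

    def transfer(self, token, amount, max_age=300):
        """Step-up rule (assumed mitigation): refuse if the last OTP is older than max_age seconds."""
        session = self.sessions.get(token)
        if session is None:
            return "denied"
        if self.clock() - session["otp_at"] > max_age:
            return "step-up required"
        return f"sent {amount} from {session['user']}"

    def request_step_up(self, token):
        session = self.sessions.get(token)
        return self._send_code(session["user"]) if session else None

    def complete_step_up(self, token, challenge, code):
        entry = self.pending.pop(challenge, None)
        session = self.sessions.get(token)
        if entry is None or session is None or entry[0] != session["user"]:
            return False
        if not hmac.compare_digest(entry[1], code):
            return False
        session["otp_at"] = self.clock()
        return True


def demo():
    """Legit login, then an attacker on the same machine reuses the session token."""
    now = [1_000_000.0]                       # controllable clock for the demo
    srv = AuthServer(clock=lambda: now[0])
    srv.add_user("alice", "hunter2")          # constructed user and password
    results = {}

    results["bad_password"] = srv.login("alice", "wrong")
    challenge = srv.login("alice", "hunter2")
    _, code = srv.outbox[-1]                  # the user reads the code off her phone
    token = srv.verify_otp(challenge, code)
    results["user_logged_in"] = srv.whoami(token)

    # Malware on alice's box copies the cookie. The server cannot tell the two apart,
    # so the second factor is bypassed without ever being attacked directly.
    stolen = token
    results["attacker_as_user"] = srv.whoami(stolen)
    results["attacker_transfer_now"] = srv.transfer(stolen, 100)

    # An hour later the step-up rule at least forces a fresh code for money movement.
    now[0] += 3600
    results["attacker_transfer_later"] = srv.transfer(stolen, 100)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the attacker's `whoami` and immediate `transfer` succeed with nothing but the copied token. The step-up check only helps for actions the server bothers to gate, and an attacker who controls the browser can still ride the session while the user types the fresh code in, which is why the second factor on its own does not save you from a compromised endpoint.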

