Re: Ouch
And both of these need addressing. I completely agree that there should be some form of legal requirement for companies to provide evidence of a good security plan, but that should also include updates on regular maintenance schedules etc. Some form of guidance that states the level of additional security required based on what type of data is being stored. The current legislation does not go far enough to protect the consumer.
Education of end users is equally important. I have set up all of my immediate family with different password management regimes based on their individual technical capabilities and needs. Good security doesn't have to be onerous; it should, however, reflect the same risk vs impact model. If you are only ever getting your email, doing a bit of Skype and Facebook, having them written down in a notebook at home is fine. If you need to do shopping online or internet banking, encryption is a must.
As you say, lots of people use a generic username and password for everything; the number of people whose accounts are compromised on one site and therefore compromised everywhere is staggering. But if they don't know any better, can we blame them? Bad information from the media, ridiculous and inconsistent application of the Data Protection Act which is only followed when it suits the company, mixed messages from most companies and banks. If a company rings me up, they absolutely should either have a completely different authentication method from when you call them, OR provide a reason behind the call and ask you to call them back at your convenience (and expect you to use the numbers for them you already have). Instead they immediately start asking for Name (Wait, didn't you just call me?), DOB, Address, making all of this information easy pickings for social engineering.