

EBay Urges Password Changes After Breach - akerl_
http://krebsonsecurity.com/2014/05/ebay-urges-password-changes-after-breach/

======
dtdt1
Since most users reuse passwords or use variants of them, we should push the
industry towards something like PCI DSS for storing passwords and other user
metadata. While PCI had credit card vendors to push it through, how can we do
the same for user passwords and metadata? Maybe an industry consortium of the big
players volunteering to use one. If compliance is expensive, new startups need
not use it and consequently users will use a 'less important' password for
this class of websites. Or they will use a 'Stripe' for identity.

~~~
akerl_
PCI only "works" because the credit card companies have the final say on who
can accept payments from their cards. It's a powerful position to be in, and
they use it skillfully.

We are neither in the same position nor should we try to put ourselves there:
the solution to password reuse is not stronger provider security, it's
stopping password reuse. We're in the future, we have password managers and
they integrate with the tools we put passwords into. There is no longer any
reason that a human needs to remember hundreds of unique passwords, and thus
no reason for a human to reuse a password in lieu of remembering multiple.

