@Master Chief said:
I disagree, I think everything should be secured the same, because of what was brought up earlier, that people use the same emails and password combinations across multiple sites. But, I also think that, in the event they get that login info stolen, the website shouldn't be held responsible, the user should.
Urgh, in this specific case, the website people were clearly incompetent.
Also, this begs the question: have you ever designed a security solution? I have. The point of every system is cost/benefits, because all information is unsecure; what you can do at most is act as a deterrent. How much is the information worth? How much are you willing to expend to protect it? How much is someone willing to expend to steal it from you?
Then you act accordingly.
If the user uses the same password for a compromised system, the user is liable. If the company makes an unsecure system, the company is liable.
In this case, if the company did not implement adequate security measures, saw signs of hacking and did not act on them, then the company is liable no matter how retarded the users are.
It takes two to tango. I agree that users don't make the best choices ever, but neither do companies. What I think is that we need to implement better security models, because frankly I don't think users will ever be fully aware of the security issues, and we should not expect them to become security experts.