When developers and designers continue to ignore how people actually behave then said developers and designers are the ones at fault. Studies have shown over and over that people write complicated passwords down, reuse passwords, etc.

Yes, people do dumb things. And they use their birth date for their ATM pin. The natural (and even universal) tendency to do dumb things doesn't absolve users from taking responsibility for their actions.

What we really need is a decent and inexpensive two-factor auth solution.

Sure. And maybe (maybe) we'll get one of those someday, but until then the game is all about risk mitigation. The risk for me for a security breach at PM is zero. So therefore I don't care what PM does or does not do to secure my information. YMMV.

And if you want to play the "professional" card then you might want to avoid saying things like "certain people should be publicly humiliated with extreme prejudice".

No, if I wanted to play the "professional" card I'd use much harsher terms, like "fired." Any professional, who has been trained in IT security procedures, and who is fully aware of the risks and hazards of password security, who nevertheless uses the same same password on PM that they use on a server or a bank account deserves much more punishment than mere humiliation.

I think we are well past the time where just blaming the users is acceptable or professional. The actual studies are often just ignored and blaming the victim has just become an excuse. Not exactly a recipe for innovation, eh? The problem at this point is with the industry.

Elda Taluta; Sarks Sark; Ark Arks