  • Showing only topics with the tag "technology".
    1. Passwords

      This will probably be controversial, but I disagree with the current password policy. Checking against a list of known broken passwords sounds like a good idea, but that list is only ever going to get bigger. The human factor has to be taken into account. People are going to reuse passwords. So whenever their reused password gets hacked from a less secure site, it's going to add to that list.

      Ideally, a password would be unique. Ideally, users should maybe even use a password manager that generates garbage as a password that no one could hack. An ideal world is different from reality. Specific requirements are going to lead to people needing to write things down. In the past, that was on paper, like Wargames. Now, it's going to lead to people pasting their username and login into text documents for easy reference. That's probably what I'm going to have to do. Was my previous method of reusing passwords safe? No. Will my new method of remembering passwords be safe? Probably not either.

      I'm not entirely sure what all the account security is about, either. For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board? There's better ways to establish legitimacy. 4chan, of all places, dealt with this (nod to 2chan), by having users enter a password after their username that got encoded and displayed as part of their username to verify that they were, in fact, the same user.

      So the topic for discussion would be, what's the endgame here? Where is the line drawn between usability and security? I may well be on the wrong side of this, but I think it's worth discussing.

      Edit: I think there may be some good reasons, evidenced in this reply. I think it was a good discussion nonetheless, since it wasn't obvious to me and perhaps not to other people.

      Edit 2: I'm going to hop off, but I think there's been some good discussion about the matter. As I said in the original post, "I may well be on the wrong side of this". I may well be, but I hope I have addressed people well in the comments. Some of my comments may be "worst case" or "devil's advocate" though. I understand the reason for security, as evidenced above, but I'm unsure about the means.

      17 votes
    2. Have you quit any social media?

      Have you quit social media? Why? Why not?
      I have been thinking about it (specifically Facebook). I have not done so, because I fear that I'll lose contact with friends from my past (even though I have not messaged any of them, or seen their profile, in years).

      25 votes
    3. What are some current examples of "the emperor's new clothes?"

      For those unfamiliar with the story, "The Emperor's New Clothes" is about an emperor who parades around naked, but nobody will point out the obvious for fear of being seen as ignorant. Idiomatically, it refers to something seen as true or widely praised, simply because nobody is willing to speak out against it.

      I saw a rant about "blockchains" being the new overhyped hotness for tech companies, and it made me wonder what other "new clothes" are out there right now. What's something you have a strong takedown for that everybody else seems to love/support?

      38 votes
    4. Worthwhile to post about a spammer targeting nonprofits?

      I volunteer with several small nonprofits. A few weeks ago, one of them got a spam message from a "volunteer" offering to create a free website for the organization and disclosing a connection to DonorComplete. There was no unsubscribe link. I hit Google, which eventually led me to a thread on TechSoup where I commented with what I had found to that date under the same user name: http://forums.techsoup.org/cs/community/f/24/t/43439.aspx This & other results showed that the "free" website is linked to historically very expensive hosting (historically, ~$20-$40/mo, now showing about $10/mo) for a static website with very limited support or options.

      My research continued intermittently, but there appears to be a network of over 100 domains (active, expired, dormant and/or returning server errors) connected to spam efforts over roughly the last 6 years, questionable marketing tactics dating back to ~ 1998, 4 overlapping corporations with one man as a central figure, several throwaway email addresses and a couple that seem to be dedicated & longer running, a handful of apparently dedicated servers and several shared servers with many connected domains hosted. The messages target nonprofit organizations and churches, with 4 textual variations posted via email, mailing lists, and comments. The first archived comments I found targeted FOSS project mailing lists. Based on the Internet Archive's Wayback Machine, many small nonprofits used their service years ago, but it looks like the spammers' services have been largely abandoned over the last few years - probably why the new campaign started ~ June.

      I've filed complaints with two of the registrars, and at least one of the recently active domains appears to be in non-hosted status. Would there be any interest in my posting a thread with the details of what I've found so far (spreadsheets and mind maps in progress)? Would anyone be interested in helping me present the data in a more easily digestible format a la r/dataisbeautiful? Or can anyone recommend an easier way to report the registrant tied to the spam? I'm not trying to start a witch hunt, but these people seem to have flown under the radar for a long time, and I know many small nonprofits aren't tech savvy enough to recognize the warning signs these folks present.

      8 votes