Hacker News

This is why you absolutely need to safeguard user passwords. 60-70% of your users will use a variant of their email password for your app as well. Normal people don't memorize or write down 10 passwords, or even 2. Lose a user's password, you've cost them their bank accounts.


You sorta missed the point. Kim never gave a single password out. The "security questions" on one of her accounts allowed access to her account by anyone who could answer them. The weakness was largely her college's fault for having such weak validation, and also her fault for using that email as the secondary for her GMail.


I don't think he missed the point. The point is that user management of multiple passwords just doesn't work. This includes the reusing of passwords for multiple accounts and there being too many disparate password recovery schemes. There is too much asked of both implementers of web apps and users of web apps.


I think the current practices, which enabled this domino effect where the security level of the whole is that of the weakest link, are also to blame. We must find something better.


For some reason, my electric utility has introduced JavaScript that disables copy/paste into the password field of their website. This kills my use of KeePass as an encrypted password vault. If some of the users are going to use KeePass or a similar program, I think this should be encouraged. At least those users won't be subject to these sorts of attacks.


Use the pref that prevents sites from disabling your right click, and use right click paste to paste it in.

That also bypasses any onKeyPress validation.

Or Linux, where you can middle-click to paste.
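The two points in the comments above (a paste blocker breaks password vaults, and a keypress filter is skipped entirely by pasted text) can be exercised without a browser. The following is an added example, not code from the thread or from any site mentioned in it; the field stand-in and the helper names (makeField, installPasteBlocker, installKeypressFilter, serverSideCheck) are this example's own, and the password policy and sample password are constructed for illustration.

```javascript
// Added example, not code from the thread. A tiny stand-in for a browser
// input element so event handling can be exercised in Node without a DOM.
function makeField() {
  const field = { value: '', listeners: {} };
  field.addEventListener = (type, fn) => {
    (field.listeners[type] = field.listeners[type] || []).push(fn);
  };
  // Dispatches an event and reports whether the default action survived,
  // i.e. no handler called preventDefault().
  field.dispatch = (type, detail) => {
    const ev = {
      ...detail,
      defaultPrevented: false,
      preventDefault() { this.defaultPrevented = true; },
    };
    for (const fn of field.listeners[type] || []) fn(ev);
    return !ev.defaultPrevented;
  };
  return field;
}

// The anti-pattern the utility site uses: cancel every paste into the field.
// It blocks KeePass-style vaults and adds nothing to security.
function installPasteBlocker(field) {
  field.addEventListener('paste', (ev) => ev.preventDefault());
}

// Client-side keypress filter dropping characters outside an allow-list.
// It only fires for typed characters, so pasted text never goes through it.
function installKeypressFilter(field, allowedRe) {
  field.addEventListener('keypress', (ev) => {
    if (!allowedRe.test(ev.key)) ev.preventDefault();
  });
}

// Simulates a user typing: one keypress event per character.
function simulateTyping(field, text) {
  for (const key of text) {
    if (field.dispatch('keypress', { key })) field.value += key;
  }
  return field.value;
}

// Simulates a vault or middle-click paste: a single paste event.
function simulatePaste(field, text) {
  if (field.dispatch('paste', { text })) field.value += text;
  return field.value;
}

// The check that actually holds is the one run on the submitted value,
// whatever path it took into the field. Illustrative policy: 12+ chars.
function serverSideCheck(password) {
  return typeof password === 'string' && password.length >= 12;
}

// Scenario 1: a paste blocker versus a vault-generated password.
function pasteBlockerScenario() {
  const vaultPassword = 'Tq9$vL2!wXp7mR4e'; // constructed sample value
  const blocked = makeField();
  installPasteBlocker(blocked);
  const open = makeField();
  return {
    blockedFieldValue: simulatePaste(blocked, vaultPassword),
    openFieldValue: simulatePaste(open, vaultPassword),
  };
}

// Scenario 2: the keypress allow-list is bypassed by paste, so only the
// server-side check is a real control.
function keypressFilterScenario() {
  const input = 'ab!c'; // constructed sample value
  const typed = makeField();
  installKeypressFilter(typed, /^[a-z0-9]$/i);
  const pasted = makeField();
  installKeypressFilter(pasted, /^[a-z0-9]$/i);
  return {
    typedValue: simulateTyping(typed, input),
    pastedValue: simulatePaste(pasted, input),
    serverAcceptsTyped: serverSideCheck(typed.value),
    serverAcceptsPasted: serverSideCheck(pasted.value),
  };
}

console.log(JSON.stringify(pasteBlockerScenario()));
console.log(JSON.stringify(keypressFilterScenario()));
```

Running it shows the blocked field left empty while the open field holds the vault password, and the filtered field accepting `ab!c` by paste while rejecting the `!` when typed; in both scenarios only the server-side check decides whether the password is acceptable.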


If you use Firefox, you can use the NoScript Addon to disallow JavaScript on that particular site.


Tried that. In order for the login entry fields to be visible, and the JavaScript routines for login to work, the script has to run.



