In http://www.schneier.com/blog/archives/2009/05/researchers_hij.html, Bruce Schneier mentions some results of UCSB research.
What really sticks out in my mind is the following.
“During that time, however, UCSB’s researchers were able to gather massive amounts of information on how the botnet functions as well as what kind of information it’s gathering. Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using “simple replacement rules” and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information. The researchers noted that they were able to read through hundreds of e-mail, forum, and chat messages gathered by Torpig that “often contain detailed (and private) descriptions of the lives of their authors.””
It’s the whole reusing credentials part that sticks out for me. 28% of people use the same login and password for over 350K websites.
I think it’s high time to move the web to multi-factor authentication: RSA-like tokens that require something you know (a PIN) and something you have (a keyfob). Much safer.