Inaccurate/Incomplete reporting, again...

This is clearly a WINDOWS exploit yet this article, like hundreds that preceeded it, perpetuates the myth that all PCs, regardless of their OS, are equally vulnerable to attacks. It'd like to see the IT press start calling the shots more accurately.

Practicality

Some people are missing the point here with biometrics and usb tokens. Google are about data collection and ad revenue - they won't force implementation of secondary security measures if it impacts on usability = take up = revenue. The analogues to bank security aren't really valid either - and if your storing financial or password info online then you are asking for it. I like the idea of the OS forcing better passwords but again there is no point if people can't remember them. Human lazyness and ignorance are the weak links in the password chain.

What about obligatory secure passwords?

Could not Google configure things in such a way that people would be obliged to use strong, secure passwords when they first create them? Maybe notifications giving guidelines as to what to include in the password and not accepting it until it is at an acceptably secure level.

Learn of banking security

I think that cloud computing will resemble banking very close in the future. They are the bank account to hold all of your data. Google used this comparison already with the introduction of Google Docs.

My feeling is therefore that they should implement the same security measures that the banking world is. A handy device is the code calculator, a device where you insert your identification card, type in your personal access code, and the calculator generates a login code.

This code is dependent on the unique code inside your identification card, a personal access code and a changing number inside the calculator memory. The number inside the calculator memory changes every time you generate the next code. An access code is generated with an extensive formula, making it difficult to crack.

Your online account can predict the next login code, because it has access to the same information. Therefore it can see if you are using the next (or if you made a mistake the second/third next) generated login code. If not, your account will lock.

Because the personal access code is personal, and because the security card has a unique code, it's making it more save to log-in.

For me, that would be a way that I could trust a cloud service. But until such rigid security is implemented, I could not.

Easy Answer

Most people use the same password for all accounts. They pick easy passwords that are easy to remember. This is well-known and there have been years worth of attempts to remedy the problem. Having a single sign-on with the same, easy password that someone uses everywhere else doesn't add significantly to the problem.

What solves it? Google need to implement a password strength test and disallow easily-cracked passwords, perhaps suggesting ones for the user that would be easy to remember with some assistance. Passwords are checked against standard dictionaries and the user is required to change at next log-in. Remembering one password isn't too bad.

Once we have one, really good password and OpenID, we're all good.