
> One in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud.

Looks unbelievable at first. How could people be so stupid?

But I use such passwords all the time. I use a variety of websites where I have no need or desire for security. Want to post burrito reviews on burritophile.com as me? I picked something simple and easy to guess; a couple of hours and you'll be going to town! (Just promise not to badmouth the Cosmic Cantina.)

My bank accounts? Oops, didn't use the same password.



It always bothers me a bit when I see analysis of password strength for compromised sites without any mention of the possibility that the account might just not be important to users.

But there is a caveat. If the account is somehow identifiable as yours (say, because your friends know it's your account) then suddenly it's a possible social attack vector. Perhaps a weak one, but probably not something to be ignored, either.


> It always bothers me a bit when I see analysis of password strength for compromised sites without any mention of the possibility that the account might just not be important to users.

I actually use that as a factor when considering a password. If I think the site isn't going to be the most secure (a phpBB forum, or hand-rolled web-app), then I'm more likely to use a simple (but still relatively decent) password.


Recently I made a new password for some random site (and kept an encrypted record of it). Then I was relieved I did, because the site turned around and emailed the password right back to me. Unencrypted. In plaintext.

Hmm, that is wrong enough that I'll call them out by name... https://www.nbotickets.com/ (Is it polite and useful to email them how I feel about that? I feel like I'd just be "someone-is-wrong-on-the-internet"-ing. Advice?)


Many mailing lists are doing that by default, too.


I'd love to see a set of data that compares weak passwords with used-Mailinator. I only ever use weak ones with Mailinator accounts, and I doubt I'm the only one (though maybe not enough to account for a majority of weak-password users).
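The comparison this comment asks for, written up as an added example rather than anything from the thread: given a dump of (email, password) rows, split accounts by whether the address is on a throwaway-mail domain and compute the share of each segment whose password sits in a common-password list. The password list is seeded with the five examples quoted at the top of the thread, and the dump, the filler passwords and the non-Mailinator disposable domain are all constructed for this example.

```python
from collections import Counter

# Constructed stand-in for a "top 500" list: the five passwords quoted in
# the thread plus a few filler entries. A real analysis would load the
# full published list.
COMMON_PASSWORDS = {"password1", "compaq", "7777777", "merlin", "rosebud",
                    "123456", "qwerty", "letmein"}

# Throwaway-mail domains. Mailinator is the one named in the thread; the
# second entry is a placeholder, not a real service.
DISPOSABLE_DOMAINS = {"mailinator.com", "example-throwaway.test"}

# Constructed sample rows as they might appear in a compromised-site dump.
SAMPLE_DUMP = [
    ("alice@mailinator.com", "password1"),
    ("bob@mailinator.com", "merlin"),
    ("carol@mailinator.com", "Xk9#vQ2pL!"),
    ("dave@bank-employee.test", "rosebud"),
    ("erin@corp.test", "7777777"),
    ("frank@corp.test", "correct horse battery staple"),
    ("grace@corp.test", "t6%Ym2@zR9wq"),
    ("heidi@corp.test", "compaq"),
    ("ivan@corp.test", "kL3$pW8!nV"),
]


def is_disposable(email: str) -> bool:
    """True if the address belongs to a throwaway-mail domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in DISPOSABLE_DOMAINS


def weak_password_rates(rows):
    """Return {segment: (weak, total, fraction)} for the 'disposable' and
    'other' segments; a password counts as weak if it is in COMMON_PASSWORDS."""
    totals, weak = Counter(), Counter()
    for email, password in rows:
        seg = "disposable" if is_disposable(email) else "other"
        totals[seg] += 1
        if password.lower() in COMMON_PASSWORDS:
            weak[seg] += 1
    return {seg: (weak[seg], totals[seg], weak[seg] / totals[seg])
            for seg in totals}


if __name__ == "__main__":
    for seg, (w, n, frac) in weak_password_rates(SAMPLE_DUMP).items():
        print(f"{seg:10s} {w}/{n} in common list ({frac:.0%})")
```

On real data the interesting output is the gap between the two fractions, not the absolute numbers; a large gap supports the "unimportant account" reading of the headline statistic.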



