by bkjsbkjdnf 3551 days ago
> trying to enforce security constraints on new websites alone is an impossible task.

Why 'new websites alone'? Enforcing security standards on new/small websites would be harder than on large ones, and the large ones are more important. There are already many cyber-security related laws that are in place and more-or-less enforced. Having these laws makes large companies invest money into at least attempting to follow them for fear of legal repercussions.

2 comments

Who would enforce it on any website? The US government, or W3C, or IANA? Everyone talks about a free and open web and no one wants someone poking around behind the scenes. I don't trust anyone to enforce password rules for fear of exploitation. The user is responsible for their password security and it should stop there.

That being said, Yahoo should have force-reset passwords.

> The user is responsible for their password security and it should stop there.

That would be true if the user created, stored, and authenticated the password himself.

> Enforcing security standards on new/small websites would be harder than on large ones

Wait, you think the larger a property gets, the easier it gets to secure it?

I'm guessing s/he means that there are fewer total such sites, so any regulatory body wouldn't have as many individual properties to monitor.

That is to say, it's a reference to the effort of the regulatory body, not of the property managers themselves.

No, but the larger the company, the more incentive it has to meet regulatory demands. There are also far fewer such companies, so they are easier to identify and check.