by diogenes4 1025 days ago
> but starting a low level awareness campaign to warn people with passwords that haven't changed in years about this risk seems like an easy thing to do that

Rate of change seems like a very poor signal compared to absolute password strength, which won't change over time. Isn't this already built into LastPass?

1 comments

Ah, I was talking about OP's comment - it wasn't that passwords weren't changed often - it's that they were created a long time ago when that particular length/complexity was thought to be enough.
I see what you're saying, but 8 characters was also considered not enough 20 years ago. Naturally it takes a long time for good practices to propagate but