Summary (it is all a little meta for me): the reddit link above started as a fairly innocuous reddit thread comparing the sizes of the two books "Javascript - The Definitive Guide" and "Javascript - The Good Parts" - the Good Parts being a good deal smaller as the linked photograph illustrates.
Some wise guy decided to have a little joke, and posted a comment instructing people to copy and paste a snippet of Javascript on their URL location bar. A lot of people (presumably "web programmers") did as instructed. That little snippet posts a comment on that same thread, instructing the next person to do the same. That entire reddit thread is overrun with those script generated comments.
Social lesson: we are fked as far as security is concerned, if that reddit thread is any indication: even programmers would sheep-like do as they are instructed. I suppose that was the "lesson" the wise guy had in mind.
Some good samaritan posted another Javascript snippet to clean up the reddit thread - automatically downvote the spam comments or hide them.
This is an excellent illustration of a core principle of security: anything relying on "educate the user so that they know better" is doomed to failure.
To be precise, anything relying on "educate the user so that they know better" is doomed to be insecure. It is likely to be successful in the sense of becoming popular because it offers humans someone else to blame.
For example, if I am in IT and I tell people to choose a 512 character password with alphanumeric characters that changes every day and doesn't repeat any sequence that appeared in a previous password or contain a dictionary word, I can expect people to write their passwords down on paper and get hacked, even if I tell them not to write it down.
But I can always blame them for writing them down, few people will blame me for being too lazy to find another way to secure the system.
1. Choose a memorable (read: simple, dictionary, insecure) password
2. Choose a good password and write it down
If Joe the Cubedweller writes his login password down on a sticky note, the only other people who are expected to have physical access to that note are him and the other cubedwellers, and they're going to have little to gain from seeing it. I would be much more concerned with Joe picking a bad password that could be guessed by an attacker on the outside.
Memorable passwords don't need to be simple, dictionary, or insecure.
MySonPlaysLittleLeague is a password that someone can easily remember, but few people get pointed in the direction of good sentence passwords, and most password policies indirectly limit the use of sentence passwords with character limits or number and punctuation requirements.
My favourite technique isn't to make the sentence itself the password, but the first letter of each word (with some punctuation thrown in for good measure). E.g. pick a line or two from a song, like "All the fear has left me now / I'm not frightened anymore" and that becomes "atfhlmn-infa" (if it's something that insists on digits too then you can easily do a substitution like "atfhlmn-1nfa"). Memorable without being insecure.
However, this is prone to being truncated by sites / software that only allows or uses the first 8 characters...
Another method that I have used in the past is leet-speak (oh look at me, aren't I cool - cough, cough), so I just used my name and converted it: Haitsma became H41t5m4, very similar to a random string, yet very memorable (depending on your interpretation of leet-speak, of course).
If the system in question permits it (unix accounts do, at least) including spaces in passwords--making it technically a pass phrase--is another nice trick.
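The "first letter of each word" technique from the song-lyric comment above, together with the 8-character truncation caveat raised in reply, as an added example (not code posted in the thread). It assumes a policy of 12 characters minimum with a required digit, and that truncation happens at 8 characters; both are assumed values, not anything the thread states:

```javascript
// Added example: build an "initials" password from a memorable phrase and
// check it against an assumed policy, including the truncation problem.

// Take the first letter of each word; '/' separates lines of the lyric and
// becomes a punctuation character in the result, matching the thread's example
// ("All the fear has left me now / I'm not frightened anymore" -> "atfhlmn-infa").
function initialsPassword(phrase, opts = {}) {
  const { lineSeparator = '-', digitSubstitutions = null } = opts;
  const parts = phrase.split('/').map(line =>
    line.trim().split(/\s+/)
      .filter(w => w.length > 0)
      .map(w => (w.replace(/^[^A-Za-z0-9]+/, '')[0] || ''))
      .join('')
      .toLowerCase()
  );
  let pw = parts.join(lineSeparator);
  if (digitSubstitutions) {
    // Substitute the first occurrence only, so the result stays easy to recall.
    for (const [from, to] of Object.entries(digitSubstitutions)) {
      pw = pw.replace(from, to);
    }
  }
  return pw;
}

// Check a candidate against an (assumed) policy and flag the case the thread
// warns about: a system that only keeps the first `truncateAt` characters
// silently discards whatever comes after them, digits included.
function checkPolicy(pw, { minLength = 12, requireDigit = true, truncateAt = 8 } = {}) {
  const problems = [];
  if (pw.length < minLength) problems.push(`shorter than ${minLength}`);
  if (requireDigit && !/[0-9]/.test(pw)) problems.push('no digit');
  if (truncateAt && pw.length > truncateAt) {
    const kept = pw.slice(0, truncateAt);
    const lost = pw.slice(truncateAt);
    if (requireDigit && !/[0-9]/.test(kept) && /[0-9]/.test(lost)) {
      problems.push(`digit only after character ${truncateAt}; lost if truncated`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed usage.
const LYRIC = "All the fear has left me now / I'm not frightened anymore";
const plain = initialsPassword(LYRIC);                                  // "atfhlmn-infa"
const withDigit = initialsPassword(LYRIC, { digitSubstitutions: { i: '1' } }); // "atfhlmn-1nfa"
console.log(plain, checkPolicy(plain));
console.log(withDigit, checkPolicy(withDigit));
```

The second candidate satisfies the digit rule yet still fails the check, because its only digit sits in the part an 8-character system would throw away; placing the substitution inside the first eight characters avoids that.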
I would be much more concerned with Joe picking a bad password that could be guessed by an attacker on the outside.
This argument presents a false dichotomy, as the issue is not how strong to make passwords, but whether there are other security mechanisms that could be used in conjunction with passwords or instead of passwords.
My point is that a password places all the blame on Joe instead of on IT, so IT prefers passwords :-)
It's gotten worse in the last hour or so. Someone's modified the worm so that simply looking at a page with the comment will cause you to start replying to all the posts on that page. Coupled with the fact that reddit has the "red/orange envelope" feature, whereby users are notified if somebody replies to their posts, and the fact that users tend to watch for said envelope in anticipation, the site seems to be melting down.
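The mechanism described above (a comment that runs as soon as the page is viewed) only works when a comment body is placed into the page as markup. As an added example, not code from the thread or from reddit, here is the unsafe rendering pattern beside the escaped version; the comment structure, the author name and the body are all constructed sample data:

```javascript
// Added example: render user comments as inert text so a body containing
// markup is displayed, not interpreted, by viewers' browsers.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text be parsed as a tag or break out of
// an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Unsafe: user-controlled fields are concatenated straight into markup.
// This is the pattern that lets a stored comment execute in other users'
// browsers; it is kept here only to contrast with the safe version.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Safe: every user-controlled field is escaped before concatenation.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
         `${escapeHtml(comment.body)}</div>`;
}

// Constructed sample: a comment whose body is a script element.
const SAMPLE_COMMENT = { author: 'wise_guy', body: '<script>/* would run on view */</script>' };

console.log(renderCommentUnsafe(SAMPLE_COMMENT)); // contains a live <script> tag
console.log(renderCommentSafe(SAMPLE_COMMENT));   // contains &lt;script&gt; ... as visible text
```

In an actual browser the string building can be avoided entirely: create the element and assign the body to `element.textContent`, which never parses it as markup. Escaping at render time is the server-side equivalent and must be applied to every field the user controls, the author name included.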
At first I thought it was the picture that was causing all those posts because I didn't think people were really dumb enough to paste javascript in their browser when they don't even know what it does (especially on the programming reddit...)