
| From: ac via talk <talk@gtalug.org>

| no, not really. by the time you receive the type of email you have, it is
| way too late.

Probably. But the information that a site was hacked should still be useful to the site.

| How sure are you that it was Canada Computers? Are you saying that that
| was the only place you used that password?

Yes. (I said that in my original posting.)

| And, is it a current
| password (dollars to donuts says: no...)

It was. No longer.

| and with Google hacked, Yahoo
| hacked, Microsoft hacked, it matters very little anyway... Change your
| passwords every 30 days (or less)

I find that too much bother. Experts have waffled on this policy.

| and never use the same password
| twice (or even anywhere else) - If they sent me my google/yahoo/etc
| password - I would even be able to tell you from which week it came :)

For real security, use something other than passwords. But that doesn't seem to be in place for most sites.

Single-sign-on makes multi-factor authentication more feasible. I don't trust the monopoly power of single-sign-on providers. And I don't trust the resulting "one compromise to rule them all" ecosystem. And I'm not attached at the hip to a mobile phone (SMS is the usual second factor for consumers).

I can imagine that client certificates for TLS could help, and I assume that the TLS supports this feature. But I don't know that any important sites exploit them. And the certificate hierarchy provides for monopoly abuse.