It's probably more likely that younger users don't use Yahoo for anything important, so they don't bother with strong passwords. Older users are more likely to have a Yahoo address as their primary email, etc.

Did Yahoo give him its user password database or what?

1) Can the older folks actually remember all their passwords? Or are they writing them down?

2) On a related note, if they only have one or two passwords to remember (email and maybe something else) that's easier than younger more tech-savvy individuals who may be trying to remember MANY MANY passwords (email 1, email 2, bank account 1, bank account 2, social media website 1, 2, 3, online forum 1, 2, brokerage 1, 2, iTunes Store, Amazon, Ebay, some app, electricity bill, wireless plan, phone plan, credit card 1, 2 ,3, etc, etc, etc).

I am by no means young, I'm 31, but am part of a more tech savvy generation. I have so many passwords to remember, even after trying to keep them the same, that now I have a whole Gmail label called login info where I store my passwords for everything. Not the actual password but mnemonics that are relevant to me like :"firsthousenum+first name first crush, no space or caps" which would be the street address (house number ) of my first house and the first name of the first girl I had a crush on, with no spaces or Capital letters. That is just an illustrative example, they're actually more obscure.

And this is after I made a concentrated effort to have categories of passwords, like all financial ones (bank, credit card, brokerage, etc) would be the same, but different systems have different requirements (letters, capitals, numbers, special characters, length) that it didn't work out, plus some force you to change passwords periodically, it's a mess.

On a different but kind of password related note, I wish that there would be a concept of a temporary password to use for accounts. For instance, I recently travelled abroad for a week, and was worried about key loggers or some other stuff getting my gmail password when I log on in hotels, cafes, other people's houses. What I would've loved is to set up a temporary Gmail password that was only valid for 1 week (in addition to my normal one) and use that while traveling. The temporary password would have limited access, I could send and read emails, but not change any account settings (like passwords, etc.) That would've been fantastic.

Instead, I changed my Gmail password to another one, but now that I'm back, Gmail won't let me change my password back to the original one (as previous passwords can't be reused). This is something new as I'd done this before while traveling.

That is what I do. All my passwords have the same initial six characters. So I only write down what comes after those six, and make them as long and secure as each site will allow. If a burglar steals the list, it will be useless because they don't know the common prefix, nor do they even know that there is a prefix. They just see "correct horse battery staple" and have no idea that the real password is "R5u7qPcorrect horse battery staple".

The latter. They know that the worst that could happen would be somebody impersonating them, and given how unlikely it is for someone to bother cracking their account to do so (SMTP is completely without security, for all practical purposes), they consider their email passwords to be unimportant. Now their Facebook passwords, they will protect. After all, that's where they do most of their communication.

And the more likely it is that you'll have a wealth of background to draw on when coming up with obscure-but-memorable (to you) bits of information you can combine and tweak to make a good password. I definitely notice this when comparing passwords my wife chooses with passwords my kids choose. She uses bits of old but important dates, parts of names of people she knew decades ago, etc. and comes up with some pretty good ones. I can mostly recognize where she got the pieces but doubt I'd ever be able to guess her password if she didn't tell it to me.

My kids, on the other hand, tend to pick simple names of favorite entertainment characters. Even when I try to get them to pick something more complex, they just don't seem to have much else to draw on. When I pointed out not long ago that one son's choice of his favorite pokemon's name as a password wasn't very hard to guess, he proceeded to pick a another pokemon with a longer name. When I talked him through the idea of picking several and using pieces of their names, the result was still not very good.

Perhaps all of this is just a result of not caring as much, but I think there's more to it.

(BTW, some are undoubtedly wondering why I force my family to give me their passwords. I don't. In fact I harp at them all regularly about how they shouldn't ever tell me their password. They roll their eyes and just blurt it out when I ask them to type it so that I can fix something on their account. I also find out their password when they forget their old password and I have to reset it for them. I used to change it to "changeme", but then I found out that just meant that my kids, at least, always had "changeme" as their password. So they actually have better security if I make them come up with something and tell it to me so I can set it. It also gives me a chance to make them think about whether or not they can remember the new password so I don't end up having to reset it again tomorrow.)

Yeah, seriously, who wrote the summary crap? Does anyone really think that most Yahoo mail users under 25 have conversations like this:

Umm, no. Actual conversations are more like:

Yup. And it galls me to see some places sending a confirmation message to your email address with your chosen username and password in cleartext when you register. Maybe that's why the kids don't bother with decent passwords, but to me it's another good reason to use a unique password for every site, and to then tailor the password strength to the weakness of password protection (cleartext, the mind boggles). Luckily, sites with personal and/or financial data (Amazon, banks, etc.) are a bit better, but it's still worth keeping their passwords strong and unique per site.

BTW, I beat you in the greybeard stakes by a few years...

My 9-year-old son has a password that's at least 15 characters long, composed of several made-up words, mixed case, with numbers and an exclamation point. Personally, I don't know how he remembers it. Of course, I'm the security guy, at work, so I've had quite a few discussions with my wife about choosing secure passwords for things like bank accounts, etc., in front of the kids. I guess they've learned through osmosis, at this point.

By the standards of the article, I'm a geezer, and I've always tried to choose strong passwords, even when I was younger. It really annoys me when I go to a site, even today, and they only accept 8 characters. Do they really care about the security of their users?