Learning Lessons From The "Twitter Hacker" Incident


bill - 1:55 am on Jul 23, 2009 (gmt 0)


The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

According to the article the same common passwords were used on multiple accounts...so if the target had separate passwords for each account, then this would have been limited to a single Gmail account being hacked.

I never retain a password that has been mailed to me. I will always go to the site and generate a new one after receiving a password recovery mail.

Prohibiting webmail seems a bit extreme. Just implement a reasonable pattern of regular password updating. You can force users to update their passwords in Google Apps. Perhaps Gmail and other webmail providers should institute a more stringent reconfirmation of a user's ID on a more frequent basis.


Thread source: http://www.webmasterworld.com/website_technology/3955845.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com