The password is dead, now what?

I read this morning that the hacktivist group Anonymous, under its Operation Italy (#OpItaly) banner, claims to have stolen 1TB of data, including unencrypted passwords, from Best Union, the ticket provider for Italy's Expo 2015.

Are we surprised? No.

Did it matter how strong each password was? No, because they are now out 'in the wild' along with other personal data. Password strength only buys you anything when the attacker has to crack a properly hashed store offline; a plaintext store hands over every password, weak or strong, the moment it is copied.

Perhaps the only sign of life for the password is that we all use a UNIQUE, strong password every time we are asked for one; you know, like this: DZN4$!UpbA^7. In this way the breach of one password database is contained and compromises only a single service/account, because the leaked credential cannot be replayed against any other site. This, however, will force mere mortals to use cloud-based password managers (those honey pots in the sky) which will likely succumb to the likes of Anonymous in the near future (the mitigating design, which not every product follows, is that the vault is encrypted on the client and the cloud only ever holds ciphertext that still has to be cracked).
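To make the "unique, strong password per service" point concrete, here is a small added example (not code from the original post or from any product it mentions) that generates a fresh random password for each service from a 94-character printable alphabet, the same shape as DZN4$!UpbA^7, and reports how many bits of guessing entropy a password of that length carries. The service names and the 12-character default are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from a CSPRNG (secrets, not random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def per_service_passwords(services, length: int = 12) -> dict:
    """One independent password per service, so a breach at one leaks nothing reusable.

    Re-draws in the (astronomically unlikely) event of a collision so the
    uniqueness guarantee holds by construction rather than by probability.
    """
    result = {}
    used = set()
    for service in services:
        pw = generate_password(length)
        while pw in used:
            pw = generate_password(length)
        used.add(pw)
        result[service] = pw
    return result


def is_reused(leaked_password: str, vault: dict) -> list:
    """Credential-stuffing check: which other services share a leaked password?"""
    return [svc for svc, pw in vault.items() if pw == leaked_password]


if __name__ == "__main__":
    # Assumed service list, constructed for the example.
    vault = per_service_passwords(["expo-tickets", "email", "bank"])
    for svc, pw in vault.items():
        print(f"{svc:14s} {pw}  ({entropy_bits(len(pw)):.1f} bits)")
    # A breach at one service exposes only that one entry.
    leaked = vault["expo-tickets"]
    print("also valid at:", [s for s in is_reused(leaked, vault) if s != "expo-tickets"])
```

The entropy figure is the honest one only if every character really is drawn uniformly at random; a human-chosen "strong looking" password such as the one in the text has far less than 12 * log2(94) ≈ 78.7 bits because people do not pick uniformly. The `is_reused` check is the property the paragraph is after: with independently generated passwords the list of other services accepting a leaked credential is empty.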

With breaches like this so prevalent, have we not now reached the tipping point where regulators (not security analysts) look at the requirements of the law and conclude that designing any log-in system which relies on ANY form of password fails to meet the basic requirement set out in the UK Data Protection Act, Principle 7?

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to
  1. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
  2. the nature of the data to be protected

The rise of two-factor authentication, and with it the decline of the password as the sole credential, has long been predicted; perhaps we need some case law to tip the balance?
