EDIT: I love how most users on FAF are pointing fingers, blaming the "trolls", and giving FA asspats instead of questioning FA's security practices. Password expiration? What's that?
You really don't even need that. I see a lot of people suggesting that and other stuff in the wake of the Gawker attack, but you know what? My dad used to work for a major multinational. They had stringent security policies and a strict password policy. They enforced it. Well, as much as they could. He pretty much openly admitted to me that he had the same password for years and years but just incremented a number on the end. People will
go to great lengths to subvert your password policy. At some point you approach inconvenience, and that brings another set of security problems with it.
My suggestion is to have a basic strength requirement in place and then do server side monitoring. Like I said, it's not hard to establish a pattern of normal access, credit card companies have done this for years, if not decades. They pioneered the technique. People are going to access their accounts from the same places, most of the time. If some access seemingly violates the laws of time and space, then something should happen. An alert maybe. Maybe a secret question should be asked. Who knows. I'm not going to invent this system for them, but the technology exists.
There's a million ways to mitigate this stuff, it's just a question of available skill, really.
For what it's worth, I never got a Gawker commenting account because something about having to impress some dumbshit blogger to get my comments published seemed like a gigantic waste of time.