
You sorta missed the point. Kim never gave a single password out. The "security questions" on one of her accounts allowed access to her account by anyone who could answer them. The weakness was largely her college's fault for having such weak validation, and also her fault for using that email as the secondary for her GMail.


I don't think he missed the point. The point is that user management of multiple passwords just doesn't work. This includes the reusing of passwords for multiple accounts and there being too many disparate password recovery schemes. There is too much asked of both implementers of web apps and users of web apps.


I think the current practices, which enabled this domino effect where the security level of the whole is that of the weakest link, are also to blame. We must find something better.
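The two comments above describe a recovery "domino effect": an account is only as strong as the weakest account that can reset it or that shares its password. The following added example (not part of the thread) models that as a small dependency graph and reports which accounts are undermined by their recovery channels or by password reuse. Account names, strength scores and password labels are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed example (hypothetical account names and scores, not from the thread).
# Each account records:
#   strength    - ordinal score of the control that directly protects it:
#                 0 guessable security questions, 1 weak password,
#                 2 unique strong password, 3 strong password plus second factor
#   recovery    - accounts that can reset this account's password
#   password_id - label of the password in use; equal labels mean reuse
ACCOUNTS: Dict[str, dict] = {
    "gmail":         {"strength": 2, "recovery": ["college-email"], "password_id": "p1"},
    "college-email": {"strength": 0, "recovery": [],                "password_id": "p2"},
    "bank":          {"strength": 3, "recovery": ["gmail"],         "password_id": "p3"},
    "forum":         {"strength": 1, "recovery": ["gmail"],         "password_id": "p1"},
    "shop":          {"strength": 2, "recovery": [],                "password_id": "p4"},
}


def dependencies(accounts: Dict[str, dict], name: str) -> List[str]:
    """Accounts whose compromise also yields `name`: its recovery channels
    plus every other account that reuses the same password."""
    deps = list(accounts[name]["recovery"])
    pid = accounts[name]["password_id"]
    deps += [other for other, info in accounts.items()
             if other != name and info["password_id"] == pid]
    return list(dict.fromkeys(deps))  # drop duplicates, keep order


def effective_strength(accounts: Dict[str, dict], name: str,
                       path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Effective strength is the minimum over the account's own control and
    every dependency, followed transitively. Returns (score, chain that sets it)."""
    path = path + (name,)
    best, chain = accounts[name]["strength"], [name]
    for dep in dependencies(accounts, name):
        if dep in path:  # already on this chain (e.g. mutual password reuse); skip
            continue
        score, sub = effective_strength(accounts, dep, path)
        if score < best:
            best, chain = score, [name] + sub
    return best, chain


def undermined(accounts: Dict[str, dict]) -> Dict[str, Tuple[int, List[str]]]:
    """Accounts whose effective strength is below that of their own control,
    i.e. accounts weakened by a recovery path or by password reuse."""
    result = {}
    for name, info in accounts.items():
        score, chain = effective_strength(accounts, name)
        if score < info["strength"]:
            result[name] = (score, chain)
    return result


if __name__ == "__main__":
    for name, (score, chain) in undermined(ACCOUNTS).items():
        print(f"{name}: own strength {ACCOUNTS[name]['strength']}, "
              f"effective {score} via {' -> '.join(chain)}")
```

In the constructed graph the bank account, despite the strongest direct control, is reduced to the level of the college address's security questions because it recovers through Gmail, which in turn recovers through the college account; the forum is pulled down the same way through the password it shares with Gmail. The check a defender wants is exactly the `undermined` list: any account whose recovery or reuse chain ends at something weaker than the account itself.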



