How secure can you make a hosted service? I was reading about the recent Hotmail/Google username blunder and the thought struck me that the security model might be fundamentally flawed. After all, if they force the use of an email address as a login identity, then you have automatically given away your login identity to everyone to whom you have sent an email, and by extrapolation a hacker could figure out the login for most other employees in your company, e.g.
'Let's see now... if "John Smith" becomes "firstname.lastname@example.org" then his boss "Rita Rose" should be "email@example.com".'
The same article pointed out that around 40% of people had the same password for every website they used, and when you consider that most people on that list had a very simple password, then it shouldn't take too long for a dedicated hacker to get external web access to a couple of email accounts in your corporate system.
Am I missing something here or is this a time bomb waiting to explode in Google's face?
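The enumeration step the post sketches (one known name-to-address pair reveals the naming convention, which then yields everyone else's login) is mechanical enough to show in code. The following is an added example, not code from the original post or from any of the providers mentioned; the template list, the names and the example.org domain are constructed for illustration.

```python
"""Infer an organisation's email naming convention from one known address
and apply it to other employees' names.

Constructed example: the template list below covers the conventions most
organisations use; the post itself only mentions the first.last form.
"""

# Each template maps (first, last) to the local part of the address.
TEMPLATES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def split_name(full_name):
    """Return (first, last) in lower case; middle names are ignored."""
    parts = full_name.strip().lower().split()
    return parts[0], parts[-1]


def infer_template(known_name, known_email):
    """Return (template_name, domain) that reproduces known_email from
    known_name, or None if no listed template matches."""
    local, _, domain = known_email.strip().lower().partition("@")
    first, last = split_name(known_name)
    for name, fn in TEMPLATES.items():
        if fn(first, last) == local:
            return name, domain
    return None


def guess_logins(known_name, known_email, other_names):
    """Apply the inferred convention to other_names.

    Returns {name: candidate_address}; empty if the convention is unknown.
    """
    inferred = infer_template(known_name, known_email)
    if inferred is None:
        return {}
    template, domain = inferred
    fn = TEMPLATES[template]
    return {n: f"{fn(*split_name(n))}@{domain}" for n in other_names}


if __name__ == "__main__":
    # Constructed input: one address learned from a single received email.
    known = ("John Smith", "john.smith@example.org")
    colleagues = ["Rita Rose", "Ana Maria Lopez", "Wei Zhang"]
    print(infer_template(*known))
    for name, addr in guess_logins(*known, colleagues).items():
        print(f"{name:16} -> {addr}")
```

The point the example makes for a defender is that the login identity was never secret to begin with: any address used for correspondence leaks the convention, so the account's protection has to come from the password (and a second factor), not from guessing being hard.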