What i never got is why we don't have, by default, password expiry on all non-authenticator enabled battle.net accounts.
Famously a US-based gold seller has pointed out that his 'colleagues' don't hack battle.net accounts, don't key log, or don't do anything to get in Blizzards servers. Instead they less secure exploit community sites where commonly people use the same email / password combo as they do for battle.net. The only way to secure battle.net accounts for those that dont want authenticators is to force player's passwords to expire on a regular interval. e.g. every 30 days.
This practice is already in place for WoW players in Taiwan, and they see a markedly lower amount of account compromises than the rest of the battle.net user base.
I suspect Blizzard's response will be that there would be huge backlash against such a fundamental change to account security by the players.
What do you guys think? Password expiry, good or bad idea?