> > I am EXTREMELY worried about forcing high entropy on people though... so
> > that's where I start sighing. Sigh.

> Well, the reality of the stringent password policy issue is that
> people will find lazy workarounds unless they are invested in the
> liability. Meaning... if it is their credit card that will be used,

That's pretty much my problem. We don't think users really care that much, because it's not a banking app. The most a hacker could find would be the user's phone number, address, etc. Unfortunately, that user doesn't see how that information could then be used to phish them and install spyware. The consequences to my client of that kind of attack are pretty huge, but a user doesn't foresee something like that. So the interests of the company and the interests of the users aren't really aligned.

That leaves forcing users to have strong passwords, which leads to either a) annoyance & forgetfulness or b) sticky notes.

The users of the app are distributed -- so I'm wondering whether sticky notes really matter that much. I could see sticky notes being a problem if the sticky note is attached to the very computer the password logs into. But if the sticky note is for some random website? The person who wants the info on my client's website is a large-scale scammer -- not likely to browse through random offices looking for sticky notes, you know?

I guess I'm convincing myself that perhaps sticky notes don't matter SO much in this situation, and therefore it wouldn't be the end of the world to force users to go for more complex passwords that resist a standard brute-force attack.

Wondering if I'm making any sense...

Meredith

________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [EMAIL PROTECTED]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
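The thread above weighs "high entropy" policies against the lazy workarounds users reach for. The script below is an added illustration, not code from the thread or from any IxDA member: it compares the entropy a composition rule appears to grant (length times log2 of the alphabet) with a rough guess-count estimate that treats a dictionary word plus a suffix as a handful of guesses. The policy values, the tiny word list and the guessing rate are all constructed assumptions for the example.

```python
import math
import string

# Constructed policy for the example: 10+ characters drawn from at least 3 classes.
POLICY = {"min_length": 10, "classes": 3}

# Constructed stand-in for a real common-password list (a real one has millions of entries).
COMMON_WORDS = ["password", "letmein", "qwerty", "welcome", "123456"]


def char_classes(pw):
    """Return the alphabet size of each character class the password actually uses."""
    classes = []
    if any(c.islower() for c in pw):
        classes.append(26)
    if any(c.isupper() for c in pw):
        classes.append(26)
    if any(c.isdigit() for c in pw):
        classes.append(10)
    if any(c in string.punctuation for c in pw):
        classes.append(len(string.punctuation))  # 32 printable ASCII symbols
    return classes


def naive_entropy_bits(pw):
    """What a composition rule assumes: every character uniformly random over the used classes."""
    alphabet = sum(char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def pattern_penalized_bits(pw):
    """Closer to how guessing actually behaves: a known word costs about one guess
    from the word list, so only the trailing characters add search space."""
    low = pw.lower()
    for word in COMMON_WORDS:
        if low.startswith(word):
            tail = pw[len(word):]
            return math.log2(len(COMMON_WORDS)) + naive_entropy_bits(tail)
    return naive_entropy_bits(pw)


def satisfies_policy(pw, policy=POLICY):
    """True when the password meets the constructed length and class requirements."""
    return len(pw) >= policy["min_length"] and len(char_classes(pw)) >= policy["classes"]


def assess(pw, guesses_per_second=1e4):
    """Summarise one password: policy result, both entropy estimates, and the expected
    time to exhaust the penalized search space at an assumed (constructed) guess rate."""
    bits = pattern_penalized_bits(pw)
    seconds = (2 ** bits) / guesses_per_second
    return {
        "password": pw,
        "policy_ok": satisfies_policy(pw),
        "naive_bits": round(naive_entropy_bits(pw), 1),
        "penalized_bits": round(bits, 1),
        "days_to_exhaust": round(seconds / 86400, 3),
    }


if __name__ == "__main__":
    # "Password1!" satisfies the rule yet is a dictionary word with a two-character tail;
    # the random string has comparable length and class mix but a real 65-bit search space.
    for candidate in ["Password1!", "x7#Qm2vL9p", "short1!"]:
        print(assess(candidate))
```

The point for the policy debate: the composition rule cannot tell "Password1!" from a random 10-character string, so rejecting known words and measuring length does more against a brute-force or dictionary attack than demanding symbol classes, and it is the class demand that drives the sticky-note workaround.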