On 01/03/2012 05:09 AM, Greg Ihnen wrote:
A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it. Greg
I've been doing something with my site/app (phresheez) that is helpful on that front: instead of having them use their own password, the app auto-generates a password for the user. I did this mainly for convenience -- users hate typing on their phones -- but it has the nice property that you don't have a domino effect if a password on my site is compromised. Since most browsers auto-remember your passwords anyway, it even works in the web world. For most need-to-join sites, I think this is a pretty reasonable solution. Maybe not for, oh say, financial sites where password recovery is a little bit scarier, but for the run-of-the-mill app/site... it seems that this solution at least solves the domino problem. Mike
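To make the scheme Mike describes concrete, here is an added illustration of server-side password provisioning. It is not code from phresheez or from either poster; it assumes a toy in-memory user store (a real site would use its database) and uses PBKDF2 from the Python standard library so it runs anywhere, though a memory-hard function such as scrypt or Argon2 would be the better production choice. The point it shows is that the user never picks the secret, so the value a breach of this store could leak is unique to this site and cannot be replayed at a bank.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store for the example: username -> (salt, hash).
USERS = {}

# Bytes of randomness per generated password; 16 bytes is ~128 bits,
# far stronger than anything a user would type on a phone.
PASSWORD_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def provision_account(username: str) -> str:
    """Create the account and return the generated password exactly once.

    The site chooses the secret, so it is unique to the site by construction:
    a compromise here gives an attacker nothing to try at other sites.
    """
    if username in USERS:
        raise ValueError("account already exists")
    password = secrets.token_urlsafe(PASSWORD_BYTES)  # URL-safe, typeable if it ever must be
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))
    return password  # handed to the client (or its browser's password store), then forgotten


def verify(username: str, password: str) -> bool:
    """Check a login attempt without leaking which usernames exist via timing."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users as for known ones.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    pw = provision_account("alice")
    print("generated for alice:", pw)
    print("login with it:", verify("alice", pw))
    print("login with a guess:", verify("alice", "hunter2"))
```

Because the client is expected to store the returned password (the app itself, or the browser's autofill), the usability cost is the same as any remembered login; the security gain is that reuse across sites is impossible rather than merely discouraged.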