I agree with Eric that it highly depends on what you're protecting - go for broke if it's my SSN, but if it's not identity-theft-worthy stuff (my blog posts, for instance), I'd rather not have to remember my mother's blood type.
On my current project, we opted for encrypted passwords, never provided in the clear, and Matthew's recommended practice: the forgot-password unique key sent to your email, which just lets you change your password. We originally had pretty strict password-strength requirements, but 100% of our support calls around this came from legitimate mistypes by valid users.

I'd have to say the bigger security concern we have has nothing to do with passwords, but with people masquerading as their friends or enemies (ex-boyfriends, in particular) on the site. It's not rampant by any means, but it's extremely difficult to protect against someone creating an account with someone else's name and posting defamatory content about them. Even if you guard against offensive language, you can say an awful lot of mean stuff about someone without swearing.

As an anecdotal case study, we have never had a single complaint or request regarding our password-reset process, and its biggest benefit over sending a temporary password is that you only have to change your password once. Whenever I get a temporary password, if I don't change it immediately after signing in, I eventually have to ask for another temp pw. Kind of a pain.

Posted from the new ixda.org http://www.ixda.org/discuss?post=31963
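The reset flow the post describes (a unique key emailed to the user that only lets them set a new password, instead of a temporary password they must then change) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the poster's project or from ixda.org. It assumes an in-memory account store, a 15-minute lifetime for reset keys, and PBKDF2-SHA256 as a stand-in for whatever password hashing the site used; only a hash of the reset key is stored, the key is single-use, a fresh request invalidates the previous key, and comparisons are constant-time. The `now` parameter and the constructed accounts in `demo()` exist only so the example can be run offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical policy values (not from the post): reset keys expire after
# 15 minutes, and PBKDF2 runs 200,000 rounds.
RESET_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes


@dataclass
class ResetRecord:
    token_hash: bytes   # SHA-256 of the emailed key; the key itself is never stored
    expires_at: float
    used: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (stand-in for the site's real scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                       # injectable clock so expiry can be tested
        self.users: Dict[str, User] = {}
        self.resets: Dict[str, ResetRecord] = {}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, hash_password(password, salt))

    def check_login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))

    def request_reset(self, email: str) -> Optional[str]:
        """Return the key that would be emailed, or None for an unknown address.

        The caller should show the same 'check your inbox' message either way so
        the form cannot be used to discover which addresses have accounts.
        Requesting again replaces (and so invalidates) any earlier key.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).digest()
        self.resets[email] = ResetRecord(digest, self.now() + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Set a new password if the key is known, unexpired, unused and matches."""
        rec = self.resets.get(email)
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        presented = hashlib.sha256(token.encode("ascii")).digest()
        if not hmac.compare_digest(rec.token_hash, presented):
            return False
        rec.used = True                      # single use: a replayed link is rejected
        user = self.users[email]
        user.salt = secrets.token_bytes(16)  # re-salt so the old hash is unrelated
        user.password_hash = hash_password(new_password, user.salt)
        return True


def demo() -> Dict[str, bool]:
    """Walk through the flow with a constructed account and a fake clock."""
    clock = [1_000.0]
    svc = AccountService(now=lambda: clock[0])
    svc.register("alice@example.com", "correct horse")   # constructed sample account
    key = svc.request_reset("alice@example.com")
    results = {
        "unknown_address_gets_no_key": svc.request_reset("nobody@example.com") is None,
        "wrong_key_rejected": not svc.complete_reset("alice@example.com", "bogus", "x"),
        "valid_key_accepted": svc.complete_reset("alice@example.com", key, "new pass"),
        "new_password_works": svc.check_login("alice@example.com", "new pass"),
        "old_password_dead": not svc.check_login("alice@example.com", "correct horse"),
        "key_is_single_use": not svc.complete_reset("alice@example.com", key, "again"),
    }
    late_key = svc.request_reset("alice@example.com")
    clock[0] += RESET_TTL_SECONDS + 1
    results["expired_key_rejected"] = not svc.complete_reset("alice@example.com", late_key, "late")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point the post makes, that the user changes their password exactly once, falls out of the design: the emailed key is not a credential that can be used to sign in, it is only good for one `complete_reset` call within its lifetime. Storing a hash of the key rather than the key means a leaked database or log does not hand out working reset links.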