Two other factors to consider are:

- you cannot solve a policy issue with technology
- you cannot be other people's "password/security nannies"

The best that we can do with technology is to implement the mechanisms that will allow people to be as secure as they desire--let them choose what risk they are willing to take. If a person decides that their banking password is safe on a sticky note in their home office, then so be it. If a person decides that their email password can be their birthday, *even after it has been explained to them* that their email account can be used to gain access to other accounts (such as banking, etc.), then *so be it*--they've made their choice. Attempting to force higher security on someone that doesn't want it only results in those individuals finding other ways to make it less secure, simply because security and convenience are by definition at odds.

The hard part is educating people about the risks--it's not a fun topic and people don't really have an attention span for it. You *want* to help people be more secure with their data, but at the end of the day, you have to sometimes just point people at the answers and let them discover it for themselves when they're ready.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
