Does anyone know where I could find a list of best practices around
login security? I'm looking for an overview of the most common
techniques and how they relate to both security and user experience --
pros and cons.
For instance, I'd like information on:
- Site Keys (photographs uploaded by users and shown when they visit the
site so they know they are on the genuine site and haven't been phished)
- Enforcing strong passwords (vs. showing a password strength indicator
but not enforcing it)
- Hint questions and when they're useful vs. not useful (though the
thread http://www.ixda.org/discuss.php?post=31190 had a great discussion
- Emailing lost passwords to users
My current client is trying to address some security issues but the
particular approaches they've chosen seem somewhat flawed to me. It
would be great to find a balanced analysis of the options and plus a
list of recent innovations in this field.