by xpinguin 3749 days ago
I could call that list deliberately malicious from user experience standpoint:

>Are password entropy checks done during user sign-up, using, say AUTH_PASSWORD_VALIDATORS?

No. It's my information to be stolen, not yours. So then it is my choice whether to use 123 as a password or not. Why should I care to manage a complex password when I use your service, e.g., twice a year and have no important information there? (If you really believe that people are eager to fill a website with their authentic personal info unless they do not have other options, you are probably fooling yourself.)

The better alternative is just no registration at all :)

>Are failed login attempts throttled and IP addresses banned after a number of unsuccessful attempts

So, you hadn't listened to the previous piece of advice and forced me to create a password that would've passed through the password checker. Six months passed and now I have to remember it (I really don't want to bother with managing and storing a password to your service anyway). As you could imagine, it takes several tries, a dozen or two, maybe even three - depending on that cool password validator of yours. Do you say that I need to use Tor or have some pool of spare IP addresses just to log in to your service?

>Are all form fields (with the exception of password fields) validated with a restrictive regex?

Aha, start with an email and surname, polish with an address ;) Then your service will make it straight to oblivion even faster!

>Do you have an account recovery flow? Delete it immediately.

Quite appropriate actually: when all Tor exit nodes are banned by your login attempt throttler, those retards with severe memory impairment (whom you sometimes by mistake call "clients" in your marketing bullshit) must still not have a glimpse of a chance to use their account!


>No. It's my information to be stolen, not yours.

And when the site gets broken into years later, irresponsible users (or "morons" as you put it) will pillory them publicly even though it's their own damn fault for using a crappy password or using the same password for their email.

The number of people who will stop using a site because they can't meet basic password strength requirements is minimal and not worth caring about.

>irresponsible users (or "morons" as you put it)

Me?! God is my witness, I do not. Rather, it is the creators of that "checklist" who suggest that your users are idiots who should be punished even for being unable to remember their password. IMHO, the really bad thing about the list is the fact that technically legit (I am not a webdev though) points are casually mixed with statements implying a derogatory stance towards the target users. I do not want you to control the ways I manage my information, that's the point of my rant.

After all, it is not a big deal if some crappy SV startups, whose ultimate fate is to die silently after a year or two anyway, adopt the practice. The problem arises when the thing goes into the wild, bringing only headache and distraction to those who are able to control their information flow.

> It's my information to be stolen, not yours.

Many computer logins protect information other than the password-bearer's, for example any business or government. As a result it's best to consider it, then discard it as your use case may require.

I absolutely agree on the account recovery point - it WILL happen, your choice as designer is just whether it happens within a designed process or without.

>Many computer logins protect information other than the password-bearer's

That is my problem, as the user, not yours. If you'd like to help, then just put some warning or notification on the form, and I'll appreciate that. Just don't prohibit registration if the password of my choice is, e.g., '1'.

Most of the time, your business is your service, not the access to it.

> As you could imagine, it takes several tries, dozen or two, maybe even three - depending on that cool password validator of yours.

That's confusing. Are you saying 3 dozen login attempts for an existing account shouldn't trigger a lock out?

That seems unusual. ;)

No, it should not. Why is it unusual? It happens to me from time to time (not exactly three dozen, though; 20-25 attempts).

Lockouts on the 5th attempt are fairly common.

If you need 20-30 attempts to get into your own account... that sounds like you're doing something wrong. :(
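The throttling dispute above (the checklist's "throttle failed logins and ban IPs" item versus the complaint that a forgetful user needs twenty-odd attempts and that IP bans hit whole Tor exits or NATs) can be made concrete. The following is an added example written for this page, not code from the thread or from any checklist it quotes: a per-account sliding window with exponential backoff instead of an IP ban. The policy constants, the `LoginThrottle` class, the `FakeClock` and both scenario functions are all constructed for the illustration.

```python
import time
from collections import defaultdict, deque

# Policy values below are constructed for this example, not taken from the thread.
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
SOFT_LIMIT = 5             # free attempts before delays start
MAX_DELAY = 60             # cap on the enforced wait between attempts


class LoginThrottle:
    """Per-account sliding window with exponential backoff.

    Failures are keyed by account name rather than source IP, so a Tor
    exit node or office NAT is never banned outright, and a user who
    needs a few dozen attempts is slowed down rather than locked out.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> failure timestamps

    def _recent_failures(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account):
        """Return (allowed, seconds_to_wait) before verifying a password."""
        now = self.clock()
        q = self._recent_failures(account, now)
        n = len(q)
        if n < SOFT_LIMIT:
            return True, 0.0
        # 1 s, 2 s, 4 s ... after the fifth failure, capped at MAX_DELAY
        delay = min(MAX_DELAY, 2 ** (n - SOFT_LIMIT))
        elapsed = now - q[-1]
        if elapsed < delay:
            return False, delay - elapsed
        return True, 0.0

    def record_failure(self, account):
        self.failures[account].append(self.clock())

    def record_success(self, account):
        self.failures.pop(account, None)


class FakeClock:
    """Deterministic clock so the scenarios below run instantly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def forgetful_user(n_failures=25, pause=30):
    """A legitimate user guessing every 30 s and obeying the 'wait' message.

    Returns the total seconds the throttle made them wait; the account is
    never locked, only slowed to one attempt per minute.
    """
    clock = FakeClock()
    th = LoginThrottle(clock)
    total_wait = 0.0
    for _ in range(n_failures):
        clock.advance(pause)
        allowed, wait = th.check("alice")
        if not allowed:
            total_wait += wait
            clock.advance(wait)
        th.record_failure("alice")
    th.record_success("alice")  # finally remembers it; counters reset
    return total_wait


def attacker_burst(n_attempts=1000):
    """A script firing guesses with no pause: only attempts that pass the
    throttle reach password verification. Returns how many did."""
    clock = FakeClock()
    th = LoginThrottle(clock)
    verified = 0
    for _ in range(n_attempts):
        allowed, _ = th.check("victim")
        if allowed:
            verified += 1
            th.record_failure("victim")  # every guess is wrong
    return verified


if __name__ == "__main__":
    print("forgetful user waited", forgetful_user(), "s in total")
    print("burst attacker got", attacker_burst(), "password checks")
```

With these constants the user who needs 25 tries spends about seven minutes waiting in total and is never locked out, while an unattended burst gets five password checks per window and then one per minute at most. The server rejects a throttled attempt before touching the password, so denied attempts are not counted as failures; a real deployment would add a per-IP or per-device counter as a second signal and surface the wait as a "try again in N seconds" message rather than a silent ban.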