by daigoba66 5057 days ago
I agree, if you get locked out and need to regain access it should be as hard as possible to get back in.

On the flip side, we perhaps need to come up with something better than usernames and password for authentication. There are plenty of services where I simply cannot remember my password and/or username. I'm getting better about writing them down inside a password protected master file. But for many of those services I rely on the account recovery procedures; a vast majority of which are vulnerable once the attacker has access to my e-mail inbox.

1 comments

The problem is simply that if things are easy enough to remember, they're easy enough to crack or brute force. If they're too hard to remember, people will forget them and have to recover them.

I use LastPass and just generate a new random password for every new account. If I ever forget my LastPass password, I am boned (since it's the encryption key for my data!), but I don't worry about forgetting passwords anymore, and I don't worry about RandomSite getting hacked and my password being leaked. It's not perfect, but it's good enough.
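To make the "master password is the encryption key" point concrete, here is an added example sketching a minimal vault; this is illustrative code written for this page, not LastPass's code or a description of its format. It uses only the Python standard library, so the authenticated encryption is an assumed encrypt-then-MAC construction (HMAC-SHA256 in counter mode for the keystream plus an HMAC tag); a real vault would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The scrypt cost parameters, site names and master passwords are also assumptions.

```python
"""Minimal password-vault sketch: the master password is the only key.

Added example, not LastPass code. Standard library only, so the AEAD is an
illustrative encrypt-then-MAC built from HMAC-SHA256; production code would
use AES-GCM or ChaCha20-Poly1305 from a vetted library.
"""
import hashlib
import hmac
import json
import secrets
import string

# scrypt cost parameters (assumed; raise N on real hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Independent random password for one site, from the OS CSPRNG.
    A leak at one site says nothing about the password at any other."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.
    Only the master password and the salt go in, so there is no recovery
    path: forget the password and the keys are unrecoverable."""
    material = hashlib.scrypt(master_password.encode(), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (illustrative, not a standard AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict) -> bytes:
    """Serialize entries, encrypt under the derived key, append an HMAC tag.
    Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_vault(master_password: str, blob: bytes) -> dict:
    """Reject a wrong master password or a tampered blob before decrypting."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def demo() -> dict:
    """Round-trip a vault, then show a forgotten master password is fatal."""
    vault = {site: generate_password() for site in ("randomsite.example", "bank.example")}
    blob = encrypt_vault("correct horse battery staple", vault)  # assumed master password
    recovered = decrypt_vault("correct horse battery staple", blob)
    try:
        decrypt_vault("forgotten-master", blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"roundtrip_ok": recovered == vault,
            "wrong_master_rejected": wrong_rejected,
            "passwords_distinct": len(set(vault.values())) == len(vault)}


if __name__ == "__main__":
    print(demo())
```

The salt is stored alongside the ciphertext because it is not secret; what makes the vault unrecoverable without the master password is that nothing else feeds the key derivation. The MAC check comes before any decryption so a wrong password fails cleanly instead of yielding garbage.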