[no_more_death]

Right. It's not correct that people will blithely accept an error like "Error: this image failed to load." These people don't think about errors the same way we do. To them all errors are the same and mean there's a catastrophic failure. Developers understand that some errors are minor, but a user faced with an error, where he expects a reassuring "security image," will probably become fearful and bail from that page.

Of course, he might still type in his password even if he decides not to go through and submit the form, in which case his data is still compromised.

[peeters]

Fine, so just omit the area for the image completely. Showing an error in place of the image is obviously a stupid choice over just asking for the password up front, and just omitting it (by pretending there shouldn't be one) will not trigger panic in non-savvy or forgetful users.

[ncallaway]

This makes me wonder how sophisticated phishing setups are. This seems like something that they would want to A/B test to determine which "converts" more "users".