by jlkinsel 4721 days ago
A problem for security geeks is they frequently forget about 2 things: 1) the balance between usability and security, and 2) the risk acceptance/appetite of the person for the security they want/need to use.

The two are intertwined closely. For something that isn't that important, a user isn't going to jump through complex hoops every time they have to log in. What they will end up doing is finding workarounds (Hello Mr. Post-It).

Most folks don't really need complex solutions to reset their email password. What needs to be asked is "What am I protecting, and what is it worth to me?"

Oh, and I'd suggest certificate-based auth is way better than complex passwords.

Daniel's been around for a while (I've loved OSSEC for years) so I suspect this post just wasn't meant to be a complete essay on the topic...