I'm constantly bothered by the techniques used to secure our online accounts.

First - the multiple security questions.

Second - the mandatory length and confusion in our passwords.

These techniques are ridiculous and only hinder usability and adoption.

How about letting users enter a PIN instead of requiring them to answer and set 5 random questions?

Password security: if I want it to be "password", so be it. Give me a warning and let me keep moving. That ALONE has been the reason I opt for not using certain services online.

Why must online security be stricter than real-world applications such as an ATM PIN, with the added benefit of using all alphanumeric chars?

While taking brute-force precautions in the code - why make it harder for users to use/register for your service?
The database containing everybody's PINs <i>will</i> be stolen. Even if you use 8-digit PINs and they are properly hashed, they will get brute-forced rather quickly. Any longer and people will not be able to remember their PINs or will use the same PIN with multiple websites --- exactly the same problems we have with passwords.

(Am I saying that security questions are secure? No.)
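The keyspace arithmetic behind the reply above, as an added example that is not from the thread: it compares how long an offline attacker needs to try every candidate once a hashed credential store has leaked. The guess rates and the policy list are assumptions chosen for illustration, not measurements.

```python
"""Keyspace arithmetic for an offline attack on a leaked credential store.

Guess rates below are order-of-magnitude ASSUMPTIONS for illustration,
not benchmark results; swap in your own measurements.
"""
from dataclasses import dataclass

# Assumed attacker guess rates (hashes/second on one GPU), hypothetical:
FAST_HASH_RATE = 1e9   # a single-iteration hash such as SHA-256
SLOW_KDF_RATE = 1e4    # a tuned password KDF (bcrypt/scrypt/Argon2 class)


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: int  # distinct symbols the user may choose from
    length: int    # fixed credential length

    @property
    def keyspace(self) -> int:
        return self.alphabet ** self.length


def seconds_to_exhaust(policy: Policy, rate: float) -> float:
    """Worst case: every candidate tried once at the given rate."""
    return policy.keyspace / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


POLICIES = (
    Policy("4-digit PIN (ATM)", 10, 4),
    Policy("8-digit PIN", 10, 8),
    Policy("8-char alphanumeric", 62, 8),
    Policy("12-char alphanumeric", 62, 12),
)


def report(rates=(("fast hash", FAST_HASH_RATE), ("slow KDF", SLOW_KDF_RATE))):
    """Return (policy, rate label, time to exhaust) rows for each pairing."""
    return [(p.name, label, human(seconds_to_exhaust(p, r)))
            for p in POLICIES for label, r in rates]


if __name__ == "__main__":
    for name, label, when in report():
        print(f"{name:22} {label:10} {when}")
```

Per-account lockouts only bound the online guess rate; the table is what applies after the database leaks, which is why a slow KDF still leaves an 8-digit PIN exhausted in hours.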