I fully agree with you that in all of the provided examples the end-user is ultimately responsible for their own security. That doesn't mean the websites should not go through a reasonable amount of effort to assist in the process. The issue is with the real world, not the best-case world (where end-users follow best practices). In the real world users do use the same password for multiple sites, and users don't know what the difference is between a secure site and an insecure one. Users don't understand that their e-mail cache is accessible after they walk away from their computer, and they don't realize that the guy sitting next to them could do a lot of harm by reading their password over their shoulder. Because users are not very security conscious, website administrators should be. While it's not their responsibility by any means, it helps retain customers because ultimately, the customer will blame the company (erroneously) when their account is hacked. I worked at a company that had problems with lots of their users getting hacked, and most of the time the users would blame the company, even though they were the ones who downloaded the keylogger trojan or fell for a phishing attack. The company has since started issuing digital OTP tokens to help curb user stupidity. Though the cost of the tokens is offset onto the end-user, the company still had to pay for development time, but in the end the number of support calls decreased and customer satisfaction increased.
Rocky Moore wrote:
I guess it is all a moot point anyway as Chris has already said it is on the schedule to change the emailing of passwords.
Agreed, though I do find the discussion stimulating nonetheless. :)