LukeW August 22nd, 2011 4:15 pm

@Meketrefe go to Facebook. Type someone's name in the search box at the top of the screen. That's illegal in a good number of countries?

@Mike your strike 2 & 3 are valid development points and should be in place. I agree. Strike 1, I disagree that it is any different than a site with search that includes user names. Most sites even have APIs for looking up user names. (Also see my comment above. Nice & AJAXified on Facebook as well.)

@Craig, three comments from Twitter discussion on this topic that are applicable to your points:

in security-related UI, perceptions (and misperceptions) matter even more than in regular UI. lots of fear & misinfo out there. -@jreffell

to be fair security UI concerns are valid because the user perceives them, not because the designer's logic refutes them. -@jaysondb

I'd say that many designs have created artificial/wrong security perceptions. See password field and keylogging. -@lukew

i agree with you both! also see: password rules that make you work hard but don't really add security -@jreffell

@zeldman fair point on people using text-expander utilities. That's a consideration worth looking into. Also, password managers like 1password don't do very well with anything but a standard login box (3rd party sign, search UI (like Bagcheck, Google email login, etc.)).