Ars Technica has an article on a study showing how broken “password reminders” are. Not exactly surprising, but nice to have some figures to back up the argument that reminders are very poor security. Reminders are effectively just another set of passwords for people to forget. I know it has other problems, but the biometric authentication we used in our electronic patient record system still looks streets ahead of most of the other solutions – you can’t forget it, it permits authentication and identification in a single step, and you can do “just in time” authentication so that busy healthcare users don’t have to constantly log in and out.