In recent years, however, we have a special anti-security innovation: Web sites allow you to set a password, but also require that you supply a further secret, which can be used to unlock your password! The unlocking secret is almost never optional, and the instructions generally ask you to choose something very insecure, such as a pet name. Sometimes you can enter a strong secret (by acting against the design of the system) and sometimes there are hard limits preventing you from choosing anything secure. For example there may be a requirement to choose a 4-digit number.
Security experts may be able to point out something I'm missing, but is that not the most air-headed innovation in the history of computer security? As far as I can see it's like buying a lock with the special non-optional feature of having a spare key hidden in a compartment somewhere on the outside of the door. Sometimes you can remove the spare key, sometimes it's fixed there for your convenience with a chain.
Apparently sane web sites, such as the ACM, use this inane feature. In that particular case you are allowed to enter a strong secret. But what is the point? You're either going to remember your password, or you'll store it in a digital keyring, or you won't bother. Re-register, or use your credit card information to erase and reset a paid account.