There's another flaw in the drive thru system... http://www.videosift.com/video/Free-McDonalds-via-Questionab...

Although you make a good point, you missed something: Nobody tries to intentionally break a taco bell drive through simply because they've got nothing better to do.

On the internet, this is common place. The key is not to miss that "hidden cost" while making your trade-offs. Remember reddit's plain text password fiasco? One of those can kill your company, and cost you millions.

Obviously, it needs to be included in the risk vs. cost calculation. The point of the post: Don't assume the risk automatically outweighs any cost.

I want to add that software developers are not building a new type of franchise on a plot of land. Often times, intuition, experimentation, logic, and luck can help discover better alternatives that one wouldn't have found out had they not been "in the game"; e.g., the peculiar idea that pricing something too low can turn users off, and then finding out you have more orders when you increase the price.

You'd be surprised how frequently people forgot both passwords and E-mail. Or more likely, forget the password to an account registered with a fake E-mail.

In our experience, we've rarely run into scenarios where users forget their passwords and have mistyped their email/faked an email after having spent time on their account. If they haven't spent time on an account -- create a new one!

Otherwise, how does someone who fakes their email expect to recover a password anyway? It's kind of an assumed risk that if you fake your email, you won't be able to recover your password. And requiring a confirmation won't help anything -- they'll be forced to re-create another account with a valid email... that is if they even want to use your service anymore. This user apparently hated giving out their email so badly that they put in a fake one... What makes you think they aren't just going to turn around and not use your service when you require a valid email?

> If they haven't spent time on an account -- create a new one!

What if they've put time into the account when they first logged in post-signup and are infuriated at having to re-do the work? Or they picked their favorite username and now it's taken by themselves, so they don't get their cool URL (like myspace.com/username)?

BTW: I think you should add a <label> tags to TOS checkbox on the front page of Weebly :-)

The whole e-mail/password account verification is a hidden cost in itself. Use openid/clickpass!

Really cool post, thanks.