>>
>>The point of forms authentication is to ensure a valid user via username and password (complex as necessary). This give you a more specific idea of who is using your site than captcha, which only ensures a human (probably) user.
>>
>>This is kind of like doing a retinal scan on someone to verify their identity to open a door, but then having them knock 3 times for it to actually open.
>
>The argument that IT guy used is that someone smart can write a script to do multiple tries and figure out one of the users names and passwords. And therefore they will have access to the application. But more importantly he is not that much concerned with access to the application (as it does not really have any critical or financial information) but rather through this password they will have access to some shared drives on other servers. Of course, I have not idea how valid his concern or he is just being too overly cautious.

Ask him how they would get access to shared drives on servers. I'd be curious how that would work.

Is this a national security related app, or banking information? If not, then casual hacking won't get far.

Specify complex passwords (as complex as the client can stand) and you should be fine.

Of course, you could use captcha and highly complex passwords on the site for their users, and make sure users call their IT guys when they hate the site.