In most client-server interactions over the Web, the server requires the client to disclose certain credentials before providing the client with the requested service (server policy). The client, on the other hand, wants to minimize the sensitivity of the set of credentials disclosed (client preference). We present a qualitative preference formalism based on conditional importance networks (CI-nets) for representing and reasoning with client preferences over the relative sensitivity of sets of credentials. The semantics of CI-net preferences is described using a preference graph over the set of credentials for which the preferences are expressed. We develop a model checking-based approach for analyzing the preference graph, efficiently verifying whether one set of credentials is more sensitive than another (dominance testing). Further, we identify the least (minimum) sensitive set of information that may be disclosed by the client to get access to the desired service. We present a technique based on iterative verification and refinement of the preference graph for computing a sequence of credential sets, ensuring that a credential set with higher sensitivity is never returned before one with lower sensitivity. We present a prototype implementation and preliminary simulation results.