Webapps and User Accounts


* If at all possible, don't use user accounts.  No login-password.  We already keep too many of them, on so many sites.

* If user accounts are really necessary, and security is not paramount, try to go with OpenID.  See previous point.

* If OpenID won't cut it, use an email address as login.  Chances are you'll need one from your user anyway, so that removes the redundancy in login info.

* Only if you want a nickname off your user, let them specify a username-password combination.  Make it easy to retrieve lost passwords, because they will lose them.

* Use SSL with a decent algorithm for any connection that sends passwords over the wire; otherwise you might as well drop the user accounts.
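
As an added example (not code from the original post), here is one way to pin down "decent algorithm" for the last point using Python's standard `ssl` module. The TLS 1.2 floor, the cipher string and the `WEAK_MARKERS` deny-list are assumptions chosen for this sketch, and the function names are hypothetical.

```python
import ssl

# Assumption: substrings that mark a suite as too weak to carry passwords.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def make_login_context(certfile=None, keyfile=None):
    """Build a server-side TLS context for endpoints that receive passwords."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange with AEAD ciphers only (applies to TLS 1.2;
    # TLS 1.3 suites are managed separately by OpenSSL and are all AEAD).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_suites(ctx):
    """Return the names of enabled suites that match the deny-list."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def audit(ctx):
    """Summarise a context: (minimum protocol name, list of weak suites)."""
    return ctx.minimum_version.name, weak_suites(ctx)


if __name__ == "__main__":
    floor, weak = audit(make_login_context())
    print("minimum protocol:", floor)
    print("weak suites enabled:", weak or "none")
    for suite in make_login_context().get_ciphers():
        print(" ", suite["protocol"], suite["name"])
```

Pass the certificate and key paths to `make_login_context` and hand the result to whatever server wraps the login socket; `audit` can run in a deployment check so a configuration change that re-enables a weak suite is caught before release.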