Jabberwocky

Webapps and user accounts

January 20th 2009
  • If at all possible, don't use user accounts. No login-password. We already keep too many of them, on so many sites.

  • If user accounts are really necessary, and security is not paramount, try to go with OpenID. See previous point.

  • If OpenID won't cut it, use an email address as login. Chances are you'll need one from your user anyway, so that removes the redundancy in login info.

  • Only if you want a nickname from your user, let them specify a username-password combination. Make it easy to retrieve lost passwords, because they will lose them.

  • Use SSL with a decent algorithm for any connection that sends passwords over the wire; otherwise you might as well drop the user accounts.

IMHO.
