* If at all possible, don't use user accounts. No login-password. We already keep too many of them, on so many sites.
* If user accounts are really necessary, and security is not paramount, try to go with OpenID. See previous point.
* If OpenID won't cut it, use an email address as login. Chances are you'll need one from your user anyway, so that removes the redundancy in login info.
* Only if you want a nickname off your user, let them specify a username-password combination. Make it easy to retrieve lost passwords, because they will lose them.
* Use SSL with a decent algorithm for any connection that sends passwords over the wire, otherwise you might as well drop the user accounts.
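The email-as-login and lost-password points above, as an added example that is not part of the original post: a constructed in-memory account store that normalizes the email address so one mailbox is one account, stores passwords as salted PBKDF2 hashes, and issues single-use, time-limited reset tokens. The class name, the 15-minute token lifetime and the iteration count are assumptions.

```python
import hashlib, hmac, os, secrets, time

class AccountStore:
    """Constructed in-memory store; the email address is the login identifier."""
    def __init__(self, reset_ttl=900):          # assumed 15-minute reset window
        self.users = {}         # normalized email -> (salt, pbkdf2 hash)
        self.reset_tokens = {}  # token -> (normalized email, expiry timestamp)
        self.reset_ttl = reset_ttl

    @staticmethod
    def normalize(email):
        # Trim and lowercase so "Alice@Example.com " and "alice@example.com" are one account
        e = email.strip().lower()
        if e.count("@") != 1 or e.startswith("@") or e.endswith("@"):
            raise ValueError("not an email address")
        return e

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # assumed cost

    def register(self, email, password):
        e = self.normalize(email)
        if e in self.users:
            return False                        # duplicate after normalization
        salt = os.urandom(16)
        self.users[e] = (salt, self._hash(password, salt))
        return True

    def login(self, email, password):
        try:
            e = self.normalize(email)
        except ValueError:
            return False
        rec = self.users.get(e)
        if rec is None:
            self._hash(password, b"\0" * 16)    # unknown user costs the same as a wrong password
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def start_reset(self, email, now=None):
        # Returns a token to be mailed to the address; the caller should answer the same
        # way whether or not the address is registered, so None is not shown to the user.
        now = time.time() if now is None else now
        try:
            e = self.normalize(email)
        except ValueError:
            return None
        if e not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (e, now + self.reset_ttl)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(token, None)   # single use: consumed even if expired
        if entry is None or now > entry[1]:
            return False
        salt = os.urandom(16)
        self.users[entry[0]] = (salt, self._hash(new_password, salt))
        return True
```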