I am sick and tired of the shoddy programming practices most companies still have in place today with their websites.
I can understand the desire to not provide certain types of downloads to users unless they have an account that can be tracked, especially (yes, Parallels, I’m looking right at you!) when they distribute updates as a completely new installer instead of an updater or service pack. I can understand why they justify the need to use a completely separate account management system instead of one of the many standards that are available, such as Windows Live (formerly known as Passport). I cannot understand, then, why they spend the development (and, one would hope, testing) effort to write a sloppy, poor authentication system that makes assumptions about the habits of the users. If you’re going to spend that internal time and effort poorly, just pay the fee to Microsoft for Windows Live already and at least give your users one fewer set of credentials to remember!
I use passphrases everywhere I can these days, even for “throwaway” accounts on websites. I know the arguments for weaker security on them and agree with them as a personal choice for the user; the website should not be free to make the same assumptions. I’m tired of getting error messages because I’ve entered “too many characters” (turned out that 12 was too many for that particular website) or dared to use symbols instead of just numbers and letters. How dare I try to keep myself in the habit of using cryptographically strong (and easy to remember) passphrases everywhere!
These may seem like little things, but if developers aren’t even getting these usability issues right because they favor “decreased complexity” (what, properly handling symbols in a text string is too hard to figure out how to do properly?), what assurance do we, the consumer, have of them getting bigger security issues right?
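To make the point concrete, here is an added example (not code from the original post, and not from any of the sites it complains about) that puts the two policies side by side: a `weak_validate` function modelled on the "12 characters max, letters and digits only" rules described above, and a `safe_validate` plus `hash_password`/`verify_password` pair showing that accepting long passphrases with spaces and symbols costs nothing once the password is normalized and run through a salted key-derivation function instead of being stored or compared as a raw string. All function names and the policy limits are assumptions made for the example.

```python
import hashlib
import secrets
import unicodedata

# Hypothetical policy limits for this example (not taken from any real site).
WEAK_MAX_LEN = 12      # the kind of arbitrary cap the post ran into
MIN_LEN = 8
SAFE_MAX_LEN = 1024    # generous bound whose only purpose is to cap KDF cost
PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def weak_validate(password: str):
    """The broken policy: rejects long passphrases and any symbol."""
    if len(password) > WEAK_MAX_LEN:
        return False, "too many characters"
    if not password.isalnum():
        return False, "only letters and numbers allowed"
    return True, "ok"


def safe_validate(password: str):
    """Accept any printable Unicode (spaces and symbols included).

    Only a minimum length and a large maximum are enforced; the maximum
    exists so a multi-megabyte input cannot tie up the KDF, not to limit
    what a user may choose.
    """
    if len(password) < MIN_LEN:
        return False, "too short"
    if len(password) > SAFE_MAX_LEN:
        return False, "too long"
    if not all(ch.isprintable() for ch in password):
        return False, "control characters not allowed"
    return True, "ok"


def _normalize(password: str) -> bytes:
    # NFC normalization so the same passphrase typed on different platforms
    # (precomposed vs. decomposed accents) derives the same key.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; never store the password itself.

    scrypt or Argon2id would be preferable where available; PBKDF2 is used
    here because it ships with every CPython build.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password), bytes.fromhex(salt_hex),
        int(iterations), dklen=32,
    )
    return secrets.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample passphrase in the style the post advocates.
    phrase = "correct horse battery staple!"
    print("weak policy:", weak_validate(phrase))
    print("safe policy:", safe_validate(phrase))
    record = hash_password(phrase)
    print("stored:", record)
    print("verify ok:", verify_password(phrase, record))
    print("verify wrong:", verify_password("wrong passphrase", record))
```

The `weak_validate` function is exactly as short as `safe_validate`, which is the point: rejecting symbols and long inputs is not a simplification, it is a different (and worse) policy with the same amount of code. Length is measured after normalization only for hashing; the validator counts user-visible characters so a 12-character accented passphrase is not rejected for being "too long" in bytes.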