NewInstance

Registration/Login is the #1 usability problem on websites.
I hate security paranoia when it is not needed (ok, I can understand a bank…)

My suggestions to avoid boring the people using our software:

1. Let the user choose the preferred password. Don’t assign it your own (especially with random chars!!!). User will forget it and abandon the damn website. If your ego wants you to write a very cool password generator, provide it as an option in alternative to pick their own, for the eternal undecided. Mailing the password (choosen by you) is boring enough to let the user go away, at least the time to check the email… and it may be too late.
2. Don’t require the user to change the password on first login.
3. Implement a good and safe “remember me” feature.
4. Don’t impose restriction rules on user passwords: don’t ask for special chars, don’t require a minimum lenght, don’t mandate periodical password changes, don’t memorize the password history to prevent password repetitions. User will use password like “a1111111$” and periodically change it to “a2222222$”, or attach a post-it on the monitor, just to be able to remind it: you think that is more secure? Just warn that short password=low security, or provide a measure to tell the user how strong is his chosen password.
5. When the user writes wrong user name or password, don’t say “the password is wrong” and “username not registered” or more idiocy: implement a mastermind if you like video games leaving your job to a smart guy, and don’t help crackers to guess.
6. Don’t lock the account when the user is logged in. This is also known as “single session per user”. It’ just insanity.
7. Don’t require the user to remember the email with which he subscribed. Allow the user to retrieve the password by user name, email address, or just his name, and send it by mail. Remember the CAPTCHA, to avoid mailbox flooding.
8. The “secret question” test to permit the user to recover a “lost password” situation is good option, but may be risky because the answer can be guessed: use smart questions. Example: not the birth date that could be on user skype profile; nor the car number plate that is publicly visible. Allow the user to write his secret question. You can allow the user to access the website and change the password without using emails (sometime people changes/abandon mailboxes): when the user correctly responds to a “secret question” test, don’t send him any email: let him log in without the password, and give him the chance to change it.
9. Don’t require the user to register. If possible, offer a “guest experience”, and suggest the user to subscribe only when he feels it worths the pain or if your application need to store information specific to the user. An option could be to create a temporary guest account when a new user visit the site, warning the user that guest accounts are periodically cleaned up and he risks to loose the work done. On cleaning up, remove before the guests that don’t login after much time and keep the others.
10. To protect against password guessers I would lock the account after a certain number (enough high) of tries. When the lock happens automatically send the mail to the account owner with the “password reset link” and the “user unlock” link. This feature may be configurable: user may not like this.
11. Displaying the “last login” information to the user can help the user to detect if someone not authorized is using his account.

Of course those suggestions are not valid for websites that require a strong security, but they can provide enough security for 99% of the site we daily use.
Let the users be responsible of their security, and if they choose a stupid password, worse for them! Against stupidity the gods themselves struggle in vain.