My Second Official Contribution to the ISO
This one is short and easy:
Online services should never display, divulge, or in any other way expose your login and password information in any form.
That is, when I have set up an account with wonky.com and I have finished the process, I do not need a reminder screen to pop up and let me know the crucial details of my account setup, such as: "Thanks, dummy. Your login and password are: ... in case you've already forgotten."
I also do not need that information e-mailed to me.
Or printed out and sent along with any receipt or paperwork I might receive.
And my login name should not be the account name which is displayed when someone looks at my profile.
How do these ideas seem OK at any point?
It's shortsightedness on the part of the giver of the account. "We'll let them have their own account, they'll love it!" Well, maybe. With the prevalence of this kind of thinking comes the opportunity to have an account for just about every site you might go to regularly.
Which increases the chance that someone might re-use their account name and/or password...
...and coupled with the likelihood that some moronic system is going to e-mail your password to you or show it on the screen so someone can shoulder-surf you, this just makes life that much more enjoyable.
End of transmission.