Setting up secure and reliable logins to accounts is the 101 of e-commerce. People are lazy: learning a 4 digit PIN is "too hard", yet we are quite happy to remember a 9 digit phone number. If you are protecting an email or blog account, or a book-buying service that only ever delivers to one address, user-selected names and passwords are kind of OK. But where real money is involved I want to be far more confident that it is only me who can get in. Look around and you will see that a lot of authentication mechanisms are flawed.
(1) Users make their own user names and passwords. We know they are lazy, so I bet they use the same username and password for most of the accounts they set up.
COUNTER: Pick a password made of two fixed elements with a varying letter in between, e.g. fredXblogs! for blogs or fredAblogs! for Amazon. Alternatively use a mutating password system, such as asking for N letters out of a long word, or a token like SecurID http://www.rsa.com/node.aspx?id=1159
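The per-site variation suggested above can be taken further: instead of a single varying letter, derive each site's password from one master secret and the site name with a keyed hash, so that no single password reveals the pattern behind the others. The example below is added here to illustrate that; it is not code from the post. It assumes a master secret held only by the user (a constructed value in the test) and a hypothetical `derived_password` helper; `shared_characters` simply counts positions where two passwords coincide, which shows how much of the "varying letter" scheme is common to every site.

```python
import base64
import hashlib
import hmac


def pattern_password(base: str, site_letter: str, suffix: str = "blogs!") -> str:
    """The post's scheme: two fixed parts with one varying letter between them."""
    return f"{base}{site_letter}{suffix}"


def derived_password(master_secret: bytes, site: str, length: int = 16) -> str:
    """Per-site password from HMAC-SHA256(master_secret, site name).

    Hypothetical helper for illustration: every site gets a distinct value,
    and none of them reveals the master secret or any other site's password.
    The site name is lower-cased so 'Amazon' and 'amazon' give the same result.
    """
    digest = hmac.new(master_secret, site.lower().encode(), hashlib.sha256).digest()
    # base64 keeps letters, digits and two symbols; truncate to the wanted length
    return base64.b64encode(digest).decode()[:length]


def shared_characters(a: str, b: str) -> int:
    """Count positions where both passwords hold the same character."""
    return sum(1 for x, y in zip(a, b) if x == y)


if __name__ == "__main__":
    # Constructed values, not anyone's real secret.
    master = b"example-master-secret"
    blog = pattern_password("fred", "X")
    amazon = pattern_password("fred", "A")
    print(blog, amazon, "share", shared_characters(blog, amazon), "of", len(blog), "characters")
    d_blog = derived_password(master, "blogs")
    d_amazon = derived_password(master, "amazon")
    print(d_blog, d_amazon, "share", shared_characters(d_blog, d_amazon), "characters")
```

Run as a script it prints the two pattern passwords side by side with ten of their eleven characters in common, then two derived passwords that have no structural relationship to each other.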
Being a pragmatist I know that the level of authentication has to match the value of the assets protected. No one needs passwords of tens of random characters that change every 90 days just to get through the day, but you do have to watch the implementation details to get the security you think you have.