A lot of high profile breaches that have occurred exploited backend issues, but there have been plenty of high profile incidents that all came down to the attacker guessing the user's password or tricking them into giving it up. So as a security conscious user of several web services I like to make sure I at least do what I can to operate as securely as possible.

The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it. - Robert Morris

Sometimes though many web apps are actually discouraging best practices for safe operation.

2 Factor Authentication

It is a little selfish to complain about this when there are plenty of services that don't even offer 2 Factor Authentication. But please just implement TOTP as per RFC 6238 so I only need one app to work with this. There are open source apps available for Android, iOS, Blackberry, Windows Mobile and everything else.

Password Requirements

Most sites have decent minimum requirements for passwords. A bigger area of concern is reusing the same password and account information everywhere.

XKCD Password Reuse

Comic Credit: XKCD

To avoid password reuse, I use a password manager so I can use a unique password for every site and also that means I am going to generate random long passwords.

There is no need to limit this to 10 or 14 characters. In terms of today's storage this is a minimal amount of space, for example VARCHAR in MySQL: L + 1 bytes if column values require 0 − 255 bytes, L + 2 bytes if values may require more than 255 bytes.

Second, if you need to block entry of characters please disclose this information along with any other requirements. The only thing worse than forcing the user to repeatedly guess why they can't use a password is to just drop all input over the character limit without notification leaving the user to guess why their new password won't allow them to login.

Once you do have the users information, make sure that the appropriate precautions are taken to ensure that it is hashed and salted. Nothing is completely secure so at least make sure my information isn't easily decrypted.

2015's list of Most Popular Passwords still include "password" and "123456", and getting people to place security ahead of convenience is already an overwhelmingly uphill battle, don't make it harder than it needs to be.