My biggest gripe is those sites that insist upon you creating a username that isn't your email address, and then insist upon restrictive rules on your password creation.
The net result is that I either have forgotten the username or the password given that I can't have one that fits all the minor quirks of the local DBA/webgeek. Don't they understand that, barring a dictionary attack, the ability for me to remember an average password off by heart is infinitely safer than having a list of the difficult passwords written down somewhere.