Please don't do any of these things on your web sites:
- Ask me to enter my email address twice.
- Tell me what characters I can and can't use in my password.
- Time out my sessions for my own protection.
- Make me change my password every so often.
- Make every field in your form *required.
- Make it impossible for me to change my email address.
- Insist that I provide you with a security question and answer.
I know how to type my email address and I know more about how to create a secure password than you do, and I do not forget my passwords. You have meetings where you talk about "reducing friction" for people to join your sites. You create friction every time I log in, not just when I sign up.
If you are a bank, and your page times out after 5 minutes and I have to log in AGAIN, inside my highly secure physical location with no possible access to my computer by anyone but me ... are you protecting me, or irritating me?