September 05, 2009

I think financial organization web sites are often the most annoying on the web. They are often slow and have extremely poor usability.

One thing which amuses me a lot is the user name and password policies. Some would allow basically any user name, such as an email address, which is what I prefer to use as it is easy to remember and there is no chance of somebody using the same name; others would not allow any special symbols at all. Wachovia (Auto Loans Site) amuses me the most: the login name has to be 7-9 characters long and contain at least one digit. Exactly the same rules apply to the password.

Both the narrow length range and the digit requirement make it tricky to pick a user name you can remember, which causes you to write it down or let the browser memorize it. That only reduces security and increases the load on the password recovery tool. I would suggest allowing most characters in the user name (enough for email addresses to work), with a low minimum length and a generous upper limit. 3-20 characters is a good limit.

For the password you may want more restrictions, requiring a strong password, but allow a generous length too. 6-20 or 8-20 characters can be a good range. In reality you can allow an even wider range: for secure systems you would normally store a hash of the password rather than the password itself, which means a password of any length requires the same amount of storage.
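To make the two points concrete, here is a small validator and password-storage routine written for this post as an added example (it is not code from the post or from any bank's site). It applies the user name rule suggested above (3-20 characters, email-friendly character set), a password rule with a minimum of 8 characters, and an assumed upper limit of 128 characters for the password, which costs nothing because only a fixed-size salted PBKDF2 digest is stored, so a 9-character and a 120-character password occupy exactly the same space in the database. The iteration count and the exact allowed punctuation are assumptions, not values from the post.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Length policy: user name bounds from the post, password minimum of 8 as
# suggested, and an assumed "generous" ceiling of 128 for the password.
USERNAME_MIN, USERNAME_MAX = 3, 20
PASSWORD_MIN, PASSWORD_MAX = 8, 128

# Letters, digits and the punctuation that appears in e-mail addresses
# (assumed character set; wide enough for "first.last+tag@example.com").
_USERNAME_RE = re.compile(r"[A-Za-z0-9._%+\-@]+")

# PBKDF2 work factor (assumed value; tune to your hardware).
DEFAULT_ITERATIONS = 200_000


def validate_username(name: str) -> List[str]:
    """Return a list of policy violations; an empty list means the name is acceptable."""
    problems = []
    if not USERNAME_MIN <= len(name) <= USERNAME_MAX:
        problems.append(f"length must be {USERNAME_MIN}-{USERNAME_MAX} characters")
    if not _USERNAME_RE.fullmatch(name):
        problems.append("only letters, digits and . _ % + - @ are allowed")
    return problems


def validate_password(pw: str) -> List[str]:
    """Strength rules: length range plus at least one letter and one digit."""
    problems = []
    if not PASSWORD_MIN <= len(pw) <= PASSWORD_MAX:
        problems.append(f"length must be {PASSWORD_MIN}-{PASSWORD_MAX} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("must contain a letter")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain a digit")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Derive a fixed-size 32-byte PBKDF2-HMAC-SHA256 digest.

    Returns (salt, digest). The digest length does not depend on len(pw),
    which is why the storage cost is the same for any password length.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(pw, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for name in ("user@example.com", "ab", "bad name"):
        print(f"user name {name!r}: {validate_username(name) or 'ok'}")
    short_pw, long_pw = "correct1horse", "a1" * 60
    for pw in (short_pw, long_pw):
        salt, digest = hash_password(pw)
        print(f"{len(pw):3d}-char password -> {len(digest)}-byte digest, "
              f"verify={verify_password(pw, salt, digest)}")
```

The check worth noticing is the last loop: a 13-character and a 120-character password both produce a 32-byte digest, so a tight upper limit on password length buys the site nothing except weaker passwords. The user name validator rejects the 7-9 style range by construction; the password validator keeps the "at least one digit" idea but applies it to a range wide enough to be memorable.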

