I'm coming round to the view that services should avoid implementing their own username and password system. It's easy to screw up (cf crypto) such that a DB compromise leaks users' passwords for other sites.
It's also more convenient for users, who don't need a pw manager.