Ah, but we're discussing a specific domain, security, where I think "the user is always right" is often wrong. Requiring a user to memorize 10+ essentially random characters, for example, is an awful user experience, but it is required for security purposes.
Personally, I prefer keys (long, randomly-generated passwords stored in a file or device) to passwords, but I don't know of any reasonable way to authenticate to a webapp with a key.
