I think the threat vector of man-in-the-middle userid harvesting is not being strongly considered in the "long user id" suggestion.
Taking the perspective of a man-in-the-middle (malware, reverse proxies, etc.) where one is able to gain access to the HTTP/S traffic flow or say, the browser cookies supporting the "remember my user id?" functionality or native browser userid forms remembering, the threat of gathering that long userid increases. Matching that increase against the proposed decrease in password entropy, I think a case can be made that this long user id approach has significant weaknesses as well.
All this builds the case for multi-factor authentication (which I would venture to say hasn't fully matured in its technical implementation yet, but advancements are being made).
I'm starting a series of blog entries with SSO and then building into multi-factor authentication here if anyone is interested in this topic: http://bit.ly/bXJmjW

































