Long User ID counter-indications
Quote: "Taking the perspective if a man-in-the-middle (malware, reverse proxies, etc.) where one is able to gain access to the HTTP/S traffic flow or say, the browser cookies supporting the "remember my user id?" functionality or native browser userid forms remembering, the threat of gathering that long userid increases. .... "
Gaining access to TCP/IP packets that are encrypted, as they are with SSL/TLS, is not likely to benefit an intruder. Nearly all of the web sites that I frequent use TLS for pages on which a log-in dialog is presented, even if most or all of the other pages on the site are not encrypted. I have heard, though, that under various circumstances, a MITM attack upon SSL/TLS is possible, and countermeasures were being developed, whether they have been deployed yet.
Also, in my observation, when a cookie contains a user-ID or other sensitive data, then it is apparently encrypted. The content of a cookie is supposed to be ASCII characters, but the string can simply be a series of bits which the browser will display as a string of ASCII characters. I've never had a user ID like A^&70x-2@+! but I don't allow web sites to use that kind of cookie anyway.
FWIW, I've adopted LastPass to manage passwords. The LastPass developer claims that their software can import the passwords from any of a long list of browsers and other password managers, because those programs do not encrypt their password data files. So far, I have never retained form data, but I might use LastPass to do that, too.
Of course, no one can guarantee that any data is secure from unauthorized access, change, or erasure, while the computer system and/or network(s) that it uses are currently compromised by malware or by a real-time hacker(s). That is always a risk that we take. As seanferd has already pointed-out, many web site pages on which log-in dialogs are presented are vulnerable to exploits that allow an intruder to bypass the log-in dialog and gain access to servers that host the web site.
