The library I work for actually does this. Their last name is their password and their barcode is their username -- yet we display forms the other way around to make their account look more secure (cuz a last name is obviously not a secure password).
People cannot change their password. Whatever the system has for your last name is your password. This is common in libraries because a) your barcode is assumed to be mildy private and b) online access to your account doesn't give you access to physical objects (even if you request something, we require barcodes and picture ID to circulate the item) thus mitigating any financial losses to the user.
This does raise concern regarding unauthorized access to licensed content. If you google for EZProxy logins you can find dozens of lists of accounts to Universities. My experience is that libraries rely on publishers to ulinately report abuse though at which point we suspend the barcode and issue a new one to the legitimate user.
It's stupid, but works.