...
- A solid password policy
- Passwords are stored only as hashes produced by an approved password hashing algorithm, using a random, per-user salt (never in plaintext or as an unsalted fast hash)
- Login credentials must only be sent over encrypted channels (TLS)
- Anti-automation and brute-force mitigations (rate limiting, account lockout, CAPTCHA) must protect the authentication function against automated attacks
- Forgotten-password and password-recovery mechanisms must follow OWASP recommendations.
The OWASP Authentication Cheat Sheet covers each of these topics in more detail.
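The two requirements that are easiest to get wrong in code are salted password storage and brute-force lockout. The following is an added example written for this page (it is not code from the original article or from OWASP): a small user store that hashes passwords with PBKDF2-HMAC-SHA256 and a fresh 16-byte salt per user, verifies them in constant time, and locks an account after repeated failures. The `AuthStore` class, the iteration count, the lockout thresholds and the record format are assumptions chosen for the example; check the current OWASP Password Storage Cheat Sheet for the work factor it recommends today.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work-factor and lockout settings are assumptions chosen for this example.
# 600,000 PBKDF2-HMAC-SHA256 iterations is the figure in OWASP's Password
# Storage Cheat Sheet at the time of writing; check the current version.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_FAILURES = 5          # failed logins before the account is locked
LOCKOUT_SECONDS = 900     # how long the lock lasts


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with a fresh per-user random salt. The algorithm and work factor are
    stored next to the hash so the record can be upgraded later."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor and compare in
    constant time, so the comparison itself leaks nothing about the hash."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AuthStore:
    """In-memory user store with per-account lockout (hypothetical helper)."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS, clock=time.monotonic):
        self._iterations = iterations
        self._clock = clock            # injectable so lockout expiry can be tested
        self._users = {}               # username -> password record
        self._failures = {}            # username -> (failed_count, locked_until)
        # Record used for unknown usernames: verification still costs a full
        # hash, so response time does not reveal whether the username exists.
        self._dummy = hash_password(os.urandom(16).hex(), iterations=iterations)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password, iterations=self._iterations)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"            # do not even check the password while locked
        if locked_until and now >= locked_until:
            count = 0                  # lock expired: start a fresh failure window
        record = self._users.get(username, self._dummy)
        ok = verify_password(password, record) and username in self._users
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "wrong"))
    print(store.login("alice", "correct horse battery staple"))
```

Two points worth noting. Because the salt is random per user, two accounts with the same password produce different records, so a leaked table cannot be attacked with one precomputed lookup. And a pure per-account lockout lets an attacker deliberately lock a victim out by sending bad passwords, which is why OWASP pairs it with per-source throttling and CAPTCHA rather than relying on lockout alone.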
...