TL;DR

• Do assume eventual compromise of your password database (this means prepare for the worst)
• Do encrypt website traffic with TLS
• Do keep your servers up-to-date (especially security critical software like OpenSSL)
• Do hash passwords with Argon2, Scrypt, Bcrypt or PBKDF2 and set an appropriate high work factor (bcrypt: cost >=11).
• Do enforce passwords to a minimum of 8 characters (generally longer passwords are better, I prefer larger than 12)
• Do rate limit authentication attempts and block repeated bad actors.
• Do blacklist top used passwords (123456) / common password masks (?u?l?l?l?l?d?d) / keyboard patterns (qwerty)
• Do block passwords that where in previous data breaches
• Do offer Multi-factor Authentication (Avoid the use of SMS, more examples: reddit)
• Do allow users to delete their accounts
• Do not enforce a limited character set (allow all ASCII and Unicode characters, yes you should allow emoji as part of a password👌)
• Do not enforce a maximum password length (if you need to have it, set it a reasonable high number. OWASP suggests 160 and NIST up to 64 characters)
• Do not enforce the rotation of passwords
• Do not block form auto-fill or pasting in the password field. Doing so unnecessarily restricts the recommended use of a password manager.

Another option is passwordless

Resources

• OWASP: Password Storage Cheat Sheet
• NIST.gov Password Guidelines
• Coding Horror Blog - Password Rules Are Bullshit
• Cloudflare - How Developers got Password Security so Wrong
• Google GCP - 12 best practices for user account, authorization and password management
• Good Example Implementations
• Presentation: Your Password Complexity Requirements are Worthless - OWASP AppSecUSA 2014 - [slides]
• Top 500 passwords - 2008
• OWASP: Brute force attack
• OWASP: Forgot Password Cheat Sheet
• Scott Helme: Disclosing password storage policies on report-uri.io
• Passwords unmasked
• PlainTextOffenders dev/FAQ
• GRC haystack: Brute Force Password “Search Space” Calculator
• Dropbox: JS Password strength meter - zxcvbn
• Kaspersky: JS Password strength meter
• JS topology test based KoreLogic’s PathWell Password Data
• Dropbox blog: How Dropbox securely stores your passwords

Example of what not to do

Hash speed

1 kH/s is 1,000 (one thousand) hashes per second.
1 MH/s is 1,000,000 (one million) hashes per second.
1 GH/s is 1,000,000,000 (one billion) hashes per second.
1 TH/s is 1,000,000,000,000 (one trillion) hashes per second.
1 PH/s is 1,000,000,000,000,000 (one quadrillion) hashes per second.
1 EH/s is 1,000,000,000,000,000,000 (one quintillion) hashes per second.
Source: https://bitcoin.stackexchange.com/questions/9219/what-is-the-difference-between-kh-s-mh-s-and-gh-s#9220

My 2012 laptop can hash 284.6 Million MD5 hashes per second (284.6 MH/s).

Now the guys that hash passwords for a living:

In case you were wondering what 300 kg of @NVIDIAGeForce GPUs looks like. I love this job :) pic.twitter.com/EgPK2o00a3

— Jeremi M Gosney (@jmgosney) March 1, 2017

@vortexau @NVIDIAGeForce should be ~ 7 TH/s NTLM, 4 TH/s MD5

— Jeremi M Gosney (@jmgosney) March 2, 2017

That is 4 Trillion MD5 hashes per second. Let’s see how long it would take to retrieve passwords hashed with MD5 using brute-force:

Try it yourself at: https://www.grc.com/haystack.htm

Now most password cracking is not done with brute-force. It is done with password lists, mutations on the lists, rainbow tables and password masks. This reduces the time to guess the correct password considerably.

Tr0ub4dour&3, password, P4ssW0rd, P4$$W@rd, P4$$W@rd10 and passwordqwerty, would all take less than a second with the same set-up. But FN*vX5t8=o and guxpzsvhzpizgz are completely random so it would still take about half a year with brute-force.

Try it yourself with zxcvbn