You should also, if possible, do the login page under https. That way the password and user are never sent unencrypted; mailing passwords is also not the best idea (though a very user friendly one) so you might make passwords that have been mailed temporary, user must update on the site. Can also make sure users enter "real" passwords (minimum of 8 chars; and for the serious security run it against cracking code/dictionary to improve its unguessability -- alternatively, you could lock users out who guess wrong 10 times). Anyway, the links bibo gave are a good place to start. A truly secure site has a lot of angles.