
Not mentioned:

Password reuse across sites. Have some check as to whether the same password can be used for the same username / email across other sites. I discovered this one early; back in 2000 I was an admin for a student portal at uni created by Virgin. As an admin I could manage people's accounts, including resetting their passwords. The field for me to change their password had their current password; it was hidden by asterisks so I couldn't see it... until I clicked view source on the site :/. So now I had everyone's passwords & their email addresses; my guess is I could have taken advantage of this for at least 80% of those accounts.

Password change frequency. Changing your password can be annoying; but there is some benefit (so long as you're not changing too often).

Password reset rules. If you click "forgot password", many sites still use the memorable question, with questions whose answers are often publicly available (e.g. to get someone's mother's maiden name, this information's on the public record, and can often be found through someone's social media too by looking through their contacts, then the contacts of those sharing their surname; as their mother's maiden name will match their uncle's surname, and most people with their surname will be friends with both their mother and their uncle). Emailing a reset link is great; but relies on email which isn't (and some people's mail's very insecure; e.g. company mail can often be legitimately viewed by the company's IT team; and that's the non-hacky scenario).
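The comment above prefers an emailed reset link over memorable questions, but notes that the mailbox itself may be readable by others. The usual mitigation is to make the link worth as little as possible if it is seen: a high-entropy token that is stored only as a hash, expires quickly, and can be redeemed once. The following is an added example (not code from the original post or from any site it mentions); the class and function names, the 15-minute lifetime and the in-memory store are all assumptions standing in for a real application's database.

```python
import hashlib
import secrets
import time

# Assumption: a short lifetime limits the window in which a leaked link is useful.
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a copy of the store alone cannot be replayed
    # as a valid reset link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Hypothetical issue/redeem store for emailed password-reset links."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested offline
        self._tokens = {}          # token_hash -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG; the raw value goes only into the email link.
        token = secrets.token_urlsafe(32)
        self._tokens[_hash_token(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id for a valid, unexpired token, else None.

        pop() makes the token single-use: a second click on the same link fails,
        and so does a link that someone else reads and tries after the user.
        """
        entry = self._tokens.pop(_hash_token(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")          # would be placed in the emailed URL
    print("first redeem:", store.redeem(link_token))   # alice
    print("second redeem:", store.redeem(link_token))  # None (already used)
```

The clock is injected so the expiry path can be exercised without sleeping; in production the default `time.time` is used and the store would live in the database, keyed by the token hash.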



Regular forced changes of passwords are generally a net negative for security.

There's nothing wrong with changing if you think it's been breached or just 'cause you feel like it, but a system forcing change every 90 days is likely to be a bad idea.

This is due to the fact that when most user groups are forced into periodic change they will stick an enumerator at the end (e.g. password1, password2, etc.), which ruins any benefit you might have got from it.

That's why we've (finally) started to see good official guidelines saying forced password rotation is a bad idea (e.g. https://www.ncsc.gov.uk/guidance/password-guidance-simplifyi... and https://nakedsecurity.sophos.com/2016/08/18/nists-new-passwo... )
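Where a system still forces rotation, the failure mode described above (password1, password2, ...) can at least be caught at change time, because both the old and the new password are available in plaintext at that moment. The following is an added example (not code from the original comments or from the NCSC/NIST guidance they link) of such a check; the function name, the trailing-counter rule and the similarity threshold are assumptions. It goes slightly beyond the comment by also rejecting near-copies that differ in more than a counter, which is the same idea generalised.

```python
import difflib
import re

# Strip any trailing run of digits or punctuation: "password1" -> "password",
# "Winter2020!" -> "Winter". Assumption: a change that only touches this tail
# is the enumerator pattern the comment describes.
_TRAILING_NON_LETTERS = re.compile(r"[^A-Za-z]+$")

# Assumption: similarity above this ratio (difflib, 0..1) is treated as "same
# password with a small edit".
_MAX_SIMILARITY = 0.7


def _stem(password: str) -> str:
    return _TRAILING_NON_LETTERS.sub("", password).lower()


def check_rotation(old_password: str, new_password: str):
    """Return (rejected, reason) for a proposed password change.

    Hypothetical policy hook: call it after the user has proven knowledge of
    old_password and before the new one is hashed and stored.
    """
    if new_password == old_password:
        return True, "new password is identical to the old one"

    if _stem(new_password) == _stem(old_password):
        return True, "new password only changes a trailing counter or symbol"

    ratio = difflib.SequenceMatcher(None, old_password.lower(), new_password.lower()).ratio()
    if ratio > _MAX_SIMILARITY:
        return True, f"new password is too similar to the old one (similarity {ratio:.2f})"

    return False, "ok"


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("password1", "password2"),
                     ("Winter2020", "Winter2021!"),
                     ("Summertime!", "Summertine!"),
                     ("hunter2", "correct horse battery")]:
        rejected, reason = check_rotation(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if rejected else 'accept'} ({reason})")
```

Because the check needs the old password in plaintext, it can only run during a user-initiated change, never retroactively against stored hashes; that is also why it does nothing to improve a policy that forces the rotation in the first place.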



