Password enforcing rules
Not all users know about threats in security space. It is important for companies to enforce password rules to take care of user’s account not being compromised by attacks such as brute force dictionary based attack. Providing the rule like, at least 1 capital letter, 1 lower case letter, 1 special character and totally 10 minimum characters would safeguard them better.
Case sensitive versus case-insensitive passwords
Usernames may be case insensitive while passwords are not recommended to be case-insensitive. It is just like this, a person who is opening the door can change his appearance however; key to open the lock need to be same and should not be changed with respect to the keys teeth. Case-insensitive passwords are highly vulnerable compared to case-sensitive passwords.
CAPTCHA to avoid brute force
Most of the hackers love to see login form without CAPTCHA as it is easy to do automated password requests using software to crack the password. Account lockout policy or CAPTCHA is efficient way of securing your users account from being compromised.
Make sure you transmit password under SSL
HTTPS / SSL makes your password to not be seen as plain text by sniffing by malicious hackers who can steal the password and username which flows over the wire once the login form is submitted.
No maximum length restriction
Good to have a minimum length validation however, maximum length restriction should not be set anywhere less than 50 characters. It is seen some companies restrict it to 16 even though some users wanted to set more than it using a pass-phrase to have comfort feeling.
Change Password need to ask for Old / Current Password
Many web applications tend to not ask for old / current password while setting new one. Considering security, it is important to enter current password and then new ones to validate if the user is genuine owner.
Forgot Password Link Expiry
Important to expire the link after one use is a standard to avoid re-use of it by malicious hacker. Also, irrespective of whether the link is used or not, expire it after 24 / 48 / 72 hours based on business context. Last, but not least; check if the token value in the URL is at least 64 characters to avoid brute force. OWASP standards for forgot password is great source of information.
There are more tests that you could do with password feature. This is a kick-start for those who want some quick test ideas to test password feature.