Foolish user behaviour allowed by poor auth. support
Anything requiring a password should show a password strength indicator and, where feasible, reject any dictionary or other easy-to-attack passwords.
It would be helpful if there were scoring matrices of multiple OSS and commercial authentication web services and authentication libraries for common server-side web frameworks, to make this easy to get right, including password strength checking, but I can't find any so far. The lack of these lists is crazy, because roll-your-own user auth is so very easy to make insecure and hard to fix later, even if you /really/ know enough cryptography.
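As an added illustration of the dictionary-rejection plus strength-indicator check the post asks for (example code, not from the poster or any library they mention), the snippet below normalizes leet-speak and trailing digits before the dictionary lookup, then estimates a strength score; the tiny word list and substitution table are constructed assumptions, a real deployment would load a large breached-password list.

```python
import math
import re

# Constructed sample dictionary; a real check loads a large breached/common list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Substitutions that cracking wordlist rules already apply, so "P@ssw0rd1!"
# must be treated as the dictionary word "password", not as a strong value.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "4": "a", "5": "s", "7": "t"})

STRENGTH_LABELS = ["very weak", "weak", "fair", "strong", "very strong"]


def normalize(pw):
    """Lowercase, strip trailing digits/punctuation, undo leet substitutions."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def charset_size(pw):
    """Size of the alphabet an attacker must cover for a brute-force search."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33
    return size


def estimated_bits(pw):
    """Naive entropy estimate: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def evaluate(pw):
    """Return (accepted, score 0-4, reason) for a strength meter and a reject rule."""
    if len(pw) < 8:
        return (False, 0, "too short")
    if normalize(pw) in COMMON_PASSWORDS:
        return (False, 0, "common dictionary password (after normalization)")
    if len(set(pw)) <= 2:
        return (False, 0, "repeated characters")
    bits = estimated_bits(pw)
    score = min(4, int(bits // 20))
    return (bits >= 40, score, f"{STRENGTH_LABELS[score]} (~{bits:.0f} bits)")
```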