How does this preserve the user experience? Adding hints for strong credentials is great, but restrictions like this, which appear arbitrary to the user, caused a large number of our users to either forget their username or abandom signup completely.

“Enforce a dictionary check to ensure that users cannot choose common words for their password.”
This forces a user to select a difficult-to-remember password. If your site is one that they don’t use regularly (ie isn’t Facebook, or Twitter) then they’ll probably completely forget their password, forcing them down an often painful password-reset process. Surely only recommended on busy sites, or those with highly sensitive information (such as ebanking)

“Require a strong username that includes a numeric character. Often the username is the easiest portion of the login credentials for a hacker to guess. Do not use the user’s email address as their username.”
As above, if your site isn’t one that the user logs into regularly, the chances of them remembering a username instead of just using their email address is slim. I have numerous sites that I need to log into occasionally (mobile phone operator, satellite TV, gas and electric provider) and some force usernames on me, others email addresses. The username ones I always struggle to log into because they have these different definitions of what an acceptable username is, or what was available at the time. Usernames are great for sites such as discussion forums, where you need an avatar and to protect your email address from the prying public, but otherwise I prefer to use email addresses as usernames. Of course, on forums, your usename is easy to see, so it makes more sense there to log a user in with an email address that is not being displayed hundreds of times around the site. As for forcing numbers into usernames; this creates an additional world of pain and will put most users off of signing up. I’d much rather use a simple username (if an email address is unavoidable) and consider an additional step, such as confirming a couple of letters from a pre-determined secret word if required

“Limit the number of failed login attempts to three and temporarily suspend account access unless the user can authenticate through other means.”
This I DO completely agree with, and in some cases (PCI environments, for example) only an administrator should be able to reactivate once suspended. However, this only addresses front-end security and not the back-end data that has been compromised in the Sony/LinkedIn examples

“If the login fails, don’t identify which portion of the credentials was incorrect. Stating that the ‘password is incorrect’ or the ‘username doesn’t exist’ enables hackers to harvest account information. A general statement such as “Incorrect login, please try again” helps prevent account harvesting.”
I’d rather aid account harvesting than provide vague error messages to the user. Usability always recommends that you highlight where you’ve gone wrong. I could be trying loads of different passwords, trying to log in, only to lock someone else’s account because I didn’t realise that my username on this site was actually “anthony2″ and not “anthony1″, because someone decided that letting me log in with my email address as a username was a bad idea. In fact, I’ve recently given up with a website because I needed to reset a password and it asks for my email address and username to reset. I only know the email address associated with it, so now I can’t get in and spend the credit that I already have. Too complicated! The only exception would be where you may need to use sensitive data to log in, such as a bank card number. I wouldn’t want to confirm that this was correct or not as part of the process of signing in

“Use SSL to create an encrypted link between your server and the user’s web browser during account enrolment, the login process and the password reset process.”
Agreed. Can’t imagine many would disagree. SSL isn’t always an option to everyone though, especially not with a certificate signed by a public CA, such as Verisign

“Provide users with advice on how to choose a strong username and password. Research shows that users do choose better passwords when given advice on how to do so. One option is to have a password strength meter built into the page.”
Again, agree. But advise rather than force. If a user chooses to go against your advice then they need to accept the consequences. However, you may want to force higher restrictions on users with elevated privileges. Also, bear in mind that the more rigid your password policy, the easier it is to guess passwords. If you force a capital and a number, you can be pretty sure that instead of “password” being the most common password, that it will just become “Password1″ or “Passw0rd”. Add a symbol and it might just become “Passw0rd!”. These patterns are easily predicted for most users. Allowing the password to be anything at all can sometimes make it even harder to crack

“Hash user passwords using bcrypt, scrypt, or other hash algorithms specifically designed to store passwords. Do not use SHA1, MD5 or other algorithms that were not designed for hashing passwords, as they are not secure.”
Again, I completely agree. Personally I use bcrypt in PHP wherever possible. I especially like that we can increase rounds as computing power increases to make it more difficult for anyone to calculate passwords should our database be compromised. In PHP there is also no choice but to salt bcrypt’d passwords

“Use Salt. Use a unique salt for each user account/password and store that salt with the password. An additional layer of system wide salt that is not stored with the password can also add extra strength if the database is stolen because it is not stored with the passwords but is known to you.”
Also agree

There is always a trade-off between making the most secure system, and making a usable system. For MOST sites, it’s more important to make them usable and therefore much of these recommendations will go out of the window. It’s common sense and that would explain why CU find that most sites don’t meet these minimum recommendations. They’re theoretically great, but in practice just add too many barriers, and in this world of high-competition online, the more challenges you throw in front of the user, the less likely they are to ever sign up, never mind come back again. In fact, some of the best signup forms I’ve ever seen ask only for your email address, and you’re signed up. A password is sent to you and you can change it, of course, but no barriers. No complicated signup. And if you want to reset your account? Just give them your email address again. Perfectly acceptable for most sites.