This document summarizes common vulnerabilities in password-based authentication and provides recommendations for improving password security. It discusses issues such as password reuse, default passwords, weak password requirements, plaintext storage, and the lack of account lockouts. Testing techniques are outlined, such as capturing authentication traffic for replay attacks and checking the strength of password hashing. Recommended defenses include educating users, enforcing strong passwords, hashing passwords with salts, locking accounts after repeated failed attempts, and using two-factor authentication to supplement passwords. Real-world examples demonstrate how high-profile accounts were compromised because of these weaknesses.
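Two of the defenses named above, salted password hashing and locking an account after repeated failures, are shown together in the following example. It is an added illustration written for this summary, not code from the document being summarized. The iteration count, salt length, lockout threshold and lockout duration are assumed values chosen for the example; the account store is an in-memory stand-in for a real user database, and the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Assumed parameters for this example (not taken from the summarized document).
PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16               # per-user random salt
MAX_FAILED_ATTEMPTS = 5       # failures before the account is locked
LOCKOUT_SECONDS = 900         # how long the lock lasts


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing salted PBKDF2-HMAC-SHA256 record.

    A fresh random salt per user means two users with the same password
    get different records, so a leaked table cannot be attacked with one
    precomputed lookup for all of them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so the comparison itself leaks nothing about the digest."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class AccountStore:
    """In-memory stand-in for a user table, with per-account failure counting."""

    def __init__(self, now: Callable[[], float] = time.monotonic,
                 iterations: int = PBKDF2_ITERATIONS):
        self._now = now
        self._iterations = iterations
        self._accounts: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = {
            "hash": hash_password(password, iterations=self._iterations),
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Return "ok", "invalid" or "locked"; the same "invalid" answer is given
        for an unknown user and a wrong password so usernames are not enumerable."""
        acct = self._accounts.get(username)
        if acct is None:
            # Spend the same KDF cost as a real check so response time does not
            # reveal whether the username exists.
            hash_password(password, salt=b"\x00" * SALT_BYTES, iterations=self._iterations)
            return "invalid"
        now = self._now()
        if now < acct["locked_until"]:
            return "locked"          # no password check while locked
        if verify_password(password, acct["hash"]):
            acct["failed"] = 0       # successful login clears the counter
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "guess"))                      # invalid ... then locked
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed on the user's next successful login without a separate migration table. Locking is time-based rather than permanent so that a flood of bad guesses cannot be used to deny service to a legitimate user indefinitely.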