by tomelders
4305 days ago
I don't think there's anything wrong with user-names and passwords in concept. It's familiar to users and easy to implement. Users need to create better passwords and we need to help them do it. Don't impose any restrictions on what the password should be, e.g. "Must not contain any special chars. Must contain a number..." Use the word "pass phrase" instead of "password". Encourage people to use memorable phrases and quotes as their pass phrase. The English language has approx. 250,000 words. If a pass phrase contains 4 words, that's 1.62764322e+20 permutations. That's a naive view since "habit osteopath circumference telephone" isn't a particularly memorable password. With this in mind, you could use statistics to reduce the number of permutations, but that's no small feat. Use email addresses instead of user-names. Finally, use Bcrypt.