For example, saving password hashes as MD5 in the DB is not state of the art; one should at least add a very long salt, which is different for each user!
I decided that the safest way to store passwords is to not store them at all, hence the federated login. That, and skipping over that whole (tedious IMO) email/human verification dance...
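The per-user salt point from the first comment, as an added example that is not part of the original comments: two users with the same password get identical unsalted MD5 digests, but distinct records once each has a random salt. The salted side uses scrypt from Python's standard library instead of MD5, a substitution made here; the user names, password and cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """The criticised scheme: the same password gives the same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def demo():
    # Constructed sample: two users who picked the same password
    users = {"alice": "hunter2", "bob": "hunter2"}
    md5_table = {u: md5_unsalted(p) for u, p in users.items()}
    salted_table = {u: hash_password(p) for u, p in users.items()}
    return md5_table, salted_table


if __name__ == "__main__":
    md5_table, salted_table = demo()
    print("unsalted MD5 digests identical:", md5_table["alice"] == md5_table["bob"])
    print("salted records identical:     ", salted_table["alice"] == salted_table["bob"])
```

The stored record per user is the pair (salt, derived key); the salt is not secret, it only has to be unique per user.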