A more interesting question is that of password reset. Does one store a random password that’s e-mailed (and/or texted—though this might incur additional cost to the operator) to the user? The details matter: can one reset a password when the temporary one has already been issued? For how long is the temporary one valid? Can the existing one still be used? If the existing one is used, is the temporary one wiped out? Should there be intermediary “security questions” before issuance of a temporary token (as per the OWASP recommendation)?
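One way to pin those policy questions down in code, as an added example that is not part of the comment above: the temporary token expires, is single-use, is superseded by any later issuance, and is discarded as soon as the existing password is used. The class and function names, the 15-minute lifetime and the in-memory store are assumptions of the example, not anything the comment specifies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy value: a temporary reset token lives for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(value: str) -> str:
    # Store only a hash of the token so a leaked table does not expose live tokens.
    # For the password itself a slow KDF (scrypt/argon2) belongs here; sha256 keeps
    # the example short.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    reset_hash: Optional[str] = None   # digest of the outstanding temporary token
    reset_expiry: float = 0.0          # absolute time after which it is void


class ResetService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(_digest(password))

    def issue_reset(self, user: str) -> str:
        """Mint a fresh token; any earlier outstanding token is replaced."""
        token = secrets.token_urlsafe(32)
        acct = self.accounts[user]
        acct.reset_hash = _digest(token)
        acct.reset_expiry = self.now() + TOKEN_TTL_SECONDS
        return token  # delivered out of band (e-mail/SMS); never logged

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, _digest(password)):
            return False
        acct.reset_hash, acct.reset_expiry = None, 0.0   # using the old password wipes the pending reset
        return True

    def redeem_reset(self, user: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.reset_hash is None or self.now() > acct.reset_expiry:
            return False
        if not hmac.compare_digest(acct.reset_hash, _digest(token)):
            return False
        acct.password_hash = _digest(new_password)
        acct.reset_hash, acct.reset_expiry = None, 0.0   # single use
        return True
```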
Also an excellent article, you should submit it separately!