And any decent one will tell you to not bother unless you have to.
Rely on an external authentication system instead. Be it Facebook, Twitter, Google, OpenID, etc. etc. or an existing SSO engine running within your existing environment.
All are almost certainly more secure than anything you can come up with.