Read OWASP projects. For example, the Application Security Verification Standard is a good start.
Also, it's never just passing a username and password, as there are so many things to keep in mind about how they are passed (transport security), how they were generated (long enough?), how they are stored (bcrypt / scrypt?), how sessions are handled (what if multiple people log in using the same credentials? How to terminate a session? Should there be sessions at all?), how authentication verification is computed (and what attacks might be possible, for example timing attacks, D-/Re-/DoS, SQL/JS injection, ...) and so on and so on.
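
Two of the points above, storage with scrypt and a verification step that resists timing attacks, shown as an added example that is not part of the original answer. The cost parameters, minimum length, record layout and the in-memory `store` dict are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed example values; tune the scrypt cost for your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, KEY_LEN = 16, 32
MIN_PASSWORD_LEN = 12  # assumed policy for "long enough?"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password, salt); this is what gets stored."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short")
    salt = os.urandom(SALT_LEN)  # fresh random salt per credential
    return salt + _derive(password, salt)


# Record checked when the username is unknown, so that both code paths
# pay for one scrypt run and response time does not reveal valid usernames.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def verify_login(store: dict, username: str, password: str) -> bool:
    """store maps username -> bytes produced by hash_password (hypothetical layout)."""
    record = store.get(username)
    known = record is not None
    if not known:
        record = _DUMMY_RECORD
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    candidate = _derive(password, salt)
    # compare_digest does not stop at the first differing byte,
    # unlike ==, so the comparison time leaks nothing about the hash.
    matches = hmac.compare_digest(candidate, expected)
    return known and matches


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery")}  # constructed sample
    print(verify_login(users, "alice", "correct horse battery"))
    print(verify_login(users, "mallory", "correct horse battery"))
```

Transport security, session handling and rate limiting against DoS are outside what this block covers.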