Does the application submit authentication credentials over an unencrypted connection?
Does the application store authentication credentials in cleartext or weak format?
Do application functions allow for anonymous enumeration of valid user accounts?
Does the application allow for caching (i.e. remembering) of a user password?
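The first three questions above map directly onto code that a reviewer can inspect. The following is an added example, not part of the original checklist, showing the hardened form of each: a transport check that rejects a login form posting to a non-https URL, password storage with a per-user random salt and a memory-hard KDF (contrasted with unsalted MD5 as the "weak format"), and a login routine that returns one generic message and performs the same KDF work whether or not the username exists, so neither the response body nor the response time enumerates valid accounts. The usernames, passwords, the example.test URL and the scrypt parameters are constructed for illustration; the in-memory dictionary stands in for a real credential store. The fourth question (browser-side remembering of the password) is a markup and HTTP-header concern and is not covered by this block.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed in-memory credential store: username -> (salt, scrypt digest).
# Stands in for a database table in this example.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}

# One generic failure message for every bad login, so the response never says
# whether the username exists (the enumeration question in the checklist).
GENERIC_ERROR = "Invalid username or password."


def weak_hash(password: str) -> str:
    """The 'weak format' the checklist asks about: unsalted MD5 is fast to brute
    force, recoverable from precomputed tables, and identical passwords collide.
    Shown here only for contrast with hash_password()."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard scrypt digest. The cost parameters are assumed values
    for this example, not a tuned recommendation for any particular deployment."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest


# A dummy credential so that a login attempt for an unknown user still costs one
# scrypt computation; a fast "no such user" path would leak account validity
# through response timing even when the message is generic.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def register(username: str, password: str) -> None:
    """Store a credential in the hardened form (salt + scrypt digest)."""
    _USERS[username] = hash_password(password)


def login(username: str, password: str) -> Tuple[bool, str]:
    """Verify a credential. Returns (success, message); the message is identical
    for 'unknown user' and 'wrong password'."""
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # compare_digest is constant-time. The membership check closes the corner
    # case where the submitted password happens to equal the dummy credential.
    ok = hmac.compare_digest(candidate, stored) and username in _USERS
    return ok, ("Login successful." if ok else GENERIC_ERROR)


def credentials_use_tls(form_action: str) -> bool:
    """Transport check for the first question: credentials may only be posted
    to an https:// URL."""
    return urlparse(form_action).scheme == "https"


def weak_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """Unsalted hashing: equal passwords yield equal stored values, so one crack
    reveals every account sharing that password."""
    return weak_hash(pw_a) == weak_hash(pw_b)


def strong_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """With a fresh random salt per user, equal passwords yield different digests."""
    return hash_password(pw_a)[1] == hash_password(pw_b)[1]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")   # constructed sample user
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))   # same message as the line above
    print(credentials_use_tls("http://example.test/login"))
```

When reviewing an application against the checklist, the things to look for are the counterparts of each function: a form action or API endpoint that is not https, a stored value that is the password itself or a plain digest without a salt, a login error that differs between "user not found" and "bad password", and a response time that is noticeably shorter for unknown usernames.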