As some of the others pointed out, there's a lot to be considered when securing a website login form. Some other things to consider are:
- If the login is wrong, don't let on whether it was the username or password that was wrong.
- If you print out the username (e.g. you print 'there is no user Bob registered here') make sure you html encode the username first to prevent cross-site scripting attacks.
- The choice of session id hashing algorithm is important. MD5, the default in many cases is not really suitable for applications which require a good level of security.
- Make sure any database lookups you do carry out are protected against SQL injections.
And there's plenty more. You can get a bit of an introduction to website security at my site
WebsiteSecurityBook.com. (it's all free).
I'm gathering up information on all the different security issues to be considered when securing websites.