In June 2004, I published an article on password protection in ;login:. The article discusses the history and basic concepts behind the password protection measures used in Unix and Windows. Parts of it are out of date (e.g. the password length recommendations), but the technical parts hold up fairly well as an introduction to password security. It also provides lots of references for further reading.
Disclaimer: I no longer stand by some of the advice I gave at the end of the article. Password aging and expiration, for instance, are worthless. Read it for the technical bits, but skip the ending.
The article is online here.