The default page to view all people (http://yoursite.dev/admin/people) in your Drupal site leaves quite a bit to be desired. For a much better interface, install the contributed module Administration Views (admin_views). It will also give you a better page for looking at your content nodes (http://yoursite.dev/admin/content).
Using an out-of-the-box install of Drupal, you can specify who can create accounts on your site. Options are:
You can also force visitors to confirm sign-up via an email (a good idea); however, this comes at the cost of not being able to directly create an account and be logged in.
After requesting a replacement password, or just signing up for a new account, the user will be required to enter a new password. If they don’t, they will have temporary access to the site as an “authenticated” user (until the next Cron, I think.) To force users to immediately change their password after requesting a one-time password, use the Password Policy module as described below.
Out-of-the-box, Drupal will suggest to the user that they make strong passwords with specific recommendations, but they are not enforced. To force strong passwords, use a contributed module such as Password Policy (password_policy). You can also force a password change after a user requests a password reset.
You will need to create a policy that defines the rules for how to construct a password, which roles it applies to, and optionally when passwords expire.
As of April 2015, there is a 2.0-alpha4 release, and their 1.1 release. Both seem to work fine, but there are actually more options in the 1.1 release right now; probably best to stick with that one until 2.0 comes out of alpha.
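The three parts of a policy described above (construction rules, the roles it covers, optional expiry) plus the forced change after a reset can be sketched as follows. This is an added example, not code from the Password Policy module; the `Policy` fields, function names and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:  # hypothetical structure, not the module's schema
    roles: frozenset                      # roles the policy applies to
    min_length: int = 12
    min_digits: int = 1
    min_upper: int = 1
    min_symbols: int = 1
    max_age_days: Optional[int] = None    # None: passwords never expire
    force_change_after_reset: bool = True

def applies(policy, user_roles):
    """A policy only binds accounts holding at least one of its roles."""
    return bool(policy.roles & set(user_roles))

def validate_new_password(policy, user_roles, username, password):
    """Return the construction rules a proposed password breaks."""
    if not applies(policy, user_roles):
        return []                         # uncovered roles get no enforcement
    broken = []
    if len(password) < policy.min_length:
        broken.append("length")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        broken.append("digits")
    if sum(c.isupper() for c in password) < policy.min_upper:
        broken.append("uppercase")
    if sum(not c.isalnum() for c in password) < policy.min_symbols:
        broken.append("symbols")
    if username and username.lower() in password.lower():
        broken.append("contains-username")
    return broken

def must_change(policy, user_roles, last_changed: datetime, now: datetime,
                via_reset_link=False):
    """True when the account has to set a new password before continuing."""
    if not applies(policy, user_roles):
        return False
    if via_reset_link and policy.force_change_after_reset:
        return True
    if policy.max_age_days is None:
        return False
    return now - last_changed > timedelta(days=policy.max_age_days)

# Constructed sample policy: administrators only, 90-day expiry.
ADMIN_POLICY = Policy(roles=frozenset({"administrator"}), max_age_days=90)
```

Note the role check: an account whose roles are not listed in any policy passes every rule, so when reviewing a site's policies, confirm that each role able to log in is covered by at least one.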
The Spambot (spambot) module will check against a blacklist of abusive accounts.
The LoginToboggan (logintoboggan) module has several options:
It seems to me that the best way to avoid bots is to move the default location of the login screen, which is /user and /user/login.
Drupal allows you to manually block an IP address. To automate that process, the Login Security (login_security) module allows you to set some rules for automatically blocking IP addresses.