There’s a lot to be said about how to secure our online information while providing a good experience; hasn’t anyone written this book yet? In any case, I think a good, uncommon guideline would be:
Do not use human memory
To remember and recall takes work, and I’d rather not expend my precious attention and cognition on computers. And human memory is fallible. Most passwords break this guideline, but we now have biometrics and password managers to provide security without relying on memory, and it’s time our security practices catch up to the technology.
Two-factor authentication, similarly, feels like a lazy, flawed approach which requires too much human work.