The history of the Internet is rife with examples of compromises arising both from poor security hygiene and from misguided attempts to "make it more secure" without first considering the implications of the changes.
In this post, I'll be detailing some of the decisions you should be making when designing account security and user management functionality.
There's likely little in here that hasn't already been stated elsewhere, but I thought it might be helpful to put it all together in one post.
The post itself is quite long, so headings are clicky links to themselves. For those with limited time, there's a Cheat Sheet style summary towards the bottom.