    This blog post is a bit of a mixed bag of advice:

    • 1, 5, 8, 9, 10, 12 are generally good practice
    • 2 (third-party identity providers) seems a bit self-serving for a Google post. Users trade lack of control over their data for convenience, privacy (especially if you can’t seamlessly transition between identity providers and/or direct login)
    • 6, 7 and 11 are in direct conflict with each other, especially given the stunning naivety of this sentence:

    “It’s trivial to store usernames and email addresses in all lowercase and transform any input to lowercase before comparing.”

    Bullshit. Unicode case-folding is anything but trivial for non-ASCII codepoints. You’d better use case-folding only for internal/login purposes, in no user-visible way, and even then you have to stick to a single case-folding algorithm forever (or migrate very carefully to another one by converting your existing user data). Mismatch between case-folding at registration vs. login vs. anywhere else? Boom, huge security problems. It is treacherously hard to get this right.

    • 3, 4 depend on the system that you’re building. It is not more or less secure whether you decouple user identity from user accounts or decide to go for simplicity with a more rigid user structure. If you have the resources to thoroughly validate a more complex user account/identity setup, great. Otherwise stick with simplicity.
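The registration-vs-login mismatch described in the comment above, as an added example that is not part of the original thread or of the blog post it discusses. It compares plain `str.lower()` with one fixed canonical form (NFKC normalisation followed by full case folding) over a few constructed usernames, shows how a service that stored keys with one algorithm and compares with the other lets one user land in another user's account, and shows the registration-time collision check that blocks the problem. The usernames, the `canonical()` choice and the helper names are all assumptions made for the demonstration.

```python
import unicodedata

# Constructed sample usernames for the demonstration (not from the thread).
# "Strasse" and "Straße" are distinct under str.lower() but identical under
# full case folding; "\u212Aelvin" starts with the KELVIN SIGN, not "K".
REGISTERED = ["Strasse", "Straße", "Kelvin"]


def lower_only(s: str) -> str:
    """The 'trivial' approach: just lowercase the input (ß stays ß)."""
    return s.lower()


def canonical(s: str) -> str:
    """One fixed canonical form: NFKC normalisation, then full case folding.

    Assumption: this exact function is applied at registration, at login and
    everywhere else a username is compared, and it is never changed without
    re-keying the stored user data.
    """
    return unicodedata.normalize("NFKC", s).casefold()


def build_index(names, key):
    """Map key(name) -> first name registered under that key.

    Returns (index, collisions); a collision is two different stored names
    that the key function maps to the same value.
    """
    index, collisions = {}, []
    for n in names:
        k = key(n)
        if k in index and index[k] != n:
            collisions.append((index[k], n))
        else:
            index.setdefault(k, n)
    return index, collisions


def mismatched_login(registration_key, login_key, names, attempt):
    """A service whose registration path and login path use different folding.

    Returns the stored account the attempt resolves to (None if no match).
    """
    index, _ = build_index(names, registration_key)
    return index.get(login_key(attempt))


def consistent_login(names, attempt):
    """Same canonical form on both sides: the attempt can only reach its own key."""
    index, _ = build_index(names, canonical)
    return index.get(canonical(attempt))


def register(index, name):
    """Registration-time mitigation: refuse a name whose canonical key is taken."""
    k = canonical(name)
    if k in index:
        return False
    index[k] = name
    return True


if __name__ == "__main__":
    # Stored with lower(), compared with casefold(): the "Straße" user logs
    # into the "Strasse" account.
    print(mismatched_login(lower_only, canonical, REGISTERED, "Straße"))  # Strasse
    # One algorithm everywhere, plus a collision check at registration.
    idx = {}
    print([register(idx, n) for n in REGISTERED])  # [True, False, True]
    print(consistent_login(REGISTERED, "\u212Aelvin"))  # Kelvin
```

The point of the `register()` check is that a single folding function is necessary but not sufficient: the uniqueness constraint has to be enforced on the canonical key, not on the raw string, or two accounts that fold to the same key coexist and later become indistinguishable at login.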

      Sadly they mentioned…

      “If my database were exfiltrated today, would my users’ safety and security be in peril on my service or other services they use? What can we do to mitigate the potential for damage in the event of a leak?”

      …only in the context of hashing passwords.

      As Bruce Schneier says, data is the toxic waste of the computer age.

      Eventually it will leak.

      So don’t hoard it.

      Keep it for as long as it will be useful to your user… then actively age it out and purge it.

      It can’t leak if it has been wiped.


        I agree 100%, but we’re all wasting our breath while the driving business model is surveillance.