These are great points. A few more thoughts.
One of the most frustrating things about passwords is that many have conflicting requirements, which makes it almost impossible to have any sort of secure strategy. Some have a minimum length, some a maximum length and some an exact length. Some require special characters and some don’t allow them at all.
Another problem security questions have is that the syntax is often unclear. Say my “best childhood friend” is a guy named Bobby Smith. A few months (or years) after I set this question, I ask myself: did I put in “Bobby,” “bobby,” “robert,” “BobbySmith,” “Bobby Smith,” “robertsmith,” etc.?
The sad fact is that increasing password complexity ultimately ends up undermining security. Eventually users give up and start using the same password for everything and/or writing the passwords down somewhere. Hopefully not on a post-it on their monitor.
One way to improve usability and security is having longer passwords with fewer requirements. Something like “morehumanthanhuman” is tougher to crack and easier to remember. More on that in the link below.
Looking into the future, we need to stop trying to outrun the machines. We need to use our human brains. Show the user a photo and ask them to identify it: “Who is this?” “Where is this?” Show them an impressionist painting and ask what it looks like. Ask which of these 5 words rhymes with “banana.” Questions that are multi-modal, that use our abilities to interpret things and detect patterns.
We’ll get there eventually.