http://www.perlmonks.org?node_id=400228


in reply to Re: Make it good
in thread Make it good

You make an interesting point, and one I will probably have to incorporate into the node. These rules could easily contradict each other -- except that they are not absolute rules.

In your cited example, you have to decide whether security or usability is more important in that particular case. Rules like these don't remove the power and responsibility of making choices; they just provide a framework to guide those choices.

Also, this is arguably a bad example: it is secure, so it hits rule #3. It's also usable, so long as the password reset capability is easy for the support staff to use. The idea behind these rules is that they are flexible enough to fit your specific circumstances.

radiantmatrix
require General::Disclaimer;
"Users are evil. All users are evil. Do not trust them. Perl specifically offers the -T switch because it knows users are evil." - japhy