A good list. I disagree with two points:
1. Using a framework. This is less of a guideline and more of a recommendation. I think frameworks are bloated and unnecessary and I certainly never plan on using one - but I can still organize my code and implement strong security techniques.
2. Password length. Most users would have trouble remembering a password 12-14 characters long. Yes, it is good to have long passwords, but 8 characters minimum is a little more reasonable.