I'd love best practices around, say, login forms, e.g.:
- use standard input field names password managers recognize
- disable autocompletion and autocapitalization on the login field
- if it's an email, use the correct HTML5 input type
- don't have a form with just a login email and force the user to click to enter the password
- follow NIST SP 800-53, e.g. no SMS 2FA and no arbitrary password rotation and composition rules
Or how many sites that have a form with only one input don't automatically focus on it.
Evil Martians have a nice write-up on the login forms: https://evilmartians.com/chronicles/html-best-practices-for-...
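As an added illustration, not part of the comment above or the linked write-up, here is a single-step login form that applies the points listed: standard autocomplete tokens that password managers match on, the HTML5 email type, no autocapitalization on the identifier field, focus placed on the first field, and both fields on one page. The field names, ids and the action URL are assumed.

```html
<!-- Added example (not from the comment or the linked article): a single-step
     login form applying the points listed. Field names, ids and the action
     URL are assumed for illustration. -->
<form method="post" action="/login">
  <!-- type="email": correct mobile keyboard and built-in syntax validation.
       autocomplete="username": the standard token password managers look for
       on the identifier field, whether it holds a username or an email.
       autocapitalize="none" / autocorrect="off" / spellcheck="false": the
       address is not mangled by the keyboard.
       autofocus: the cursor lands in the first field with no click needed. -->
  <label for="email">Email</label>
  <input id="email" name="email" type="email"
         autocomplete="username" autocapitalize="none" autocorrect="off"
         spellcheck="false" autofocus required>

  <!-- The password field is on the same page, so there is no separate
       "now enter your password" step. autocomplete="current-password" is the
       standard token for an existing password; managers use it to tell this
       apart from a new-password field on a sign-up or change-password form.
       No pattern attribute: the markup imposes no composition rules. -->
  <label for="password">Password</label>
  <input id="password" name="password" type="password"
         autocomplete="current-password" required>

  <button type="submit">Sign in</button>
</form>
```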