What with keyboard loggers, unsecured Wi-Fi, video cameras, stolen computers, stolen iPhones (with email access, now you're vulnerable to password resets), there are just too many attack vectors for even a 16-character password to suffice. You need to be protected by both something you have and something you know. (My iPhone has a 16+ character password. It's a pain. It's worth it.)
Heroku's lack of 2-factor auth has literally given me nightmares.