For a web site that only allows 6 digits, OK.
Personally I prefer … a long, strong password that after 10,000,000 years the hacker is only a tiny fraction of the way through brute force - and to change the password very infrequently.
With sooooooo many web sites, I don’t consider changing all passwords frequently to be reasonable.
I use random, meaningless passwords. I use software to generate them.
Obviously … manage each password commensurately with the risk. So internet banking would be dealt with more stringently than the Choice web site. (No offence intended )
Against the above point about “10,000,000 years”, there is Moore’s Law and eventually quantum computers.
Some people are already moving over to hashing and/or encryption algorithms that will be less amenable to attack by quantum computers (but the details are way beyond my ken).
(Also unique password for system i.e. no reuse across different web sites etc.)
Unique username is a bit tricky because you don’t always get the choice.
Many web sites only let you log in using a verified email address. (Sure, I operate my own domain and hence can have an infinite number of email addresses but not everyone will be in that position.)
Another tricky aspect is e.g. the myGov web site where by default you can login with your email address as an alternative to the unique, meaningless username that they assign you.
Various telecommunication companies seem to have the same flaw i.e. let you log in with your account number (which a random would-be intruder won’t know) but alternatively let you log in with your phone number (which is likely to be easier for the intruder to come by e.g. could be publicly available).