
that functionality [critical administration functionality] available to anyone on the internet via a simple password

I mean COME ON, MAN.... there are mistakes, and then there's incompetence.




It depends on the simplicity of the password...

I mean yeah, if the password was 'letme1n' that's one thing. Whereas if it's an "at least 16 characters, mixed case, punctuation and no English words" password, maybe that's another.

But, I would have thought at the very least, ssh with keys-only on the external-facing bastion host.
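The keys-only bastion the comment above asks for comes down to a handful of sshd_config keywords. The following is an added example, not code from the thread or from Heroku, that audits a config text for the settings that still let a password reach an internet-facing host. The two sample configs are constructed for the demo; the keyword defaults in the comments follow sshd_config(5), and the parser deliberately stops at a Match block, which it does not model.

```python
# Constructed sample configs (not taken from any real host).
WEAK_SSHD_CONFIG = """\
# Defaults left in place: passwords and root login still accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective keyword -> value map for a global sshd_config.

    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored.  Match blocks apply conditional overrides that this simple
    parser does not model, so parsing stops at the first 'Match' line.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> list:
    """List the ways a password can still be used to log in, given this config.

    Defaults assumed (sshd_config(5)): PasswordAuthentication yes,
    KbdInteractiveAuthentication yes, PubkeyAuthentication yes,
    PermitRootLogin prohibit-password.
    """
    cfg = parse_sshd_config(text)
    findings = []

    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password logins accepted")

    # ChallengeResponseAuthentication is the older spelling of the same switch.
    # With PAM, keyboard-interactive can still prompt for a password even when
    # PasswordAuthentication is off, so it must be disabled too.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive auth enabled: PAM can still prompt for a password")

    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication disabled: key-only login cannot work")

    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root reachable with a password")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; an empty list means passwords cannot be used for login under the global settings, though any Match blocks still need a manual look.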


What with keyboard loggers, unsecured wifi, video cameras, stolen computers, stolen iPhones (with email access, now you're vulnerable to password resets), there are just too many attack vectors for even a 16 character password to suffice. You need to be protected by both something you have and something you know. (My iPhone has a 16+ character password. It's a pain. It's worth it.)

Heroku's lack of 2-factor auth has literally given me nightmares.
