[apenwarr]

It's easy to make a basic password login system, and very technical people use password managers, long passwords, etc. But there's a long "tail" (ha ha) of people who don't use long passwords, who will reuse their password on multiple web sites, who will forget their password and need to recover it using their mother's maiden name, etc. This opens up unlimited opportunity for phishing attacks.

And you don't get any key rotation unless you force people to change their passwords occasionally, which is itself now deprecated as a bad practice because people then start writing their passwords down on paper or storing them in a spreadsheet, which is even worse than no rotation. (Tailscale rotates your VPN keys automatically, but it's all for naught if the root key is just a password.)

We know that something better is needed for personal accounts, but please, not username+password. Your private network security is important. The world needs something much closer to foolproof.

[blueside]

> few very technical people use password managers, long passwords, etc

I'd be very surprised if this was true. Most all technical (competent) people I know use a pw manager of some sort

[apenwarr]

It originally said "a few", not "few", which was intended to have a slightly different meaning, but I've edited it to remove that because you're right and it's not important :)

Unfortunately non-technical people mostly don't use a password manager and we can't assume they do. Tailscale is about making the Internet secure by default, and passwords will never be secure by default.

[cube2222]

I know only myself and one other person using a password manager, even though I know a lot of technical folks.

[anderspitman]

Why not ditch passwords altogether and only do magic-link logins via email a la slack?