by benlivengood 1861 days ago
There are two risk classes: reused passwords exposed by a breach, and targeted attacks (phishing, dictionary/brute-force attacks, etc.). The first is easiest to detect by finding password dumps and by observing login attempts. Targeted attacks are best prevented by 2FA. There never was any middle ground where password rotation improved security. Any high-security systems worried about insider risk or espionage should have been using multi-factor authentication all along.
1 comments

My own view - reused passwords come from leaks - should be a penalty of $100 per leaked password - come on, salt and hash them! This would at least put some pressure on that side. Class actions allowed. This would push more towards oauth etc.

Then for targeted attacks, allow non-SMS two-factor with multiple keys and recovery codes. I'm on non-SMS two-factor on Google with recovery codes in a drawer. I have never changed my password and actually have it memorized (and I only use it for Google). Same password for 15+ years or so now. Feel totally secure. Google Authenticator on the phone is pretty good because people really keep track of their phone (more so than Yubico keys). I have a Yubico on my keychain which works 90% of the time (a bit awkward in some cases).

Reused passwords are also really common and so cracking new dumps of salted and hashed passwords will yield a pretty high success rate.

At this point I just assume that any password that's been leaked (hashed or not) is in plaintext in some database. Obviously 20-character random passwords aren't going to get reversed but there's no guarantee that they were always hashed and weren't leaked from the login process itself, etc.
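The thread above makes three points that are easier to see in working code: a service should salt and slow-hash stored passwords so that a dump does not hand attackers plaintext, two users who reuse the same password should not produce the same stored hash, and a service can cheaply refuse passwords that already appear in known breach dumps. The following is an added example written for this page, not code from any commenter or from Hacker News. It uses Python's standard-library `hashlib.scrypt` for the slow salted hash; the breached-password corpus is a constructed three-entry set standing in for a real leaked-credential list (assumption: such lists are distributed as SHA-1 hex digests, as the widely used "Pwned Passwords" data is).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo data: a tiny "breached password" corpus, stored as SHA-1 hex
# digests. In production this would be a large downloaded list or an
# anonymised range query against a breach-lookup service.
BREACHED_PLAINTEXT = ["password123", "letmein", "qwerty2019"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in BREACHED_PLAINTEXT}


def is_known_breached(password: str) -> bool:
    """True if the candidate password appears in the breached-hash set.

    A registration or password-change flow would reject such a password,
    which is the defender's answer to 'reused passwords come from leaks'.
    """
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


# scrypt cost parameters (interactive-login scale; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt_hex>$<hash_hex>' using a fresh 16-byte random salt.

    The per-user salt means identical passwords get different records, so a
    precomputed table or a crack of one user's hash does not crack the rest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha256(password: str) -> str:
    """The weak scheme the thread warns about: fast, unsalted, lookup-friendly."""
    return hashlib.sha256(password.encode()).hexdigest()


def reuse_collision_demo() -> tuple:
    """Two users who picked the same password.

    Returns (unsalted_records_collide, salted_records_collide): with unsalted
    SHA-256 both records are identical, so a dump reveals the reuse and one
    lookup cracks both; with salted scrypt the records differ.
    """
    unsalted_a = unsalted_sha256("letmein")
    unsalted_b = unsalted_sha256("letmein")
    salted_a = hash_password("letmein")
    salted_b = hash_password("letmein")
    return unsalted_a == unsalted_b, salted_a == salted_b


if __name__ == "__main__":
    print("breached check 'letmein':", is_known_breached("letmein"))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("hunter2", record))
    print("(unsalted collide, salted collide):", reuse_collision_demo())
```

The breached-list check runs before hashing, at registration or password change, so a leaked-elsewhere password never becomes a stored credential in the first place; the scrypt record is what the service keeps, and the unsalted SHA-256 function is included only to show why the two reused-password records look identical in a dump of that scheme.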