> Nobody can store passwords securely. 100% busted. [...] Let's talk about one-time codes

One-time codes rely on a password: either it is stored in your 2FA app, or they rely on your email password, or they rely on you storing a password somewhere else. OTPs rely on stored secrets. You can make these secrets much larger than the humble password and call them "private keys":

> asymmetric key cryptography, hardware tokens

If these are not protected by a passphrase they can be stolen. Which seems like a variation of "nobody can store passwords securely". To mitigate the effects of them being stolen, you need to protect them with a password.

I sympathize with your desire, but it's not that easy, although I do think that we can reduce password usage. But fundamentally a password is a trust anchor in your brain. I have yet to find a way around this limitation.
How we use them is very much broken. What is the point of a password that a bit of social engineering can bypass? Why are passwords required to get info on my ice cream rewards? Shouldn't I just get a coupon instead?
You should only use passwords that mean something, and they should not be resettable; otherwise you have something closer to a one-time token with a replay attack. Forget the password? Tough luck. Either it should not have needed one, or it should have some tangible effect which causes the user to highly value not forgetting it or getting it stolen.
We have engineered a state where we can't remember passwords because we are actively encouraged to ignore them. Passwords are fine; how and when we use them is not.