"I guess the point I'm trying to make here is that the problem with passwords is password hygiene, not with the method itself" Clearly this guy has never had his password sniffed before, or even heard about it. It's always painful to see someone who doesn't understand something talking about it, and worse, badmouthing it. And, "Notice that all of these problems are solved by fairly simple password hygiene" Clearly this guy has never heard about the various fiascos of various password manager software. ===== Passkeys don't need you to be connected to the internet. Google Auth doesn't either. Actually, a weak password is fine when you have 2FA.
I have some accounts with weak passwords, some of which are already in haveibeenpwned, but there has been no problem for years because they have 2FA as well. A password alone, without 2FA, is okay as long as you can ensure no malware/keylogger enters your system.
Which is a risk. Forcing your users to change their password routinely is bad policy; it motivates your users to use weak passwords and/or store them insecurely, and leads to other unexpected behaviours. SMS 2FA sucks because it can be intercepted and/or snooped - no, this is not just a theory, this happens rather routinely in my country. Etc etc