[swiftcoder]

> Passwords are entered in plain text into fields that you trust, but that also means that passwords can be stolen

The only difference here is that you are hashing the password in your head, instead of trusting the client to hash it for you before submitting it to the server.

Which makes the threat model here what, exactly? Keyloggers, or login pages that use outdated/insecure methods to authenticate with the server?

[ulrikrasmussen]

Yes, but also plain guessing since passwords are usually chosen by the user and not generated by the server like TOTP secrets. Also phishing attacks tricking users into entering their passwords in fake login pages, and stolen password databases.

[swiftcoder]

> Yes, but also plain guessing since passwords are usually chosen by the user and not generated by the server like TOTP secrets.

If we were talking a >256-bit secret, I'd buy this, but in the human-calculated case I don't see how it actually helps with this, because you've substituted a ~8 character password for a 6 digit number, which is significantly less search space to brute-force.

> Also phishing attacks tricking users into entering their passwords in fake login pages

yes, this is more-or-less a subset of the "keylogger/insecure login page" case

> and stolen password databases

There's still a server-side TOTP secret database to be stolen, no? And normally that would be hard to reverse-engineer the actual secret from, but again, you've shrunk the search space down to 1,000,000 entries, which is trivial to brute force.