[mantrax4]

The problem is that getting email or SMS and having to type that code in every time, then deleting that email/SMS, manually is less convenient that using a password manager.

You can have an "authentication email manager" just like password managers, but then what have we solved exactly? Nothing.

Except that emails, when used as mass-authentication device, will become an even more attractive target to hackers. In most cases accounts are exploited namely via their email password recovery, not via their password.

Email/SMS are an ok layer when used as a second factor, but on their own, they are less secure than a strong password. While logins are HTTPS, email is plain text, so is SMS.

Heartbleed is an exception. Dropping passwords over Heartbleed is precisely the same type of overreaction we had after 9/11 when suddenly flying became a nightmare (and still is).

The proper reaction here is: Heartbleed is fixed, and we better put some resources towards vetting and fixing OpenSSL so this doesn't happen again.

No need to build towers of nonsense that assume it'll be Heartbleed every week now for the next 20 years.

[DanBC]

Dropping passwords because of heartbleed is an over reaction. But passwords are hopessly outdated.

People need secure cryptographic hardware tokens (something they have) with a passphrase (something they know).

[mantrax4]

You're underestimating the work that's been done in secure password managers in the last few years.

Check the whitepaper Apple published regarding their iCloud Keychain mechanism.

It generates secure passwords, locks them with a passphrase, but also makes them available on all your devices, not just one (which, if it breaks, you're locked out of all your services).

Using hardware for tokens is secure and simple, but it shows a severe lack of imagination. I only see hardware tokens as useful for very high security logins, like bank accounts, where the apparent inconvenience is at least justified.