Why even let users set their own passwords?

The author reflects on the current state of passwords and the shift towards alternative methods of authentication such as two-factor authentication (2FA) and risk-based authentication. They question the purpose of passwords if additional steps are always required for login, and criticize the concept of “remember this device” as a fallacy. The author also mentions the trend of using API keys for authentication, highlighting the inconsistency in trusting them while distrusting passwords. They propose that passwords should be randomly generated like API keys and stored securely, eliminating the need for users to choose their own passwords. The author discusses TOTP (Time-based One-Time Password) as a form of “2FA” and raises concerns about its effectiveness. They argue that many supposed cases of 2FA are just variations of single-factor authentication. Overall, the author suggests reevaluating the use and handling of passwords in light of current security practices.
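The proposal summarized above (server-generated secrets handled like API keys, with only a salted hash stored) as an added example that is not the article's own code; the scrypt parameters and record layout are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed cost parameters for this example (not from the article).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def issue_credential(nbytes: int = 32) -> tuple[str, dict]:
    """Server picks the secret; the user never chooses it.

    Returns (secret, record). The secret is shown to the user once, like
    an API key; only `record` (salt + scrypt hash) is persisted, so a
    database leak does not expose the credential itself.
    """
    secret = secrets.token_urlsafe(nbytes)          # nbytes*8 bits of entropy
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return secret, {"salt": salt, "hash": digest}


def verify_credential(secret: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(secret.encode(), salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, record["hash"])


def entropy_bits(nbytes: int) -> int:
    """Entropy of a credential issued with `nbytes` random bytes."""
    return nbytes * 8


if __name__ == "__main__":
    secret, record = issue_credential()
    print("issued secret (show once):", secret)
    print("verify correct:", verify_credential(secret, record))
    print("verify wrong:  ", verify_credential("hunter2", record))
```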

Controversial information: The author critiques the use of risk-based authentication, challenges the concept of “remember this device,” and questions the effectiveness of TOTP as a true form of two-factor authentication.

Surprising content: The author reveals that only 5 digits of a credit card number are truly secret, according to PCI compliance standards. They also contemplate the irony
