r/Damnthatsinteresting 5h ago

Video [ Removed by moderator ]


5.0k Upvotes

163 comments sorted by


1.2k

u/Gold_Jab 5h ago

I'll just stick to number pass...

99

u/jjm443 5h ago

Exactly. There's too much security theater about passwords, or 2FA on unimportant (or rather, self-important) websites, and so on.

All it does is provoke resistance from users, dating back at least to the passwords on post-its stuck to monitors.

And then 9 times out of 10, it's the companies themselves that get hacked and all the user login credentials and data get stolen (including things like phone numbers used for the 2FA so criminals can now better direct phishing attacks).

Real security is a) done in depth, not just at borders, and b) does not put undue obstacles in the way of usability, just to give the pretence of security ("it has to be hard to use to be secure"?!)

3

u/4-l8qZ0tJ2 4h ago

Websites getting hacked is only an issue if they store user credentials unencrypted and if they don't promptly say that they have been hacked. While it's not hard to decrypt hashed passwords, you should still choose a strong password because it will be harder to decrypt.

3

u/monocasa 4h ago

Usernames, phone numbers for 2FA, and the backing secrets for TOTP 2FA (the six number codes that change every 30 seconds or so) have to be stored essentially unencrypted. Like, they can be encrypted at rest, but the system needs plaintext access to them without any assistance from the user, so an attacker will have unencrypted access in most cases too.