Passwords are terrible. They're Human Memorable Shared Secrets, it's "What if somebody who doesn't know the first thing about cryptography tried to invent secure authentication?" and should have died out last century yet here we are.
We have known for decades how to do better than that. The fact that at least twice a month (often much more) I read an HN comment saying passwords are great is like discovering most of your friends don't know about germ theory still. I feel so fucking tired.
With a Shared Secret system the person authenticating you can give away the fucking secret and we already know we live in a society where they will blame you and act as though there's nothing they should have done better - that's what "Identity theft" is - blaming other people for the fact you didn't do your job properly.
When you use Human Memorable secrets the humans try to remember them, which means they're usually very low quality, dog's name, favourite band, that sort of thing. Worse, since humans can't remember many things they usually choose only a few and re-use them, so now they're not only a Shared Secret they're also Reused which is even worse.
So then we end up with a whole pile of kludges to try to use "passwords" which aren't really memorable, losing most of the benefits yet still retaining most of the disadvantages. This is an awful situation to be in, it's taken a considerable amount of laziness and incompetence to achieve it.
I dont care so much about passwords as I care about how annoying the current implementations are.
Passwords do have some benefits. They dont require a phone, it being charged, and fetching it 5 times to go through a couple services. They can be used from any machine.
Yes theyre not as secure, but as user Id prefer to be able to choose for myself whether I want to opt in for additional security. For most sites I dont even give a shit if my account gets hacked, and I have to go through a ton of annoyance everyday for no reason
"This terrible idea could actually be worse" is about the level I've come to expect. Congratulations, passwords haven't managed to be worse in every way than every possible alternative, mostly, yet.
> Dont you hate that every service requires you to give them your identity?
I have Security Keys, which are entirely anonymous†, so actually I have much better security and do not "give them my identity" since I am, as I said, entirely anonymous.
In 1925 the understanding needed to do this did not exist. In 1975 the technology to implement it would have been prohibitive. In 2025 it's easily possible and indeed I use one every day - and yet here you are.
> Do you think HN for example would be better off if they decided everyone now has to do 2FA?
As so often it would depend on the implementation. I have absolutely no doubt that HN regulars would have strong opinions about what they should or should not use to achieve this.
† Obviously the choice to be named tialaramex everywhere is not "anonymous" - with a little effort you can even connect that to the name on legal paperwork, but on the other hand I also have accounts which aren't named tialaramex because they're intentionally not connected to this identity, and those use Security Keys too, by design it's not possible to connect the two.
I also hate this state of authentication on the web, but passwords have problems as mentioned in the other comment. API keys are also just another kind of passwords, so they aren't very good either. I think X.509 client authentication would be better, especially for connections that insist on using TLS.
(However, for some uses, signed messages which can be verified by anyone would be better, in case the message is intended to be public anyways; this is independent of the protocol.)