
Thanks. I learned something. Even if passwords are a weak form of security, they add an extra layer that would make it much more difficult for an attacker. They don’t have to be the only layer of security, and would still be good as an extra layer on top of hardware keys and/or OS keychains. Very interesting.



Yes. Also keep in mind that layers are not just preventive. There are also detection layers. You can frustrate threat actors by reacting to their attempts to get past the password or some other layer by collecting logs and alerts. A simple example would be setting up ssh on your VPS with password AND public key auth, and then setting up fail2ban. Of course it is very hard to bypass public key auth, but even if you accidentally post your private key to GitHub or have your personal device hacked, that is still one layer of defense to slow them down.

If threat actors spend sufficient resources they will get past any security layer. There is no such thing as absolute security; good security creates the most hostile environment for threat actors by requiring them to commit the most resources without interfering with normal usability of the system.
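The detection layer described in the comment above (password plus public key, with fail2ban watching the auth log) can be sketched in a few lines. The following is an added example, not the commenter's code or fail2ban itself: it applies fail2ban's counting model (ban a source once it reaches `maxretry` failures inside a `findtime` window) to constructed sample log lines in the style of OpenSSH's "Failed password" messages. The log lines, hostnames and addresses are made up for the example; in OpenSSH the "both factors" part of the setup is the `AuthenticationMethods publickey,password` directive in `sshd_config`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of OpenSSH auth logging (ISO timestamps
# chosen for simplicity; the addresses are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:05 vps sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-03-01T10:00:09 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51244 ssh2
2024-03-01T10:00:12 vps sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
2024-03-01T10:00:30 vps sshd[1205]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:01:02 vps sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2024-03-01T10:30:00 vps sshd[1207]: Failed password for alice from 198.51.100.4 port 40010 ssh2
2024-03-01T10:30:05 vps sshd[1208]: Failed password for alice from 198.51.100.4 port 40011 ssh2
"""

# Matches only failed password attempts; successful logins are not counted.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source ip) for each failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def ips_to_ban(log_text, maxretry=3, findtime_s=600):
    """Return {ip: time the ban would trigger} using a sliding window.

    An IP is flagged the first time it accumulates `maxretry` failures
    within any `findtime_s`-second window, the counting model fail2ban uses.
    """
    findtime = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in banned:
            continue                # already flagged; further attempts are moot
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the window.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```

With the defaults, only 203.0.113.7 is flagged (three failures in eight seconds); alice's host has one stray failure at 10:00 and two more at 10:30, which never fall into one ten-minute window. Widening `findtime_s` to an hour makes her host trip the threshold too, which is the trade-off the window setting controls: a wider window catches slow guessing but also locks out legitimate users who mistype a few times over a morning.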


Using a password on a WebAuthn-protected account is the equivalent of putting a bathroom privacy lock on your steel front door. It's psychological coddling, nothing more.


No, it is not; comparing passwords, or really passphrases (which is what people should be using), to a bathroom privacy lock is silly. For threat actors, difficulty is not relative like that.

It's more like you have an actual normal door with alarms at a bank. Then a door to the vault area with similar alarms. Then the actual vault.

In your ideal world, everyone should be able to just walk up to the vault because it is so amazing on its own.



