To prove that I have a secret key, I encrypt something of your choosing, and you decrypt it with a public key. This is enough proof, and private parts remain unexposed.
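The proof described above, as an added example that is not part of the original comment. It uses an Ed25519 signature over a random challenge in place of "encrypt with the private key"; the `auth-demo-v1:` label and the names `Verifier`, `Respond` and `Demo` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const label = "auth-demo-v1:" // constructed domain-separation prefix (assumption)

// Verifier knows only the public key and tracks challenges it has issued.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// Challenge returns a fresh random value of the verifier's choosing.
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	v.pending[string(c)] = true
	return c
}

// Check accepts each challenge once, so a captured response cannot be replayed.
func (v *Verifier) Check(c, sig []byte) bool {
	if !v.pending[string(c)] {
		return false
	}
	delete(v.pending, string(c))
	return ed25519.Verify(v.pub, append([]byte(label), c...), sig)
}

// Respond is the prover's side; the private key is used only to sign.
func Respond(priv ed25519.PrivateKey, c []byte) []byte {
	return ed25519.Sign(priv, append([]byte(label), c...))
}

// Demo runs an honest proof, a replay of it, and a proof made with another key.
func Demo() (honest, replay, impostor bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{pub: pub, pending: map[string]bool{}}
	c, c2 := v.Challenge(), v.Challenge()
	sig := Respond(priv, c)
	return v.Check(c, sig), v.Check(c, sig), v.Check(c2, Respond(other, c2))
}
func main() { fmt.Println(Demo()) }
```

The prefix keeps the prover from signing raw bytes chosen by the verifier, so a response here cannot double as a signature over some other message made with the same key.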
That's funny and I agree that _some_ people are bad at using passwords, but I have a feeling whatever replaces them will be worse for everyone. It's like some people cut their fingers with knives so let's all use plastic knives instead.
I don't know anyone personally who is good at using passwords, myself included.
Often I get shocked to find highly tech savvy people taking crazy risks.
But even the most careful people I know occasionally reuse passwords or pick easy-to-guess ones out of convenience. Most of the time it is a calculated risk, but the problem is it is hard to tell when you accidentally create a chain of weaknesses that can be leveraged into something more substantial.
As a standalone method of authentication, insecure in more ways than I can list.
I didn't think this was controversial or obscure. Authentication on my work laptop is fingerprint + 2FA, then password and 2FA for VPN. Access to most other resources at that point is certificate driven.
I wish my bank would use certificates, for instance. I absolutely get the human (ultimately cost) factors involved, but my bank is one of the few entities with which I would go through the hassle of in-person key setup/renewal.
There was an old post by Bruce Schneier where he suggested people write down passwords on a piece of paper and keep them securely. This is something people have already been doing for centuries with wallets, keys, etc.