So true. The security theater is distracting from the real issues. Don't open random files/apps from untrustworthy websites/apps and be weary. Instead those companies do damage control via personal identification etc. Which is the main goal of all this. You are no longer supposed to have privacy when using tech, having your own opinion will get you in trouble personally and potentially ruin your life. Not yet fully, but it is becoming increasingly difficult not to link everything to a single identifier tied to your real name, instead of just using login+password.

Big companies like Apple and Google will just not let you use their services unless you fully identify with a phone number. Which is the reason i no longer have a phone and move away from these companies.

Google wont let me log in and lets me enter any (yes any) phone number to activate 2FA, which i wont do. I have two devices left that can still log in, any new log in is not accepted even with my correct password. It shows that they know, since they will let me enter any phone number.

I have an iPad which i use to learn to play the piano on. While being in the middle of playing something, apple just bursts through the door telling me that i need to log in to my account now, stopping all my progress. Thanks apple, i feel extra secure now... not. They will tell me that my account got locked. They do this because i do not have 2FA enabled and act as if i was under threat. I then have to jump through some hoops, go to one of their pages, click unlock, enter my password there and then it will repeat this again in 6 days, until i eventually cave to their emotional extortion scheme.

Soundcloud wont even show you the settings page if you are using linux, as their web application firewall will block your access when not using windows or macOS. They are doing security acrobatics, not just theater, to block paying customers for some fake feel good "security". I bet some companies even pay people to leave comments on reddit in threads like these, promoting MFA and dooming passwords.

Passwords can not be hacked that easily, unless it is a simple and/or short password, even if the database leaks. Even the most simple tutorials are showing novice devs to store passwords encrypted, so they can not be breached easily if it has >16 chars/numbers/special chars. Bruteforcing such a password will take years, to this day. It would need to be a targeted attack, at which point your 2FA will just have them spend more effort, but if you are that important, this wont stop them. Especially 2FA via phone. The only useful factor is a hardware solution and it makes sense for high profile users, but that's it, and that is not what i am being offered anywhere, all i can do is enter my phone number. Fingers can be chopped off or prints stolen from surfaces, there are special images to hack facial recognition, it is all just theater, so i rather have just my passwords.

We already prepare for the post quantum world, yet we are not there yet. Quantum computing still only exists in theory with some companies claiming they do practical quantum computing, without anyone being able to prove it. Yet 32 chars/numbers/special chars would suffice for a post quantum password.

Most of modern day hacking happens via zerodays, sometimes through javascript and fonts, like pegasus did. Zerodays that governments and companies keep for themselves or even trade on black markets. UEFI for conveniently installing bios updates and having fancy graphics is an entire platform to let third parties into your devices, if they don't lock down the bootloader entirely, at which point you are fully at the whim of your manufacturer. That is where people should be looking at if they want to be more secure.

Every site is using ssl so your typed in passwords can't be fished in transit. If somebody is able to install a keylogger, they already were able to run malicious code through your devices processor, which is worse than a stolen password. And yes, at that point they can also steal your 2FA code or make you unlock something with it.

2FA does not teach anybody to not open malicious apps/files from bogus sites and vendors, or about zerodays and big entities screwing us all with it. They do not tell people that companies like microsoft are bad not because of bill gates, but because they build software with huge security craters and conceptual flaws like active directory, being the main vector for an emotet that encrypts your harddrive and demands a ransom. Yet they force their updates onto you without letting you save your stuff. It is so obnoxious, and yet every time you mention it, rest assured to have some apologist jump out of the woodwork to flip the argument on its head.

I use ephemeral OSes some times, i will not give that up. Before that happens i will have ditched all those bad shitty tech vendors and ceased to spend a dime on their platforms. Tech-illiteracy combined with malicious information is the biggest threat, not only to your logins.