depperm/depperm.github.io

Alternative Security Options

Cybersecurity often puts complexity over usability, and because there are not many good alternatives available, the security measures already in place sometimes become stagnant.

Demo

https://depperm.github.io/

What

A variety of security alternatives beyond what is currently available. Included are a few examples I've made up:

  • Web TOTP: time-based one-time passwords (TOTP) without the device/app download
  • Markov Diceware: combining Markov chains and diceware to increase randomness

Why

We as humanity have been reduced to using dumb password rules which increase complexity and decrease usability, or rules that enforce changing one's password after an arbitrary period of time. Rules such as these are more of a security theater, making us feel safe but at the cost of remembering confusing passwords. I believe there are better options. Even if none of these ideas ever gain traction, there are other options out there that would improve the usability of passwords, like:

  • zxcvbn: a better password strength checker that doesn't enforce dumb rules by default; in its author's words, "almost all estimators of password strength are utter nonsense" (source)
  • Android's 3x3 dot pattern password (the initial version has 389,112 possibilities, but the grid could be expanded, dots could be allowed to be revisited, the maximum length could be removed, etc. to increase randomness)
  • Microsoft's picture password (like passwords, though, they can be easy to guess; Microsoft published an article on how to increase their security)
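The 389,112 figure for the Android pattern can be reproduced by counting, and the same counter shows what expanding the grid buys. This is an added example, not code from this repository: it implements the stock Android rules (each dot used at most once, a straight-line move may only pass over a dot that has already been used, lengths 4 to 9) on a general `size` x `size` grid, so `count_patterns()` gives the page's number for 3x3 and the same function answers the "grid could be expanded" case; the entropy helper is my addition.

```python
from functools import lru_cache
from math import gcd, log2


def count_patterns(size: int = 3, min_len: int = 4, max_len: int = 9) -> int:
    """Count valid unlock patterns on a size x size grid of dots under Android's rules:
    each dot at most once; a move may cross a dot only if that dot is already used
    (so 1->3 needs 2 first, while the knight-like 1->6 crosses nothing); length
    between min_len and max_len inclusive."""
    cells = tuple((r, c) for r in range(size) for c in range(size))

    def crossed(a, b):
        # Dots strictly between a and b on the straight line joining them.
        # gcd(|dr|, |dc|) - 1 such dots exist; this generalises the 3x3 skip table.
        (r1, c1), (r2, c2) = a, b
        dr, dc = r2 - r1, c2 - c1
        d = gcd(abs(dr), abs(dc))
        return [(r1 + k * dr // d, c1 + k * dc // d) for k in range(1, d)]

    @lru_cache(maxsize=None)
    def completions(last, visited):
        # Valid patterns extending the prefix `visited` (a frozenset) that ends at `last`,
        # counting the prefix itself once it is long enough. Memoised on (last, visited):
        # at most size^2 * 2^(size^2) states, so 3x3 is instant.
        total = 1 if len(visited) >= min_len else 0
        if len(visited) == max_len:
            return total
        for cell in cells:
            if cell in visited:
                continue
            if all(mid in visited for mid in crossed(last, cell)):
                total += completions(cell, visited | {cell})
        return total

    return sum(completions(start, frozenset({start})) for start in cells)


def pattern_entropy_bits(size: int = 3, min_len: int = 4, max_len: int = 9) -> float:
    """log2 of the pattern count: the bits an attacker must guess if users picked uniformly
    (they do not, so this is an upper bound on real-world strength)."""
    return log2(count_patterns(size, min_len, max_len))


if __name__ == "__main__":
    print("3x3, lengths 4-9:", count_patterns())                     # 389112
    print("entropy bits:", round(pattern_entropy_bits(), 2))          # about 18.57
```

Even the full 3x3 space is under 19 bits, which is why smudge attacks and popular-pattern lists work so well against it; the count is the ceiling, not what users actually choose.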

Password Security References

  • NIST: National Institute of Standards and Technology (US)
    • password minimum length 8+
    • block/reject compromised/common/sequential passwords (see zxcvbn above or haveibeenpwned)
    • ALL characters allowed
  • NCSC: National Cyber Security Centre (UK)
    • encourage password manager use (generated passwords can be super complex)
    • encourage memorable passwords (3 words (diceware, see above) or CVC-CVC-CVC format)
    • don't enforce complexity
    • block/reject compromised/common passwords (same as above)
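The NIST and NCSC points above translate into a short acceptance check. This is an added example, not code from this repository or from either agency: minimum length 8, every character allowed (spaces and Unicode included), no composition rules, and rejection of compromised or sequential passwords. The breach corpus is a constructed sample, and the prefix index imitates the k-anonymity range lookup haveibeenpwned offers (the client hashes locally and only ever reveals the first 5 hex characters), so the check works offline here.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed stand-in for a breach corpus; a real check would query a breach service.
BREACHED_SAMPLE = ["password", "123456", "qwerty", "letmein", "iloveyou", "Summer2019"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached hashes by 5-hex-char prefix, mirroring a k-anonymity range API:
    the lookup key is the prefix, the suffixes come back, and matching happens locally."""
    index: Dict[str, Set[str]] = {}
    for pw in breached:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_compromised(password: str, index: Dict[str, Set[str]]) -> bool:
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())   # only h[:5] would ever leave the client


def has_sequential_run(password: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters are strictly ascending, strictly
    descending or identical (e.g. 'abcd', '4321', 'aaaa')."""
    codes = [ord(ch) for ch in password]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password: str, index: Dict[str, Set[str]], min_len: int = 8) -> List[str]:
    """Return the reasons to reject `password`; an empty list means it is acceptable.
    Deliberately absent: character-class rules, a maximum length, forced rotation."""
    reasons: List[str] = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_compromised(password, index):
        reasons.append("appears in breach corpus")
    if has_sequential_run(password):
        reasons.append("contains a sequential or repeated run")
    return reasons


if __name__ == "__main__":
    index = build_range_index(BREACHED_SAMPLE)
    for candidate in ["password", "abcd1234", "short1!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, index) or "ok")
```

Note that the multi-word passphrase passes untouched: it is long, has no run, and is not in the corpus, which is exactly the NCSC "three memorable words" outcome the rules above are meant to permit.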