> Don’t worry, when they actually target you, you’ll be caught.
When they target me, which happens, it doesn't work because of WebAuthn.
Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them. It's the same philosophy as Rust itself, machines are really good at diligently performing a simple task, so don't leave those tasks to human vigilance, that is a foolish misallocation of resources.
So, firstly, this won't actually help them which is why they won't try it. GitHub is aware that passwords are crap and since I have a Security Key it will ask to see my Security Key, "But I know tialaramex's password" doesn't help you.
But also you presented no evidence they can somehow detect their problem and try to ask for the password even if it would help them.
When they target me, which happens, it doesn't work because of WebAuthn.
Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them. It's the same philosophy as Rust itself, machines are really good at diligently performing a simple task, so don't leave those tasks to human vigilance, that is a foolish misallocation of resources.