
This might be one of the worst things I've read this week. Tokens shouldn't have anything to do with your login and giving out login is so much worse.


The post doesn't say you should give out your login. It says you should encrypt your access tokens and explains some security implications of current implementations that use them, like how they often give too broad permissions. When you change your password, you often need to reauth all of your devices, but you don't need to reauth your access tokens.


Why would I want the access tokens to be revoked if I change my password? Unless I revoke the token, it should be valid.
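The two comments above describe a lifecycle split that is easy to state but worth seeing in code: interactive sessions are tied to the password and die when it changes, while access tokens carry their own explicit scopes and stay valid until the user revokes them. The following is an added example written for this thread, not code from the post or from any commenter; the store names (`AuthStore`, `TokenRecord`, the `credential_version` counter, the `repo:read`/`repo:write` scope strings) are all constructed for illustration. Where the second comment mentions encrypting stored tokens, this example instead stores a keyed hash of each token so the server never holds the plaintext; that is a swapped-in design choice, not what the post prescribes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder; a real deployment loads this from a secrets manager.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def token_digest(token: str) -> str:
    """Keyed hash of a token: the store keeps this, never the plaintext token."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


@dataclass
class TokenRecord:
    user: str
    scopes: frozenset          # least privilege: each token lists what it may do
    revoked: bool = False      # only an explicit revoke flips this


@dataclass
class User:
    name: str
    credential_version: int = 1                   # bumped on every password change
    sessions: dict = field(default_factory=dict)  # session_id -> version at login


class AuthStore:
    def __init__(self):
        self.users = {}    # name -> User
        self.tokens = {}   # token digest -> TokenRecord

    def add_user(self, name: str) -> None:
        self.users[name] = User(name)

    # --- interactive sessions: bound to the password -----------------------
    def login(self, name: str) -> str:
        user = self.users[name]
        session_id = secrets.token_urlsafe(16)
        user.sessions[session_id] = user.credential_version
        return session_id

    def session_valid(self, name: str, session_id: str) -> bool:
        # A session issued under an older credential version is dead.
        user = self.users[name]
        return user.sessions.get(session_id) == user.credential_version

    def change_password(self, name: str) -> None:
        # Password hashing itself is omitted; only the lifecycle effect is shown.
        self.users[name].credential_version += 1

    # --- access tokens: independent of the password ------------------------
    def issue_token(self, name: str, scopes) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token_digest(token)] = TokenRecord(name, frozenset(scopes))
        return token  # shown to the user exactly once

    def revoke_token(self, token: str) -> None:
        record = self.tokens.get(token_digest(token))
        if record is not None:
            record.revoked = True

    def authorize(self, token: str, required_scope: str):
        """Return the owning user name if the token is live and holds the scope."""
        record = self.tokens.get(token_digest(token))
        if record is None or record.revoked:
            return None
        if required_scope not in record.scopes:
            return None
        return record.user


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice")
    session = store.login("alice")
    token = store.issue_token("alice", {"repo:read"})
    store.change_password("alice")
    print("session after password change:", store.session_valid("alice", session))
    print("token after password change:", store.authorize(token, "repo:read"))
    store.revoke_token(token)
    print("token after revoke:", store.authorize(token, "repo:read"))
```

Running the block prints `False`, `alice`, and `None` in that order: the password change invalidates the session, leaves the scoped token usable, and only the explicit revoke ends it. The scope check on `authorize` is the piece that addresses the "too broad permissions" point, since a token issued with `repo:read` cannot be used for anything else.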



