That's amusing but... those same users are likely to be just altering their passwords a little, like "passwd1", "passwd2", etc. You aren't gaining anything.
I'm sure they are, but I think predictability is slightly less bad than being distributed across every single service they've ever used. There's only so much I can do about people not giving a crap.
I don't see how TOTP/2FA can avoid the problem of user password re-use. The password has still been reused, whether an extra layer of authentication is used or not.
Maybe you can say that it mitigates it, but I don't think it avoids it at all.
The sum of the authentication credentials passed to the application is different for each site. With 2FA you submit password + token. So an attacker who is replaying compromised credentials can't gain unauthorised access with them alone.
There are two slightly overlapping ways to actually solve this problem: 1. Use a password manager. 2. Have the tools, knowledge, capability, and willingness to use secure passphrases.
One other way. Websites could hash and salt the user's password client side, then proceed as usual (SSL and hash it server side). That means the user's password is effectively a long, secure passphrase and is unique. What do you think?
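As an added illustration of the client-side scheme proposed in the comment above (example code, not from anyone in this thread), assuming the client salts with the site's domain and the server still hashes whatever it receives with its own random salt:

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed example. The client stretches the master password with the
# site's domain as the salt, so the value that actually reaches each server
# is unique even when the human-chosen password is reused everywhere.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_derive(master_password: str, site_domain: str) -> str:
    """Client side: derive a per-site secret from master password + domain.
    This hex string is what gets submitted over TLS as 'the password'."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), site_domain.lower().encode(), CLIENT_ITERATIONS
    )
    return digest.hex()


def server_store(submitted_password: str) -> Tuple[bytes, bytes]:
    """Server side: treat the submitted value as an ordinary password and
    hash it with a fresh random salt ('proceed as usual')."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, SERVER_ITERATIONS)
    return salt, stored


def server_verify(submitted_password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def replay_across_sites(master_password: str, site_a: str, site_b: str) -> bool:
    """Model the reuse problem from the thread: the value a user submitted to
    site_a leaks and is replayed verbatim at site_b. True only if it would log in."""
    leaked_from_a = client_derive(master_password, site_a)
    salt_b, stored_b = server_store(client_derive(master_password, site_b))
    return server_verify(leaked_from_a, salt_b, stored_b)
```

The derivation is deterministic, so anyone who learns the master password and the scheme can reproduce every site's value; it removes cross-site replay of a leaked submission, not the need for a strong master password.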