Hacker News

andoando, yesterday at 5:22 PM

Can we just go back to having passwords please. I hate this state of authentication on the web.


Replies

tialaramex, yesterday at 6:57 PM

Passwords are terrible. They're Human Memorable Shared Secrets; it's "What if somebody who doesn't know the first thing about cryptography tried to invent secure authentication?" and should have died out last century, yet here we are.

We have known for decades how to do better than that. The fact that at least twice a month (often much more) I read an HN comment saying passwords are great is like discovering most of your friends don't know about germ theory still. I feel so fucking tired.

With a Shared Secret system the person authenticating you can give away the fucking secret and we already know we live in a society where they will blame you and act as though there's nothing they should have done better - that's what "Identity theft" is - blaming other people for the fact you didn't do your job properly.

When you use Human Memorable secrets the humans try to remember them, which means they're usually very low quality, dog's name, favourite band, that sort of thing. Worse, since humans can't remember many things they usually choose only a few and re-use them, so now they're not only a Shared Secret they're also Reused which is even worse.

So then we end up with a whole pile of kludges to try to use "passwords" which aren't really memorable, losing most of the benefits yet still retaining most of the disadvantages. This is an awful situation to be in; it's taken a considerable amount of laziness and incompetence to achieve it.

zzo38computer, yesterday at 7:35 PM

I also hate this state of authentication on the web, but passwords have problems as mentioned in the other comment. API keys are also just another kind of passwords, so they aren't very good either. I think X.509 client authentication would be better, especially for connections that insist on using TLS.

(However, for some uses, signed messages which can be verified by anyone would be better, in case the message is intended to be public anyways; this is independent of the protocol.)
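The two comments above make one contrast: a shared secret (password or API key) has to be handed to the relying party in full on every login, so whatever one site received is enough to log in anywhere the secret was reused, whereas with key-based authentication (what X.509 client auth and signed challenges rest on) the site stores only a public key and sees only a signature over a challenge it chose itself. The following Go program is an added example that is not from either commenter; the site names, the password "fido1998" and the plain SHA-256 verifier are constructed for illustration (a real password store would use a slow salted hash), and the `secretSite`/`keySite` types are hypothetical stand-ins for two relying parties.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ---- Shared-secret login (passwords, API keys) ----
// The relying party can only check the secret by receiving it, so every
// login hands the whole secret to the site.

type secretSite struct {
	name     string
	verifier [32]byte // hash of the secret stored at enrollment (illustrative; real systems use a slow salted hash)
	received string   // the last secret this site received; a breached or dishonest site holds exactly this
}

func newSecretSite(name, secret string) *secretSite {
	return &secretSite{name: name, verifier: sha256.Sum256([]byte(secret))}
}

// Login accepts the raw secret and compares its hash with the stored verifier.
func (s *secretSite) Login(secret string) bool {
	s.received = secret
	h := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(h[:], s.verifier[:]) == 1
}

// ---- Signature login (the basis of X.509 client auth and signed challenges) ----
// The relying party stores only a public key and sees only a signature over a
// challenge it chose itself; the private key never leaves the user.

type keySite struct {
	name     string
	pub      ed25519.PublicKey
	received []byte // the last signature this site received
}

func newKeySite(name string, pub ed25519.PublicKey) *keySite {
	return &keySite{name: name, pub: pub}
}

// Challenge issues a fresh nonce bound to this site's name, so a signature
// over it is meaningful nowhere else.
func (s *keySite) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(s.name+"\x00"), nonce...), nil
}

// Verify checks that sig is a valid signature over challenge by the enrolled key.
func (s *keySite) Verify(challenge, sig []byte) bool {
	s.received = append([]byte(nil), sig...)
	return ed25519.Verify(s.pub, challenge, sig)
}

// ReusedSecretWorksElsewhere shows the reuse problem: once site A has received
// the password, what A holds is sufficient to log in at site B.
func ReusedSecretWorksElsewhere() bool {
	const password = "fido1998" // constructed example of a human-memorable, reused secret
	siteA := newSecretSite("a.example", password)
	siteB := newSecretSite("b.example", password)
	if !siteA.Login(password) {
		return false
	}
	return siteB.Login(siteA.received) // true: what A received is accepted at B
}

// SignatureStaysWithItsSite shows the contrast: what site A received does not
// satisfy site B, because B's challenge differs and the private key was never shared.
func SignatureStaysWithItsSite() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	siteA := newKeySite("a.example", pub)
	siteB := newKeySite("b.example", pub)

	chA, err := siteA.Challenge()
	if err != nil {
		return false, err
	}
	if !siteA.Verify(chA, ed25519.Sign(priv, chA)) {
		return false, fmt.Errorf("legitimate login at A failed")
	}
	chB, err := siteB.Challenge()
	if err != nil {
		return false, err
	}
	// Presenting A's stored signature against B's own challenge is rejected.
	return !siteB.Verify(chB, siteA.received), nil
}

func main() {
	fmt.Println("reused password accepted at second site:", ReusedSecretWorksElsewhere())
	ok, err := SignatureStaysWithItsSite()
	fmt.Println("stored signature rejected at second site:", ok, err)
}
```

The design point is where the secret lives: in the first scheme the verifier and the credential are the same string from the site's point of view, so the site is a custodian of the user's secret for every other site it was reused at; in the second the site holds nothing that lets it, or whoever breaches it, authenticate as the user anywhere, and binding the challenge to the site name is what stops a signature collected by one relying party from being presented to another.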