The real mistake is that we are still using simple password authentication instead of challenge-response or public key authentication.