The latest episode of FA Security Theater showed once again the fundamental flaws with passwords.
tl;dr: send a token embedded in a URL by email, or the token by SMS, instead of requiring passwords. Medium is actually a good proof of concept for this. You can log in just by putting in your email address. They email a link, you click, and you're in. Email remains a weak link, but that was already the case. It'll matter less as more people adopt two-factor authentication for their email accounts.
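An added example (not code from this post or from Medium) of how a server could issue and redeem the emailed login link described above, with the token single-use, short-lived and stored only as a hash. `MagicLinkStore`, `BASE_URL` and the 15-minute `TOKEN_TTL` are assumptions for illustration, and actually sending the email is left out.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TOKEN_TTL = 15 * 60                      # assumed link lifetime, in seconds
BASE_URL = "https://example.test/login"  # placeholder login endpoint


def _digest(token):
    # Only the SHA-256 of the token is stored, so a leaked store
    # does not hand out working login links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """In-memory store of pending login links (hypothetical helper)."""

    def __init__(self, now=time.time):
        self._pending = {}  # token digest -> (email, expiry timestamp)
        self._now = now     # injectable clock, so expiry can be tested

    def issue(self, email):
        """Create a login link for `email`; the caller emails it to the user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (email.lower(), self._now() + TOKEN_TTL)
        return f"{BASE_URL}?{urlencode({'token': token})}"

    def redeem(self, url):
        """Return the email to log in as, or None if the link is not valid."""
        values = parse_qs(urlparse(url).query).get("token", [])
        if len(values) != 1:
            return None  # missing or duplicated token parameter
        # pop() removes the entry, so a replayed link fails the second time.
        entry = self._pending.pop(_digest(values[0]), None)
        if entry is None:
            return None  # unknown, forged or already used token
        email, expiry = entry
        return email if self._now() <= expiry else None


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.test")  # constructed sample address
    print("first click:", store.redeem(link))
    print("replayed click:", store.redeem(link))
```
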