Jakob But still, if someone were to gain access to my email account, they now only have to guess 6 numerical digits. I would like the option to make them guess 40 random digits. A lot less likely to guess right before hitting rate limits.
And let’s assume, for the sake of argument, that the rate limit implementation or something else in the software backend has a bug giving an attacker unlimited tries. If the password check still works, guessing 40 random characters makes it a LOT harder to gain access to an account. I understand that people lose access to passwords, but I would like to at least have the option.