The existence of a password constitutes an insecure one. Brute force methods have been pretty easy for a while now if one has the hashed/secured copy, and continue to grow in power as GPUs and other tech continues to advance. And with flaws like Meltdown and Spectre leaking the clear text password possibly via Javascript, and, yeah...

The world needs to really move on beyond passwords as any form of security. The one work environment that was all X.509 certificate based, even for SSH, was pretty nice. I'm just glad I wasn't the security person setting it up though