by getting popped I mean that the provider somehow exposes/leaks information to an attacker.
A unique password limits the damage to a single provider, but passwords do still rely on good security practices like safe resets, rate limiting, encryption, salting etc etc
I say this as both someone who maintains auth for an app, but also a user. The organisational risk of passwords feels too high imo so I’m quite interested in leaving passwords behind!