never change
Nah, that’s not a problem.
So, if you send a password at some point, someone could theoretically intercept and get the password, and then impersonate you.
PGP keys are public-private. The key never leaves your possession. Instead, the other side asks you to cryptographically sign something using your private key, which they can validate using your public key.
You never expose your private key to any intermediary, and even the other side doesn’t have it.
TOTPs have a shared secret, and generate a temporary passphrase using both time and the secret. Those also protect (mostly) against interception, since the OTP becomes invalid within probably seconds. Just as with PGP keys, the secret does not change. However, unlike PGP, the other side does also have all the information required to authenticate as you.
Xanza@lemm.ee 2 days ago
PGP keys gain trust the longer they’re used. But the likely-hood that they’ve been compromised also increases with time. I wouldn’t say they get “less secure” with time. Also, you can very easily create a new identity under the same PGP key, and revoke a previous identity. Additionally, you can certify other’s keys by signing it with your own, increasing the WOT (web of trust) with the key–asserting that the key does in fact belong to the correct person.
The keys are a bit more dynamic than you’re giving them credit for.
There’s also F/OSS which has been designed to alieviate some of the usability issues with PGP keys, mainly Keybase.