this post was submitted on 16 Oct 2024
219 points (86.1% liked)

Technology

58713 readers
3969 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
219
Passwords have problems, but passkeys have more (world.hey.com)
submitted 1 day ago by exu@feditown.com to c/technology@lemmy.world
161 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] ikidd@lemmy.world 26 points 1 day ago (4 children)

Just. Use. A. Fucking. Password. Manager.

It isn't hard. People act like getting users to remember one password isn't how it's done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message, it's even better since they can use a Yubikey very easily instead.

Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.

[–] EncryptKeeper@lemmy.world 17 points 1 day ago (1 children)

Yes, use a password manager to store your passkeys.

Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.

You say that and then

hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message

That’s literally a problem passkeys solve and password managers don’t lol

[–] ikidd@lemmy.world 6 points 23 hours ago (1 children)

I make the assumption people are using the password managers like they should, which is generating unique, complex passwords, which is kinda the point. Once you hit a certain number of characters on a random password, you might as well not try. And passkeys don't solve any sort of MFA problem, same as passwords.

And tell me something, do you realize how cunty you come off when you end a comment with "lol"?

[–] EncryptKeeper@lemmy.world 8 points 23 hours ago* (last edited 23 hours ago) (1 children)

And passkeys don't solve any sort of MFA problem

They do in fact solve this problem. Passkeys are something you have, and are secured by something you know, or something you are.

They also solve an age-old problem with passwords, which is that regardless of how complex your password is, it can be compromised in a breach. Because you have no say in how a company stores your password. And if that company doesn’t offer 2FA or only offers sms or email verification, then you’re even more at risk. This problem doesn’t exist with passkeys.

Edit: lol

[–] sugar_in_your_tea@sh.itjust.works 6 points 19 hours ago (1 children)

it can be compromised in a breach

Sure, and then that one password is compromised. Password managers make it trivial to use unique passwords for every service, so if a service is breached, you're basically as screwed with passwords as passkeys.

The switching cost here is high, and the security benefits are marginal in practice IMO. I'm not against passkeys, but it should be something password managers handle, and I don't have a strong preference between TOTP baked into your PW manager and passkeys.

[–] EncryptKeeper@lemmy.world 4 points 18 hours ago* (last edited 18 hours ago) (1 children)

Sure, and then that one password is compromised.

Which means that entire service you used that password to login to is compromised. If you were using passkeys however, you would have nothing compromised.

so if a service is breached, you're basically as screwed with passwords as passkeys.

No… with a passkey you would be not screwed at all. You’d be entirely unaffected.

the security benefits are marginal in practice

I mean in your own example that’s a reduction of 100%. That’s kind of a huge difference.

[–] sugar_in_your_tea@sh.itjust.works 2 points 33 minutes ago

that entire service you used that password to login to is compromised

If the password is compromised, it means the service is compromised and the password isn't really protecting anything anymore. So to me, there's no functional difference between passwords and passkeys once a service is compromised, the data is already leaked. If I'm using proper MFA, there's no rush to reset my PW unless the service has a stupid "backdoor" that can just bypass MFA entirely, in which case passkeys wouldn't help either (attackers would just use the backdoor).

The main value of passkeys, AFAICT, is that they're immune to phishing attacks. Other than that, they're equivalent to TOTP + random password, so a password manager that supports both provides nearly equivalent security to a passkey (assuming the service follows standards like storing salted hashes). And honestly, if you use a solid form of TOTP (i.e. an app, not text or email), password security isn't nearly as critical since you can make up for it by improving the TOTP vault security.

I honestly haven't bothered setting up passkeys anywhere, because I don't see any real security benefit. If a service provides passkeys, it probably already supported decent MFA and random passwords. The services that should upgrade won't, because they've already shown they don't care about security by not providing decent MFA options.

In short:

  • passkeys > passwords
  • passkeys == random passwords + TOTP

The venn diagram of companies that support passkeys and companies that supported/support random passwords + TOTP is essentially a circle, with the former enclosed in the latter. So I don't really see any rush to "upgrade."

[–] KinglyWeevil@lemmy.dbzer0.com 1 points 13 hours ago

I have a sub to dashlane that came with ten additional subs and despite trying to literally give them away to family and friends and you'd think I was trying to pull teeth.

[–] johannesvanderwhales@lemmy.world 9 points 23 hours ago (1 children)

You're looking at this from the perspective of an educated end user. You're pretty secure already from some common attack vectors. You're also in the minority. Passkeys are largely about the health of the entire ecosystem. Not only do they protect against credentials being stolen, they also protect against phishing attacks because identity verification is built in. That is of huge value if you're administering a site. Yes if everyone used a password manager there would be less value, but only about a third of users do that. And as an admin you can't just say "well that guy got phished but it's his own fault for not using a password manager."

[–] ikidd@lemmy.world 3 points 23 hours ago (1 children)

Password managers have only really taken off in the last half-decade, so one-third is kind of to be expected. I know they've been around a long time, but major adoption has been recent.

Passkeys will take a while to get wide adoption as well, especially with syncing problems that we've seen.

[–] johannesvanderwhales@lemmy.world 5 points 23 hours ago

Password managers are never going to hit anywhere near 100% adoption rate. It requires knowledge on the part of the user and in many cases money. No grandma isn't going to roll her own with keepass. Most likely she'll never even know what a password manager is. And as long as those users are still out there, admins still have to deal with all the problems they bring.

Incidentally I looked and it's been over a decade since I started using my first password manager. They're not that new.

[–] Evotech@lemmy.world 1 points 23 hours ago

Password managers are too hard for the boomers