Passkeys, yelling @ clouds, etc
Posted by SlowGoat79@reddit | Xennials | View on Reddit | 185 comments
You know what I don’t get? Passkeys.
For 20+ years we have been beaten over the head to make our passwords sksJd/$-6ksGwd!?/“ instead of “justinBeiber4ever”
And now my computer demands that I enter a 4-digit passkey to login. That’s it. 4 lousy digits and you’re in.
How is that any better than justinBeiber4ever?
scoff-law@reddit
I'm a software engineer that mostly works on security stuff, and I also don't like passkeys.
But I'll tell you this - those things you are supposed to do with passwords? Making them complex, changing them regularly and not reusing them? People don't do that. Or, more accurately - enough people don't do that stuff for it to be an impending global security crisis. Passkeys improve security for the least secure users. And that hardens security overall.
But to me it's just another case of something we need to change because of the lowest common human denominator.
CSWorldChamp@reddit
Ok, you’re a software engineer. So let me ask you this:
I have heard that the best passwords are actually passphrases. Is this true?
Like, if your password is
a1*Fb271!
That’s doing two things wrong: it’s highly difficult for a human to remember, and it’s incredibly easy for a computer to brute-force and crack. There are too few characters, which is too little entropy to fool a computer.
But if you eliminate all the stupid rules like “must include uppercase, lowercase, 2 numbers and a special character” and instead you use an all-lowercase passphrase like:
isurehopeyouenjoyalltheprettylittlehorses
Then you’re flipping the script. Incredibly easy for a human to remember. And the sheer length of it adds so many layers of entropy that the sun will burn out before a computer could crack it.
True?
CubicleHermit@reddit
"I sure hope you enjoy all the pretty little horses." is both more secure against a password cracker doing sequential characters, a little more natural, just as easy to remember, and probably a little easier to type.
That said, the unit of entropy there is a word, hackers know about those, and while there are something like 6000-8000 words in the English language, they don't all have the same probability and they fall into some predictable patterns.
Once enough people start using non-nonsense passphrases, if crackers aren't already doing so, it becomes pretty easy to just start testing those and combining them.
Especially for the popularity of certain subsets (e.g. how many old folks are going to do something like half of John 3:16 if they start using a passphrase at all?) - there's probably a list of the 1000 most common sentences that could be good passphrases that people should check against.
Here's what Google says:
(This also happens with predictable "1337" substitutions: "M1cro$0ft" is no better a password than "Microsoft" because all of the standard substitutions are incredibly well known.)
OTOH, a lot of security is not "you have to have a perfect fence" but just "your fence has to be enough better to dissuade them when someone much easier lives next door" and passphrases are certainly better than what a lot of people use.
kdawgud@reddit
This is why you have to randomly generate your passphrases. Then the entropy is roughly 6000^N where N is the number of words in your passphrase. You only need 5-7 words to have a really good phrase. It will be a nonsensical phrase, but still much easier to remember than random characters. Here is what the EFF has to say about it: https://www.eff.org/dice
domstersch@reddit
There are 3-4 orders of magnitude more words than that in English: 150k to a million depending on where you stop counting. And the passphrase scheme asks you to make sure your phrase is nonsense, not an existing phrase from anywhere, nor even a plausible/grammatical sentence.
Analyzing a poorly implemented passphrase scheme doesn't tell us much, just as analyzing consecutive number passwords doesn't tell us much.
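Added example (mine, not code posted by anyone in the thread): a Go program that does what kdawgud and domstersch describe, plus the check CubicleHermit suggests. It draws words with crypto/rand, reports log2(listSize^N) for several list sizes so the 6000-word, 7776-word (EFF) and 150k-word cases can be compared against the random-character examples earlier in the thread, and refuses anything that matches a list of well-known sentences once case, spaces and punctuation are stripped. Both lists in the code are small constructed stand-ins, not the real EFF list or a real common-phrase list.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed stand-in for a real word list such as the EFF's 7,776-word
// diceware list. Sixteen words give only 4 bits per word; the real list
// gives about 12.9, which is the whole point of the comparison in main.
var wordList = []string{
	"horse", "battery", "staple", "correct", "pretty", "little", "enjoy",
	"sure", "hope", "cactus", "planet", "marble", "saddle", "lantern",
	"velvet", "pumpkin",
}

// Constructed stand-in for the "1000 most common sentences" list suggested
// above: comic strips, lyrics, scripture, anything a cracker tries first.
var commonPhrases = []string{
	"correct horse battery staple",
	"i sure hope you enjoy all the pretty little horses",
	"for god so loved the world",
}

// normalize drops case, spaces and punctuation, so "Correct-Horse Battery_Staple"
// and "correcthorsebatterystaple" compare equal.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// GeneratePassphrase picks n words uniformly at random using the OS CSPRNG.
// math/rand would be reproducible from its seed and must not be used here.
func GeneratePassphrase(words []string, n int, sep string) (string, error) {
	if len(words) == 0 {
		return "", errors.New("empty word list")
	}
	bound := big.NewInt(int64(len(words)))
	picked := make([]string, n)
	for i := range picked {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		picked[i] = words[idx.Int64()]
	}
	return strings.Join(picked, sep), nil
}

// EntropyBits is log2(listSize^n): the bits of work a cracker who knows the
// list (they do) faces for n independently chosen words.
func EntropyBits(listSize, n int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

// IsKnownPhrase reports whether a candidate is a lookup-table hit regardless
// of spacing or capitalisation. Such a phrase has effectively zero entropy.
func IsKnownPhrase(candidate string) bool {
	c := normalize(candidate)
	for _, p := range commonPhrases {
		if normalize(p) == c {
			return true
		}
	}
	return false
}

func main() {
	p, err := GeneratePassphrase(wordList, 7, "-")
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s (%.1f bits from this %d-word toy list)\n",
		p, EntropyBits(len(wordList), 7), len(wordList))
	for _, size := range []int{6000, 7776, 150000} {
		fmt.Printf("7 random words from a %6d-word list: %5.1f bits\n", size, EntropyBits(size, 7))
	}
	fmt.Printf("9 random printable ASCII characters:     %5.1f bits\n", EntropyBits(95, 9))
	fmt.Printf("20 random lowercase letters:             %5.1f bits\n", EntropyBits(26, 20))
	for _, c := range []string{"Correct Horse Battery Staple", p} {
		fmt.Printf("known phrase? %-50q %v\n", c, IsKnownPhrase(c))
	}
}
```

Run it and the numbers line up with the thread: 7 words from a 6000-word list is about 88 bits, from the EFF list about 90, from a 150k-word list about 120; a 9-character password like a1*Fb271! drawn from the 95 printable ASCII characters is about 59 bits, and 20 random lowercase letters about 94. The toy 16-word list only yields 28 bits for 7 words, which is why the size of the list matters as much as the word count, and why a phrase that already exists in a lookup table scores zero no matter how long it is.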
CubicleHermit@reddit
OK, the 6000-8000 is the "core vocabulary," but most people are not going to include "antidisestablishmentarianism" as part of their dictionary. I was responding to the example given, and indeed, in the past, I've recommended exactly this to older family members as a way of getting memorable passwords: find a line from a book or song lyric.
It is still better than bieber4ever, but by a much smaller degree than it was years ago.
CSWorldChamp@reddit
I was not aware that spaces were a viable option when prompted to create a password. TIL.
So let me ask you this: could you throw a wrench in the works by combining techniques? Like, say you used the same pass phrase, with spaces, and also included (for instance) the 10-digit phone number of a childhood friend. How much would that “harden your defenses?” A computer looking for predictable word combinations would not be looking for that. And it would also increase the length, and therefore the time it would take to crack it character-by-character.
veglove@reddit
the passphrases generated by my password manager always have dashes between each word.
CubicleHermit@reddit
Spaces are usually an option. Not always, but I can confirm they're OK for the three biggest places people use their service login as a "master login" (Google, Apple, and Microsoft). Plus KeePassXC, and I think 1Password. I'd be surprised if any of the major password managers didn't allow it.
Something non-public like the 10 digit phone number of a childhood friend would likely harden it a fair bit, although as the state of the art of cracking this stuff gets better, it's not always obvious.
TotallyNotRobotEvil@reddit
It's better with spaces. "I sure hope you enjoy pretty horses" is incredibly secure. 20 random characters is fairly easy to crack, 7 random words with *spaces* is almost impossible to crack.
faderjockey@reddit
Not OP, but length trumps complexity in most cases.
https://xkcd.com/936/
worldcitizen101@reddit
+100
I wish everybody would learn to use a password manager.
Ossmo02@reddit
Do you have one to recommend?
Had to make a new password for a customer portal yesterday and I literally just mashed the keyboard a few times to meet their qualifications, but I'll never remember it, so it's typed in full next to my user name in a document currently. Also need the email & 2FA for this site so not terribly worried, but if it makes life easier, I should probably do it.
JHerbY2K@reddit
I’ve been using 1Password since the lastpass leak debacle. It’s great and fixes the lastpass issue - your password vault is encrypted by a key only you have. It’s copied to all your trusted devices and you can print it out and store in a safe or whatever. But 1Password doesn’t have it.
1Password will also manage passkeys and 1 time passwords.
veglove@reddit
I've used 1Password since the Heartbleed vulnerability in 2014(?), but when they switched to hosting the data on their server and charging a subscription fee instead of a flat price, I was done. You want me to store them somewhere I don't have control over and just trust you with them, AND you want me to pay more for that privilege? Nope.
Now using Bitwarden.
JHerbY2K@reddit
You aren’t just trusting them though - it’s still encrypted by your own key. They’re hosting a blob of encrypted data.
I understand bitwarden is also good, and cheaper.
veglove@reddit
Yeah a lot of my objection was the switch to subscription pricing. I don't have regular employment so I can't count on a consistent income to keep up a bunch of subscriptions, since many companies seem to be switching to a subscription model these days. I much prefer to pay set prices, or if it's a subscription, I would prefer something much cheaper if I'm not making a compromise in quality. Bitwarden is free; you have the option to pay for hosting but they even have a free tier for basic hosting services, and their prices are pretty reasonable.
You-Asked-Me@reddit
Oh...it's a product. I thought you were just here telling the world that the only password you ever use was "1Password." And I thought surely some sites require a special character. Anyway, I need some sleep.
JHerbY2K@reddit
Haha
wish-u-well@reddit
Mine is password1withacapitalpandonespelledout
chapmandan@reddit
Bitwarden is a good free option (I've used it in the past). 1Password is a good paid option (I'm using this right now).
LastPass is hot garbage - they've been hacked multiple times. Avoid.
faderjockey@reddit
I’m stuck on LastPass until I can convince my whole family to migrate. sigh……
Jobeadear@reddit
Yeah same, hard to switch, on a family plan with LastPass, it's convenient, also I like that they integrated the breach monitoring and it tells you if it's seen a password in a breach and tells you the pwd is insecure do not use, granted NordVPN also does breach monitoring and now has their own password keeper product too. Checked my wife's email acc via the Nord breach monitoring yesterday, her email was seen in 40 breaches now, no passwords that were in the breaches were currently in use, she has used generated passwords with LastPass on every site for like ten plus years now. So it at least helped confirm LastPass has been doing its job, but yeah with hundreds of passwords saved it's admittedly hard to migrate to another password keeper despite LastPass getting hacked previously, but a company getting hacked isn't always a bad thing, it's how they respond to it that is the key, because suddenly when execs realise that their password keeper with a bad rep is your core business model, there's going to be a whole lot of hardening going on, third party pentesters, 3rd party assurance, the works as far as security uplift goes. They are forced to do better or go extinct imo.
Just-Try-2533@reddit
Lastpass is absolute garbage. They had a major hack in 2022. I’d recommend getting off them now and go with a company that takes security seriously.
chapmandan@reddit
Migrating the data is pretty easy. You can do an export and then import it to the new one. Getting the rest of the family to adopt however is hard.
TinyGIR@reddit
I personally use Bitwarden. Good support, and you can either store your passwords securely on their systems (encrypted) or some other place of your choosing. Been using it for years now.
worldcitizen101@reddit
Yes, I use and recommend Bitwarden.
Kalel42@reddit
Also happy with Bitwarden.
IroesStrongarm@reddit
Another satisfied bitwarden user here as well. I self host mine but don't think most people need to do that
Lauuson@reddit
I second Bitwarden. You can also use it to generate passwords and passphrases. Just make sure you don't forget your master password.
Oubastet@reddit
Bitwarden and 1password are both good choices just make sure you use them correctly. The only password you need to remember is the one to unlock the vault and should be at least 16 characters. You can use a mnemonic to remember it and don't store it on the computer, ideally not anywhere other than in your head. Every other password you use should be randomly generated by the password manager and as long as permitted. 16 to 24 characters and all character types.
It doesn't matter because it will auto fill it for you. You can also store other details there like notes or recovery codes for things like steam and even use them for MFA. Just make sure to install the browser plugin.
I've used a dedicated browser independent password manager for 15 years and I only know four passwords. Two for my personal computer and vault and two for my work computer and vault. Don't make the vault password the same as your computer password.
Still use MFA where available.
Not only is this easier, it's vastly more secure.
nord1899@reddit
Bitwarden for personal use for over 6 years now and very happy with it. At work they push Lastpass but I hate the user experience for my workflow and prefer the simpler Keepass. Also Lastpass has had some security breaches so my trust in them is a bit less than other providers.
ProbablyInebriated@reddit
Keepass and keep your database local or on your Google Drive or something. This way you control your data.
Eric848448@reddit
If you use Apple their built-in one is pretty good.
Pooleh@reddit
Bitwarden!
mog_knight@reddit
I heard LastPass is pretty secure.
worldcitizen101@reddit
So yes, a lot of what they've done makes it secure. However, they've been acquired and had a number of breaches which has shaken confidence.
Current thoughts: https://www.reddit.com/r/best_passwordmanager/comments/1re867g/is_lastpass_still_worth_it_any_thoughts/
BeenisHat@reddit
My pandemic job used Solarwinds as its password manager.
lol oopsies!
snoopyh42@reddit
Humans will always be the greatest security risk.
itsjakerobb@reddit
That’s why passkeys help. They take the human out of the equation.
TollyVonTheDruth@reddit
I prefer MFA by phone with a backup recovery method.
Mediocre-Cobbler5744@reddit
I recently read someone claim that 99% of "hacking" stories in the news are actually cases of human error. Like someone left themselves logged in, told someone their password, etc.
I don't know if that's true or maybe exaggerated but it sounds plausible to me.
TifanAching@reddit
I have a book by Kevin Mitnick, notorious American hacker. He says the majority of the time hacking involved phoning up the place and pretending he was someone else to get them to divulge info. He'd then use that to call someone higher up and use what he'd learned to sound legit and so on until he got the critical info he needed to compromise a network.
TollyVonTheDruth@reddit
I remember him saying that the first time he tried social engineering by phone he had no hope of it working, but he quickly learned that people will give up some of the most sensitive data if you sound confident enough to make it seem important.
rearwindowpup@reddit
IT guy here, absolutely all of our "oh sh*t" security breaches were from users being tricked into providing access or otherwise being negligent, we've never had any sort of breach that didn't have a large social engineering vector.
TollyVonTheDruth@reddit
Yep. That and phishing emails will get them every time — even after being trained on what to look for. Just send them an email with "Here is your performance evaluation" in the subject line with an attached pdf, and they just can't resist opening it.
Stunning_Fox_7431@reddit
Or they do this
TollyVonTheDruth@reddit
I have actually seen that on multiple computers in a place where security should be paramount... a hospital. And we tried telling their managers about it, but it just fell on deaf ears.
wish-u-well@reddit
Bro has been immortalized as mr pw faux pas
botmanmd@reddit
This reminds me of the bit that a comedian did 25 years ago. He said all men have porn tapes. They have them hidden in a special secret place. It’s in the attic between the rafters wrapped in a rag, inside a box, inside a bag, hidden on top of some ductwork, where no one can see it and no one will find it. He said that their wives always find the porn. And how do they find it? Because the guy left it sitting in the VCR.
IndependentLove2292@reddit
That was Chris Rock. I can't remember if it was from Bring the Pain or Bigger and Blacker. It was for sure one of those HBO specials, though.
dudleymooresbooze@reddit
False it’s cats.
IndependentLove2292@reddit
Oh, no! He's in the mainframe.
mbleyle@reddit
conversely, the most secure system is the one no one can use.
snoopyh42@reddit
It’s a lot harder to hack an air gap.
rearwindowpup@reddit
The guy who invented the "complex" password apologized for it as machines don't care, it's more about password length, which is why many orgs have gone to passphrases with no special characters or anything.
mykidsliketoplaytagoutside is stronger than dhrGrk371!12bd and much easier to remember and enter.
You can also use a common password prepended by a descriptive word for all your different logins. For instance "ismypass!2026" would be a common phrase, for your bank you might use "moneyismypass!2026" and your email would be "messageismypass!2026". That way you only have to remember a single word for each site, but all your logins can have long, unique passwords.
apokrif1@reddit
No. If one of those passwords leak, the others can be guessed.
rearwindowpup@reddit
Yeah but that's not how hackers are going about things, it's almost never targeted at a single person. Primarily they will buy databases of leaked credentials and run a script to try those same credentials at other sites. They would need multiple versions of the password and know they are all yours to even know they have to be guessing at a different first word.
veglove@reddit
I honestly haven't found a lot of companies who will accept pass phrases with no special characters, even though I prefer to use those. They will insist that it needs a number as well, so I add a number to my passphrase. 🤷♀️
gonyere@reddit
I used to do the variations. I switched to bitwarden years ago and just let them generate my pws now.
casdoodle527@reddit
If my time in the federal government has taught me anything, it’s how to make a pretty damned secure password. Two uppers, two lowers, two numbers, two special characters and I think it has to be at least 12 characters long. Drives my husband nuts bc I used the same for our home network stuff
drewbaccaAWD@reddit
The changing them regularly is BS anyway, I have a friend who works in software security and they've done studies on that stuff and she was hard against that recommendation based on their own experience. I'm not saying that it should never be changed, but the frequency at which they try to force people to change passwords creates other issues (and let's be real, most of us are just going to change a single alphanumeric rather than come up with an entire fresh password).
Making them reasonably complex and not reusing them across platforms, is solid advice though. I think the "don't reuse them" argument is the best argument for the passkeys thing, as it's hard to remember like 40 different passwords. I don't really understand the difference between a passkey vs a third party password app though or are they essentially the same thing?
apokrif1@reddit
It should be up to each user to decide, depending on their individual needs.
Belaerim@reddit
Absolutely.
I have multiple 16+ digit passwords with special characters etc that I need to change every 30 days. And of course they have to be different.
It’s a huge pain in the ass until I got the bright idea to rotate miniatures (Battletech and D&D mainly) along with Funko pops and other small toys.
Put 3 of them under a monitor, and that’s your base password, just add some digits at the end.
And then you just need to remember which monitor was the password for which program
s4lt3dh4sh@reddit
I'm not sure I agree. Passkeys have other benefits. For example, if I use my iPhone to create a passkey for Home Depot and remove password or email-based sign in, the only way to sign in to my account is to have my phone. That's it. Nobody can get a leaked password and order a bunch of stuff with my account. Yes, password managers help with leaked password risk, but a world with no passwords at all is a more secure world.
veglove@reddit
I hate this solution, because if your phone is lost, stolen, destroyed, etc. then you're f*cked.
CubistHamster@reddit
Not a software engineer, but I'm reasonably tech-savvy and I use a password manager and 2FA on everything that allows it. My impression for my case, with most implementations, a passkey is adding a single failure point (losing my phone/hardware key) without any real improvement in security. Is that impression wrong? Is there any real benefit, other than a (possible) slight increase in convenience for some logins?
BossCatBrian@reddit
My password is password. Oh wait, now it’s Password123!
Super_Direction498@reddit
Serious question - for regular passwords, is one that has uppercase and lowercase letters, numbers, and special characters actually anymore secure that one that is simply longer but all lowercase letters?
For example, an 8 character password that has all the bells and whistles vs a 20 character lowercase password.
Normal512@reddit
Just think about one of those gym combination locks with 3 sets of numbers 0-9. You could methodically go through each set of numbers and eventually find the correct combination. If it were a digital lock and you could electronically test numbers using a computer, you could do it very quickly.
While increasing the amount of numbers on each wheel, say by adding letters, capitals, special characters, would vastly increase the amount of time it would take to solve the combination, now imagine if you did that AND instead of being only 3 sets, it was 16. Or 20. And how that exponentially increases the number of attempts you need to try to solve the combination.
In short, each additional character increases the amount of work to solve it by a huge factor. And get a password manager.
CubicleHermit@reddit
Except that even with those, the 4 digits are rarely random. The number of people who use their birth year is really high, so the odds are very good the first two digits are 19 or 20.
Lauuson@reddit
Length is better than complexity. Most sites and systems haven't caught up with this mindset though unfortunately.
https://imgs.xkcd.com/comics/password_strength.png
CubicleHermit@reddit
length and randomness.
A well known four-word phrase is not remotely secure.
mkeCharlie@reddit
Didn't click, but I always think of Correct Horse Battery Staple in these conversations. Assume that's the link.
Imnotyoursupervisor@reddit
Length. Using a “passphrase” is better because it’s long and you can remember it.
LardLad00@reddit
There are a number of websites you can use to compare. Depends on the length and complexity.
soopirV@reddit
I thought the creator of the password complexity rules is on record saying he never intended it for the genpop, it was only for sysadmin, and got out of control and he regrets it immensely.
brakeb@reddit
passwords don't need to be regularly rotated if they are long enough... problem is that people make mycatname123 or kidsname+localsport team or 'summer2026!'
I'm not a fan of passkeys, but I will use SSO, MFA, and Oauth flows everywhere, I've a massive 1password with a 35 character password and I use a yubikey for my work password that is 20+ characters. I don't even know what the password is, I let yubikey decide it, and write it to the yubikey.
Kalel42@reddit
Because that's not actually what's unlocking your access. The passkey lives on something you physically possess. You're just unlocking the passkey on your machine for it to be sent to the site in question.
Passkey implementation continues to be a mess, but they are much, much better than passwords.
SlowGoat79@reddit (OP)
But when I turn on my new laptop, it asks for a 4-digit passkey (that's the actual verbiage it uses). This is at the same stage of booting up as the Windows login from my old laptop.
Then, there are times when I'm prompted to use a passkey for different websites (what you're talking about in your comment). Those I just ignore for the time being, though I guess I probably shouldn't.
Spartan04@reddit
What you’re finding on Windows is probably Windows Hello. My work PC calls it a PIN, not a passkey, since it’s not the same as the other passkeys. If this is a personal computer you might be able to turn that off and just use a password if you prefer. If it’s a work computer they may force you to use Windows Hello like my work does.
Guhnguh@reddit
Yes how is it that Windows Hello is secure??? Or did they just finally decide to trust us?
Spartan04@reddit
Windows Hello is more geared towards where your account password also logs you into a network domain, usually seen in a business setup, though now that Windows can log you into your Microsoft account Hello does some things with that as well.
The big thing is that the PIN only works on that one local machine. It's used to unlock the TPM which then authenticates you to the network. Which means if someone stole your PIN it would be useless outside of the one machine it was set up on. It also means you can use a much stronger password since you won't have to enter it every time you unlock your PC. It also enables the use of biometrics to log in if your PC supports them.
You can actually use a more complex PIN if you'd like, there is a setting for it. My work Hello PIN is more than 4 characters.
Here's a post I found that explains a lot of what Hello does: https://www.reddit.com/r/Windows11/comments/1m3xx97/why_is_a_windows_hello_pin_considered_more_secure/
AlmiranteCrujido@reddit
Your PIN at login isn't a passkey. It's just a short numeric password that only works from the console of the machine. It's arguably more secure in some ways, since if someone gets it, it only works from physically sitting at the machine, and not over the network where you'd need your account password.
vespatic@reddit
This. The long password you try to remember works from any machine, while the PIN only works for your machine. Scammers in other countries can guess your password and log in, but cannot log in if they guess your PIN without physically having your laptop.
JHerbY2K@reddit
Yes it’s essentially multi factor (something you have AND something you know) in one step. So the password might be easy to remember but you’d also need to enter it from a specific device.
tc_cad@reddit
I can’t remember any of my 16 character passwords. Chrome remembers them for me but then I have 2FA to get through after.
Taysir385@reddit
There's always a relevant XKCD
tc_cad@reddit
Yep. I saw that one not long ago and it is absolutely the correct feeling.
silentknight111@reddit
The passkey is a certificate that usually lives in the TPM on your machine. You're entering your pin to unlock it so the machine can give the passkey to the site.
A PIN is one of, if not the, worst methods for securing a passkey. Ideally you'd use a biometric, but if your PC doesn't have any then you gotta use what you gotta use. However, a person can't use that PIN on a different machine to log in. They'd have to be on this specific machine with the certificate. So, it's more secure than a more complex password. They can't even get the passkey if they remove your hard drive and put it in another machine, because it's encoded usually in the TPM.
I say usually, because passkeys can be created in other ways. Like stored in a password manager (which lets you use it on multiple machines if the password manager can sync across machines).
The issue with passkeys currently is that you need a fallback - because you might need to access an account when you don't have access to the passkey.
So most sites let you log in with the password anyway if you cancel the passkey. You should at least enable two-factor authentication for that situation.
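Added example, not code from the thread: a cut-down Go model of the flow Spartan04 and silentknight111 describe above. The authenticator holds a P-256 private key per site and a PIN that only unlocks it locally; the server keeps just the public key and hands out a one-time random challenge; the signature covers the site name as well as the challenge. Real WebAuthn signs more than this (client data, authenticator data, a signature counter) and the site name homedepot.example, the user alice and the PIN 1234 are made up for the example, but the properties it shows are the real ones: a PIN is useless without the device, a captured signature cannot be replayed, a phishing domain gets nothing signed, and someone who dumps the server's database gets only public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Authenticator is the device side (TPM, phone, password manager): its keys never leave it.
type Authenticator struct {
	pin      string
	unlocked bool
	creds    map[string]*ecdsa.PrivateKey // site (rpID) -> private key
}

// Server is the website: it stores only public keys plus one pending challenge per user.
type Server struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewAuthenticator(pin string) *Authenticator { return &Authenticator{pin: pin, creds: map[string]*ecdsa.PrivateKey{}} }
func NewServer(rpID string) *Server { return &Server{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}} }

// Unlock is the local PIN/biometric check. Knowing the PIN without the device gets you nothing.
func (a *Authenticator) Unlock(pin string) bool {
	a.unlocked = subtle.ConstantTimeCompare([]byte(a.pin), []byte(pin)) == 1
	return a.unlocked
}

// Register makes a P-256 key pair bound to this site and sends only the public half.
func (a *Authenticator) Register(s *Server, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.creds[s.rpID] = priv
	s.pubKeys[user] = &priv.PublicKey
	return nil
}

// Challenge hands out 32 fresh random bytes that the authenticator must sign.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand does not fail on supported platforms
	s.pending[user] = c
	return c
}

// signedData ties the signature to the site name as well as the challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs with the credential for the site the browser is actually on; a phishing domain has none.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv := a.creds[origin]
	if !a.unlocked || priv == nil {
		return nil, fmt.Errorf("refused: locked=%v, credential for %q=%v", !a.unlocked, origin, priv != nil)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// Verify checks against the stored public key and consumes the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, challenge := s.pubKeys[user], s.pending[user]
	if pub == nil || challenge == nil {
		return false
	}
	delete(s.pending, user)
	return ecdsa.VerifyASN1(pub, signedData(s.rpID, challenge), sig)
}

func main() {
	srv, auth := NewServer("homedepot.example"), NewAuthenticator("1234")
	fmt.Println("wrong PIN unlocks:", auth.Unlock("0000"))
	auth.Unlock("1234")
	if err := auth.Register(srv, "alice"); err != nil {
		panic(err)
	}
	sig, _ := auth.Assert("homedepot.example", srv.Challenge("alice"))
	fmt.Println("real login:", srv.Verify("alice", sig))
	fmt.Println("replayed signature:", srv.Verify("alice", sig))
	ch := srv.Challenge("alice")
	_, err := auth.Assert("homedepot-login.example", ch) // phishing domain
	fmt.Println("phishing site:", err)
	theirs, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attacker holding only the DB dump
	forged, _ := ecdsa.SignASN1(rand.Reader, theirs, signedData(srv.rpID, ch))
	fmt.Println("forged with attacker's own key:", srv.Verify("alice", forged))
}
```

The last scenario in main is what "invulnerable to backend attacks" further down the thread is getting at: the server-side table holds public keys, so stealing it does not let anyone log in, unlike a dump of password hashes. What the model does not cover is the case veglove raises: if the device holding creds is gone, so is the login, which is exactly why sites keep a password or recovery fallback and why that fallback needs its own second factor.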
TollyVonTheDruth@reddit
Think that's something, how about the passwordless security or SSO. I still don't understand how either are more secure than a complex password.
Sinistas@reddit
An old phone I had died and now there are accounts I can't access. Wonderful technology.
zerosevennine@reddit
That was your error. Everyone should have backup passkeys.
tommy0guns@reddit
Fun takeaway. More password compromises come from the backend, not the user end. All those times some knucklehead at Yahoo or city hall clicked on a link and gave away their entire password list is why we are where we are.
We went from 4 letters to 8 letters to 12 letters, a number, and a character. Adding 69! to your password really stumped them good. Create better firewalls on the enterprise level. I haven’t downloaded a keylogger since Limewire.
zerosevennine@reddit
Passkeys are invulnerable to backend attacks.
JeffTS@reddit
AlmiranteCrujido@reddit
https://www.youtube.com/watch?v=7rSmMm-7SVA&t=29s
EastTXJosh@reddit
Part of my practice as an attorney is helping government entities impacted by cyber breaches. Until I started working in this sector, I despised all forms MFA, but after seeing the impacts of everything from email compromises to full blown ransom attacks, I am firm believer in MFA now.
arcxjo@reddit
The thing that bothers me is if I click a link to a website from my e-mail (save it, I know how to tell a scam from actual Papa Johns), I'm using the browser integrated into my e-mail app, so how the fuck am I supposed to get the code you insist on e-mailing me without losing the page I need to type it into?
Just let me use my fucking password.
Weird_Squirrel_8382@reddit
Somebody told me that humans (or at least customers of the bank he was working for) are much less likely to give out our phone pin, like if someone calls and pretends to be the bank. Also to get into the bank with my phone pin they'd have to yoink my phone, and nobody is getting between me and my Angry Birds.
Almostasleeprightnow@reddit
I finally just gave in and started doing whatever they wanted for a passkey whatever that is and it is working out great. Don’t think too hard about it.
brakeb@reddit
because it took people 20+ fucking years to 'get to that point'. And during that time, threat actors and technology have made it possible to guess your bullshit easy passwords, which is why the information security team you hate at work asks you to use a password locker like 1password or move to SSO like Okta.
There's also the general cognitive dissonance of "who would want to hack me, I'm not famous"... threat actors don't care. You've got money, you have connections to people who might have money, you have access to resources or information within your company, you check personal email on your work computer (and do other personal things on work devices), you click things and you shouldn't, you'll answer a phone call from "Microsoft Tech support" and hand over credentials.
for the 4-6 digit PIN, the idea is it'll expire before a threat actor would have the ability to potentially enumerate through the stack of numbers, especially if rate limiting of tries is a thing.
The sad thing? took us 20+ years to almost get rid of the password, to go to SSO and Passkeys, and threat actors have already found ways to bypass them. And since we don't want to use biometrics (can only change your fingerprint 10 times you know) we're gonna need to design systems that will stop humans (and LLMs) from doing the same things for the next 20 years that we've been trying to warn folks about for the last 20 years.
signed,
the information security community (trying to unfuck that chicken since the first moron who clicked on the link in the "i love you" email)
SlowGoat79@reddit (OP)
Hi information security community person -- can I confess something else while we're at it? The reason I avoid the biometric thing is that I have vivid memories of seeing Minority Report in theaters. The government already has my fingerprints, but the movie really made me feel like I don't want to give them my retinas. I feel utterly ridiculous for feeling this way, but I can't help it.
brakeb@reddit
you're not wrong... many in the infosec are against storing or collecting biometric data for authentication and authorization purposes... it's immutable, and unless you add salts to the hashes made from those fingerprints or retina scans or palm prints
Tygie19@reddit
I still don’t understand passkeys at all. I use my password manager on my phone and all my passwords are extremely complicated and each one different, and I change them periodically. I just can’t get my head around what a passkey is and why it’s better, even when I look up the definition. It looks like it’s just another PIN we have to memorise. I don’t understand.
burjja@reddit
I spend $3/month on 1Password. A password manager will change your life. You only have to remember one master password. On your phone, only need a finger or your face. Every time you need a new password, it creates a completely random one. Particular site has stronger requirements, you adjust the setting to put more numbers or add a special character or whatever. I used to dread the constant work email reminders that my password for this system or that system were about to expire. Now I let my password manager pick a new one, choose to update it in my profile and then on to what I was doing.
The one issue I used to have was that it made you update your profile before knowing if the application you were using accepted the new password. If it didn't, it would want to confirm your current password again, which was no longer stored in your 1Password account and you were off to the "I forgot my password" link. They've fixed that. It keeps track of your old passwords now so you can revert to that to make another attempt.
user08182019@reddit
1Password asks you to re-enter your master password 100x a day including every time you launch your browser. It's extremely annoying. LastPass almost never asks for your master password, not often enough? Their UI is poor (mixes view/edit), and they had a major breach in the past. Xkeypass, Bitwarden, etc. not sure.
burjja@reddit
I'm fine with it. That 100x a day has made it muscle memory for me, it's just a longer version of Ctrl+C, or insert your favorite keyboard shortcut.
CubicleHermit@reddit
If your computer is so old that you don't have any kind of biometric thing so you don't have to keep entering the same password, buy a yubikey or a USB fingerprint reader. Neither is expensive.
user08182019@reddit
YubiKey can store your master but there are downsides to that mostly having to do with input flow
CubicleHermit@reddit
There are downsides that it can be stolen, but I'm not sure how the input flow won't always beat "retype this long-ass password."
I don't know if any of the password managers can use FIDO/FIDO2 as an alternative to biometrics to unlock without a password, but for stuff like Okta, it's a good alternative.
user08182019@reddit
YubiKey is a good second factor to a password manager
brakeb@reddit
Just don't make your master password "dogsname123" because it completely defeats the purpose of using them
burjja@reddit
Definitely. My problem is I always want to tell people how genius my password is but that's a bad story unless I tell them my password.
worldcitizen101@reddit
Yes, though I prefer Bitwarden - I don't know about 1pass, but Bitwarden will remember past passwords to solve exactly that problem.
burjja@reddit
No worries, I can be long winded.
MaddyKet@reddit
I like the finger print passkeys.
VisiblePlatform6704@reddit
Something you know, Something you have, Something you are.
It's 2025 and we haven't been able to streamline showing a system those 3 in a simple way.
Lots of tech mumbo jumbo: ZK SNARKs + Mobile biometric input, plus mobile, plus out of wallet question should make this trivial now.
But the problem is making companies standardize on something.
If we look back to the 60s-90s, society pushed more towards standards. Right now everyone wants to make their own closed protocol, system or walled garden.
/rant
apokrif1@reddit
PIN ≠ passkey AFAIK.
AnthrallicA@reddit
Yeah and if everyone wants you to 2FA, what the hell does the password matter anyways?
Dear-Discussion2841@reddit
Literally cannot take much more 2FA. Honestly just steal my identity already.
modulus801@reddit
Same. My water company just added two factor to their logins. Why? Is someone going to hack my 32 character random, unique password to pay my water bill?
ADHDFeeshie@reddit
I haaaaaate 2FA. There has to be a better option. Make me enter 2 passwords, answer a security question, or something. Who hasn't had to use a different device to send an email because their phone battery died but not been able to get into that email because their phone battery is dead? Or people change their phone numbers and lose access to important accounts forever. It's ridiculous.
And at least let me designate one private device per account that lets me log in without 2FA. Checking on my health insurance website is a major pain in the ass, and then once I'm in I have to do the 2FA shit again to click through to their health rewards page even though supposedly it's linked to my insurance account and I didn't even need my password.
IrrationalSwan@reddit
Passkeys are the better option.
Passwords are a weak approach to authentication, so over time we had to add 2fa to strengthen them.
Passkey replaces password-based authentication with an alternative that's secure enough to not need 2fa.
It sometimes feels superficially like 2fa because the passkey software running on your device might require you to enter a pin or do something similar before it does the actual passkey authentication with the remote entity. In that situation, you still only have to enter one secret or provide one piece of biometric data, and the thing going on underneath the hood is completely different than standard password-based authentication.
mayhemkb@reddit
Dude. 2FA sucks. I already had to deal with a dude who wiped out the bank account of a client by using Google numbers to spoof their cell number to get past 2FA. The IT department when I went in to deal with placing fraud protections on their account (Fortune 500 company) told me, “Well I can add 2FA and that will take care of the problem.” Burn it all down.
lostmybackupcode@reddit
I just went far too long getting my Google authenticator app to work with the website I was trying to access. First time I felt too old to understand technology.
AnthrallicA@reddit
One of the vendors I (rarely) use at work offers the option to either 2FA via email or their proprietary mobile app. I don't want their app on my phone so I opted for email and it never works! Guess I'll spend my company's elsewhere lol.
boston_homo@reddit
I consider myself somewhat tech savvy and authenticator apps make no sense to me, I’m always a little surprised if, not when, they work.
big_z_0725@reddit
You and I want to communicate with each other over text. We often drop out of contact. When we reconnect, we want to verify that we are actually who we claim to be.
At first, we decide in one of our communications to share a secret number. That way, whenever we initiate contact, we can text our secret number to each other to verify our identities. This has several problems. Other people can eavesdrop and see our secret number. One or both of our devices could be compromised and use a keylogger to capture our secret number and send it to a malicious third party. This approach will not protect us for very long. We need a better one.
Now we need to take a trip back to high school algebra, specifically, functions.
f(x) = x + 3
g(x) = x^2 + 5
These take one input, x, and output values based on x. Function f outputs whatever x+3 is. Function g outputs whatever x squared plus 5 is.
If I tell you that I ran function f and got an output of 5, it's fairly easy to figure out that I gave it an input of 2. If I tell you that I ran function g and got an output of 30, it's fairly easy to figure out that I gave it an input of either +5 or -5. That's because these functions are easily invertible, or reversible. These functions will not help us verify our secret number with each other while also keeping it safe, because, if we use our secret number as input, and only share the output, someone who can see the output and also knows what function we are using can easily invert the function and determine our secret number.
There is a class of functions that are very hard to invert. That is, if I tell you the output of the function is 30, and I tell you what function I used, it is very, very hard for you to determine what input I gave it to get it to output 30. This kind of function will help us verify our secret number with each other, while also keeping it safe from others. Let's call this a "hash" function.
But we need to add one more step. We want to vary what we send to each other, to add another layer of protection. So, we decide to use the current date and time, down to the nearest 30 seconds. We will take this datetime (which we will actually represent as the number of seconds that have elapsed since Jan 1, 1970), add it to our secret number, and then run that sum through our hash function, and then send the output of that to each other.
Provided we have shared our secret number securely at the beginning of our relationship, this is how it works. If we both know our secret number, and we both know the time, you can hash the sum of our secret number and the time, and send that to me. I also have our secret number, and I know the time, so if I also hash that sum and my answer matches what you sent me, I know you have our secret number, so I can trust that I'm texting with you. But even if Mallory, a malicious eavesdropper, watches our exchange, and knows what hash function we are using, and knows what datetime we added to our secret number, it is computationally infeasible for her to determine our secret number. Remember, neither you nor I sent our actual secret number during this exchange.
With an authenticator app, the "secret number" is the QR code you scan into the app. The QR code is sent over HTTPS, so it's encrypted, and can't be intercepted. Now your phone and the site you are trying to authenticate to have shared the same secret number. The app itself handles the datetime calculation and the hashing function. The 6 digit codes that rotate every 30 seconds are the first 6 digits of the output of that hash function.
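The scheme big_z_0725 describes, written out as a runnable Python example. This is added here and is not code from the thread. It follows RFC 4226/6238 rather than the comment's simplification: the shared secret is the key of an HMAC-SHA1 over the 30-second step counter (it is not added to the time and hashed), and the six digits come from a truncated 31-bit slice of the MAC reduced mod 10^6, not from its first six digits. The otpauth:// enrolment URI, its base32 secret, the username and the issuer are constructed for the example; the second secret is the ASCII string "12345678901234567890" used in the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 keyed with the shared secret over the 8-byte big-endian
    counter, 'dynamic truncation' to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since 1970-01-01."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, step=30, window=1, digits=6):
    """Server-side check. Returns the matched step counter, or None.
    window=1 also accepts the previous and next step so a slightly skewed phone clock works.
    Counters at or below last_counter are refused, so a code captured by a keylogger or a
    phishing page cannot be replayed inside its validity window."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit() and len(code) == digits):
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):   # constant-time
            return candidate
    return None


def secret_from_otpauth_uri(uri):
    """The QR code an authenticator app scans encodes an otpauth:// URI; the shared secret
    is its base32 'secret' query parameter."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    b32 = parse_qs(parsed.query)["secret"][0]
    b32 += "=" * (-len(b32) % 8)                  # restore padding some issuers strip
    return base64.b32decode(b32, casefold=True)


if __name__ == "__main__":
    # Constructed enrolment URI (not from any real service).
    secret = secret_from_otpauth_uri(
        "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    print("current code for the constructed secret:", totp(secret, int(time.time())))
    # RFC 6238 test vector: ASCII secret "12345678901234567890" at T=59 yields 287082.
    print("RFC 6238 vector at T=59:", totp(b"12345678901234567890", 59))
```

Two practical consequences fall out of the construction. The server has to keep the raw shared secret, because a one-way hash of it could not produce codes, so a breach of the TOTP seed table is as bad as a breach of plaintext passwords. And a code stays valid for its whole step plus the skew window, which is why the last-accepted-counter check matters; it still does not stop a real-time phishing relay that forwards the code within seconds, which is the attack passkeys were designed to close.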
super_chillito@reddit
Excellent explanation!!
lostmybackupcode@reddit
I never remember what I did to make it work previously, so it's like a completely new adventure each time.
c_b0t@reddit
I have to use authenticators for work, and Microsoft logs me out like 4 times a day. Every time I pick up my phone to get a code, I get distracted by something else on it and forget about logging in.
faderjockey@reddit
Because you need two factors for….. two factor authentication.
Authentication can have three factors: something you know (like a password,) something you have (like a hardware token or a phone,) and something you are (biometric data like a fingerprint, iris pattern, or face.)
Your password is the first factor, your one-time code generated by an authentication app or texted to your phone is the second.
AnthrallicA@reddit
Yeah, so why does the password have to adhere to some ridiculous set of rules if I'm going to have to use a second factor of authentication to log in anyways?
DiaDeLosMuebles@reddit
Password is the first authentication factor. If you remove that then you don’t have multi-factor authentication anymore
brakeb@reddit
password is a method of authentication.
Something you know (password, phone unlock code, ATM card pin)
Something you have (passkey, yubikey, tokens, etc)
something you are (biometrics, face unlock, fingerprint, retina scan, DNA?)
Some or all of these are used in tandem for authentication. Security teams have been trying to save people from themselves, because we can't trust you to not make a shitty password, and we can't trust you to not re-use it all over the internet. Password reuse is what breaches companies...
M_V_Agrippa@reddit
Well, you expect us to change our password every ninety days with some absurd number of rules about what does and doesn't constitute a valid password. You are getting an incrementing password because "ain't nobody got time for that."
brakeb@reddit
That guidance from NIST has gone away. Even the guy who initially suggested it says that caused more harm than good.
Some of that is baked into compliance frameworks that need to be fixed. Many of us security people thought it was stupid, but NIST put out the guidance (which isn't even binding) and it was blindly followed by IT and security people that felt like they needed to adhere to "some standard" because IT and dev want guidance on securing systems, but won't follow guidance made locally because they don't see their security people as an authoritative source. So security people use ISO or NIST guidelines and state "guidance comes from the government or an international body" which management is cool with
DarksunDaFirst@reddit
2FA feels like a scheme to link identifying information together for an entity that normally wouldn’t have those identify points.
coolpartoftheproblem@reddit
i hate the future so fucking much
DiaDeLosMuebles@reddit
Then you’ll always be stuck in the past
coolpartoftheproblem@reddit
man i wish
platypus_farmer42@reddit
I would just prefer it if everything was a confirmation text. I wouldn't even need to try to remember a password, just text me a code. But no, now I have to remember a password AND get a 2fa code
AttitudeSimilar9347@reddit
Texts can be intercepted, SIM jacking
538_Jean@reddit
Just send me an actual physical key or encrypted USB and leave me alone. I can't memorize random crap so it'll never be secure.
wiserTyou@reddit
It's a conspiracy. They want us chipped like dogs. Twenty years ago I would have said no way, now I just want the damn chip so I can log in to stuff. They wore me down.
eatsleepdive@reddit
Why aren't we talking biometrics?
goosedog79@reddit
My password actually has "4eva!" in it!!!
Alarmed_Drop7162@reddit
Our annual password update now requires 20 characters.
My Palo Alto network requires me to type that in within 120 seconds.
My keystrokes don’t register in real time. Takes about ten minutes. -access denied-
So, then I restart the machine again.
Haven’t done a lick of work yet.
FlatSixFun@reddit
These responses show me just how little people understand about information security.
alvinofdiaspar@reddit
I'd rather see more local biometrics.
crbowers@reddit
It's taken me a while to get on the passkey train, but so far it's making my life easier. I'm a big proponent of passphrases and password managers. The only passwords I actually know are my computer password, iCloud password, and password manager password.
wetfloor666@reddit
You should actually use basic passwords, but not stupidly easy like bdays, etc. The crazy generated ones like you mentioned are apparently easier to crack. I personally love passkey, but only on my PC.
user08182019@reddit
You got misinformation on this, This is only true if/when it makes people record the password in an insecure way.
realitythreek@reddit
Passkeys are more secure, not less. As a person that works in tech, I’ve been frustrated for 20 years that we’re still using antiquated security practices like resetting passwords every 60-90 days. That’s how you get laptops with passwords on stickies nearby.
SmokinSensei@reddit
Relevant XKCD, though of course you can find Reddit posts stating this is not the case but those just seem to be advocating password managers.
ProfZussywussBrown@reddit
It's not just the passcode. It's the passkey, which you saved in your phone, password manager, etc. You need the code AND access to the passkey.
It's one thing you KNOW and one thing you HAVE
MasterDave@reddit
They’re secure tokens. They can’t be intercepted by a keylogger on your device or whatever.
Ironically JustinBeiber4ever is more secure than random garbage if it’s longer because token length resists brute force decryption. Random or not.
Basically you’ve been listening to 90’s IT thought process that’s been outdated for a long time but it’s really tough to get corporate America to understand new things when technology capabilities pass them by. Quantum computing will be able to defeat any password sooner or later so we have to eventually move to a more secure method thats encrypted hard enough to make quantum decryption less than trivial.
user08182019@reddit
IT has already been busy rolling out post quantum algorithms.
scronide@reddit
Note for fellow nerds: when people say passkeys they don’t necessarily mean those passkeys.
EverythingButTheURL@reddit
I'm pretty techie and I still don't understand passkeys. Since I don't really understand them I feel like they're going to get stuck to one device instead of synced across all of mine and then it's just a bigger pain in the ass.
Just-Try-2533@reddit
Most (except Windows) do sync.
peeinian@reddit
That is exactly the point. The passkey is only stored in the device it is created on. If you have multiple devices you have to create a passkey on each device.
The second factor to fulfill MFA is the PIN or biometric to unlock the device that stores the passkey.
ckglle3lle@reddit
Yes all security measures have tradeoffs. In the case of passkeys, the trade off is significantly stronger login credentials, essentially uncrackable, accomplished by tying them to an authentication measure. How secure you make that authentication measure is the new "how strong is your password" and just using a simple 4 digit pin *is* about the least secure method you can use for that. Facial/fingerprint recognition is generally stronger while 2FA remains the strongest. But even in the least secure method, if your passkey is tied to your device then a threat actor would still need direct access to your device which is still stronger protection than just a login/password because it makes you less vulnerable to phishing and social engineering attacks.
You can think of it a bit like using a physical notebook to write down all your logins. You still need to keep that notebook secure but the idea is no one can otherwise access anything without it.
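What IrrationalSwan and ckglle3lle describe above, as a runnable Python sketch: the PIN only unlocks a key held on the device, and the actual authentication is the device signing a fresh challenge with a key scoped to the site that created it. This is an added example, not code from the thread or from any passkey implementation. The signature scheme is a hand-rolled Schnorr over a toy group (chosen only so the example runs on the standard library; real passkeys use ECDSA P-256 or Ed25519, and this group is not safe for real use), the Authenticator and RelyingParty classes and the JSON "client data" are simplified stand-ins for the real protocol (which also distinguishes the relying-party ID from the origin and has the browser, not the page, fill in the origin), and the origins, username and PIN are made up.

```python
import hashlib
import hmac
import json
import secrets

# Toy discrete-log group, illustration only: multiplicative group mod the Mersenne prime
# 2^521 - 1, generator 3. Real passkeys use ECDSA P-256 / Ed25519; do not reuse this.
P = 2**521 - 1
G = 3
ORDER = P - 1   # exponent modulus for the full group (Fermat: g^(P-1) = 1 mod P)

def keygen():
    """Private scalar x and public element g^x; x never leaves the device."""
    x = secrets.randbelow(ORDER - 2) + 2
    return x, pow(G, x, P)

def _e(r, msg):
    """Fiat-Shamir challenge: hash of the commitment and the message, as a scalar."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(66, "big") + msg).digest(), "big") % ORDER

def schnorr_sign(x, msg):
    k = secrets.randbelow(ORDER - 2) + 2          # fresh nonce per signature
    r = pow(G, k, P)
    return r, (k + _e(r, msg) * x) % ORDER

def schnorr_verify(pub, msg, sig):
    r, s = sig
    return 1 < r < P and pow(G, s, P) == (r * pow(pub, _e(r, msg), P)) % P

class Authenticator:
    """Device side: one key per origin, used only after local user verification (the PIN)."""
    def __init__(self, pin):
        self._pin = pin
        self._creds = {}   # origin -> (credential id, private key)

    def register(self, origin):
        cred_id, (priv, pub) = secrets.token_hex(16), keygen()
        self._creds[origin] = (cred_id, priv)
        return cred_id, pub            # only the public half goes to the server

    def get_assertion(self, origin, challenge, pin):
        """Returns (credential id, signed client data, signature), or None on refusal."""
        if not hmac.compare_digest(pin, self._pin):   # wrong PIN; real devices also
            return None                               # rate-limit and lock out here
        if origin not in self._creds:                 # look-alike site: nothing to sign with
            return None
        cred_id, priv = self._creds[origin]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True).encode()
        return cred_id, client_data, schnorr_sign(priv, client_data)

class RelyingParty:
    """Server side: stores only public keys and single-use challenges."""
    def __init__(self, origin):
        self.origin = origin
        self.users = {}      # username -> (credential id, public key)
        self.pending = {}    # username -> outstanding challenge

    def register(self, username, cred_id, pub):
        self.users[username] = (cred_id, pub)

    def begin_login(self, username):
        self.pending[username] = secrets.token_bytes(32)
        return self.pending[username]

    def finish_login(self, username, assertion):
        expected = self.pending.pop(username, None)   # one challenge, one attempt
        if assertion is None or expected is None:
            return False
        cred_id, client_data, sig = assertion
        try:
            data = json.loads(client_data)
            presented = bytes.fromhex(data["challenge"])
        except (ValueError, KeyError, TypeError):
            return False
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False                              # wrong ceremony, or signed on another site
        if not hmac.compare_digest(presented, expected):
            return False                              # stale or replayed assertion
        stored_id, pub = self.users.get(username, (None, None))
        return stored_id == cred_id and schnorr_verify(pub, client_data, sig)

def run_scenarios():
    """Run the flow once; returns which attempts got in (constructed names and PIN)."""
    rp = RelyingParty("https://accounts.example")
    device = Authenticator(pin="1234")
    rp.register("alice", *device.register(rp.origin))
    out = {}
    assertion = device.get_assertion(rp.origin, rp.begin_login("alice"), "1234")
    out["genuine"] = rp.finish_login("alice", assertion)
    rp.begin_login("alice")
    out["replay"] = rp.finish_login("alice", assertion)            # captured assertion reused
    ch = rp.begin_login("alice")                                    # real challenge relayed
    out["phishing"] = rp.finish_login("alice", device.get_assertion("https://evil.example", ch, "1234"))
    ch = rp.begin_login("alice")
    out["wrong_pin"] = rp.finish_login("alice", device.get_assertion(rp.origin, ch, "0000"))
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

Two things the example makes concrete. The server holds only a public key and a throwaway challenge, so a breach of it yields nothing that logs in anywhere, and the device refuses to sign for an origin it has no credential for, so a look-alike page collects nothing even if it relays the genuine challenge in real time. The PIN check is the weak point ckglle3lle mentions: it is only reachable with the device in hand, and real authenticators rate-limit it and lock out after a small number of consecutive failures, which this sketch does not model.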
intransit412@reddit
Sometimes things change for the better. This is one of those things. Someone would have to steal your device and know your password to hack your accounts behind passkeys.
Maybe it’s an Apple thing but I don’t even think about passwords anymore because of their password manager. Even my mom hasn’t had to reset a password for a long time.
Blando-Cartesian@reddit
4 digit passkey is security theater. Not meant to be secure. Just make you feel safe without inconveniencing you much.
rmagere@reddit
My issue with passkeys is that I am not clear how to (a) save them (b) how to handle moving between devices
Currently all my accounts have unique, long, complex passwords and all those that allow it have a 2FA authentication (does not matter if it is a bank account or random bbs forum about cookies from 20 years ago). All of this has moved along with me from device to device over the years.
If a passkey is linked to my current phone, what happens when I lose it or gets stolen?
Just-Try-2533@reddit
Depends where you choose to save it. But some are synced with the cloud. So it automatically moves to your new phone.
rmagere@reddit
That works as long as I am on an iPhone-only system but my current set up works between Apple, Android, Windows, and Steam Deck
Just-Try-2533@reddit
Thanks! And fyi on most systems you can scan a QR code with your iPhone and then use the passkey. So it should work cross platform.
worldcitizen101@reddit
Ideally you want passkeys saved to a password manager that is then synced across devices - otherwise, indeed, you lose access when you lose your phone. Bitwarden handles this just fine.
If you are using unique passwords plus 2fa, you're far ahead of the curve and you're not the target audience for this change.
rmagere@reddit
Need to figure out how KeePass handles them (as I had a bad experience with LastPass being breached I have moved away from online password managers).
Telgar321@reddit
Bad actors generally don't break in...they log in.
DefiantThroat@reddit
My work has passwordless that bypasses all that and it’s been an amazing experience. Took me a day or 2 to get used to it but I never want a password reset or 2FA prompt again.
stykface@reddit
I'm all for 2FA. Wish we can just leave it at that.
Money_Magnet24@reddit
I matched 4 of 6 numbers on PowerBall including the PB number and guess how much I won
$160.00
That’s all.
4 of 6 and it’s $160.00
So, ya, my password for my computer is “you’re. so.money” I guess I have to change it now
handsoapdispenser@reddit
I heartily endorse paying for a password manager like 1Password. You just need one strong password you can remember and 1Password does the rest. It also allows easier sharing for a family.
DiaDeLosMuebles@reddit
You’re confusing passkeys and passcodes. I’ll answer the question for passcodes on laptops. The password you create is for account access. But the passcode is for device access.
saudage@reddit
Correct and it only applies to that particular device. I can unlock my password vault on my device with a pin but not on your device.
Kahnza@reddit
Passkeys, when said out loud, makes me think of a Polish Deli. 😂
RanklesTheOtter@reddit
Its never a bad time for pączki!
jackfaire@reddit
Because it's not about Justin Bieber?
FoppyRETURNS@reddit
Even with my psychotic password system and 2-factor nonsense, I know if there's a will there's a way.
Sebastian_dudette@reddit
Yes!
I find that stupid skip button hidden somewhere as fast as possible! No stupid passkeys for me!