this post was submitted on 14 Feb 2024
264 points (88.8% liked)

Technology

60116 readers
2797 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 10 months ago (1 children)

Coming up with a simple formula is a big security risk. It makes your passwords easier to brute force, and with enough entropy, probably easy to guess as well.

And what happens if the password is breached? Do you change the formula? What happens if a site requires a password change? Even if the formula accounts for versioning/iterating, how do you remember which iteration you’re on?

Extra security with 2FA I agree with, but that’s not mutually exclusive to using a password manager.

And are password managers really single points of failure? These password managers can sync to multiple devices, so your data is generally safe. If someone gets your password manager password, that’s a problem, yes, but they’d need access to your device to view anything, as installing on another device requires a separate master key to set it all up (which should not be stored digitally anywhere).

[–] [email protected] 2 points 10 months ago

It makes your passwords easier to brute force

Passphrases are by definition hard to brute force.

The formula should not be obvious. Don't just put the site's name in the passphrase, put a similar sounding but easy to remember word, something that rhymes, the first and last letters of the site's name plus the number of letters in the domain name, whatever.

An attacker would need to specifically target you and have more than one of your passphrases using the same formula in order to try to figure it out. Too much work. If they're that interested in your password it's easier to beat you up until you tell them.

And what happens if the password is breached? Do you change the formula? What happens if a site requires a password change?

You can have a couple different formulas or variations.

how do you remember which iteration you’re on?

Same way you'd remember the password you used for a site if you reused two or three different passwords.

And if you use the wrong one just try again; sure, passphrases can be a bit long, but having to type them multiple times is a good way to make sure you remember which one you used, lest you have to type it again.