Passkeys might really kill passwords - eviltoast

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • johannesvanderwhales@lemmy.world · +21 / -1 · 9 months ago

    I highly recommend using something like Bitwarden or 1Password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you’re paranoid you might prefer rolling your own with KeePass but for most people that’s going to be a lot of work. I think 1Password’s model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid LastPass. In addition to widely reported breaches, they don’t even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.

    • Codilingus@sh.itjust.works · +8 · 9 months ago

      Just a heads up for anyone, Bitwarden can be self hosted using Vaultwarden. All of the Bitwarden apps and extensions will work.

      Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far, the free edition is good.

      • subtext@lemmy.world · +4 · 9 months ago

        I just don’t trust myself enough to self host Bitwarden. It’s just too critical of a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family), to have some IT professionals and Azure doing the hosting.

          • subtext@lemmy.world · +3 · 9 months ago

            Oh well you don’t have to pay for it, but I do for the premium features, most notably family sharing of passwords

        • Codilingus@sh.itjust.works · +2 · 9 months ago

          Good call, and I agree. I self hosted it but mine was offline, and would only update if I was in my house. Saw Proton Pass release, and made the switch since I’ve been using their services for a while now.

    • morbidcactus@lemmy.ca · +7 / -1 · 9 months ago

      Is KeePass really a lot of work though? If you use KeePassXC you have a client that works in Windows or Linux, the file itself can be hosted anywhere, I ran for years with it on a USB key. There’s no accounts to create, you just download and go.

      • johannesvanderwhales@lemmy.world · +5 / -1 · 9 months ago (edited)

        It’s definitely more work than just buying the service from someone that has a ready-made app. I don’t think it’s a thing I would recommend to, for example, my parents. I know KeePassXC has some sort of form-fill thing but it’s not nearly as nice as the browser plug-ins made by the various password manager vendors.

        • morbidcactus@lemmy.ca · +2 · 9 months ago

          There’s a Firefox plugin that provides that functionality. As for getting my parents on board, any attempt to get my MIL on board with a password manager has been futile. Actually using it seems to be the biggest barrier to adoption in my anecdotal experience.

          • johannesvanderwhales@lemmy.world · +1 · 9 months ago (edited)

            I’m just saying, the user needs to set up Keepass (on multiple ecosystems), find a solution to sharing their database across multiple devices (and note that sites like Dropbox or Google Drive are blocked on a lot of people’s work computers), find a tool for filling those passwords in their web browser, potentially find different solutions for things like secure notes or syncing passkeys, and then maintain all of those things separately. Or they can pay a monthly fee and just have one integrated solution. A lot of people are gonna choose the latter.

      • ebc@lemmy.ca · +2 · 9 months ago

        KeePassXC works on Mac too, and there’s KeePassDX for Android.

        • morbidcactus@lemmy.ca · +1 · 9 months ago

          Did not know about the Mac version; my partner is using Strongbox on her Mac, I don’t personally use macOS. I’ve been using Keepass2Android for a long time. I like that there are so many different clients for KeePass.

    • podperson@lemm.ee · +3 · 9 months ago

      Since 1P switched to subscription only (which is a dealbreaker for me), I switched to Strongbox. It’s based on keepass, you can store/backup/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (few little minor annoying things, but no showstoppers for me). Been great so far.