this post was submitted on 14 Feb 2024
263 points (88.8% liked)

Technology

59534 readers
3135 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] LastYearsPumpkin@feddit.ch 39 points 9 months ago (4 children)

There's no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.

You either have to write it down, save it in a password manager, reuse passwords, or have simplified passwords or patterns.

[–] RippleEffect@lemm.ee 20 points 9 months ago

My vote is password manager. You can use 1 really good password for it and as many stupidly good passwords anywhere else since youre likely auto filling or pasting it in.

Just if your using it locally, remember to take a backup.

[–] leftzero@lemmynsfw.com 1 points 9 months ago (1 children)

There's no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.

Passphrases with a simple formula to make them unique for each site.

You just have to remember the formula, you get a strong unique password for each site.

Easy and safe, and doesn't tie you to a single point of failure like a specific device or a password manager.

Add two factor authentication on top (with multiple options, of course, otherwise you'll get locked out once you inevitably lose the second authentication method), and you can even safely use it from third party devices which you don't want to remember how to access your accounts.

[–] subtext@lemmy.world 2 points 9 months ago* (last edited 9 months ago)

Except if your “formula” is to make your passwords

Twit-(password)-ter

…it’ll be exceedingly obvious if someone were able to get your password from Twitter and then credential stuff at any other website. That’s not real security.

Also a password manager doesn’t have to be a single point of failure. First of all, they have like 3 or 4 points of failure before they actually lose anything, and you can always make an export or go back to a pen and paper password journal if you really want to to make an offline second point of failure.

[–] Ookami38@sh.itjust.works 1 points 9 months ago* (last edited 9 months ago) (1 children)

Assuming you have a strong base password you aren't concerned with being broken, you can use that, followed by a unique identifier for what you're logging into, so every password is essentially the same, but also unique. Something like, translate the lyrics to a song (say without me by Eminem) to first letters and punctuations, 2tpggrto,rto,rto, and add the identifier.

2tpggrto,rto,rto-goog 2tpggrto,rto,rto-faceb

This is essentially how I manage my passwords that I want to actually remember. Just make sure you're not SUPER obvious with how you make the identifier, perhaps -g0og or -f4c3b0ok. And no, I don't use that song lol.

[–] KairuByte@lemmy.dbzer0.com 6 points 9 months ago (1 children)

This is essentially the same thing as using the same password everywhere.

Yeah, they are unique. But if one is broken, they are all essentially broken.

[–] blackbirdbiryani@lemmy.world 4 points 9 months ago (2 children)

Only if you're specifically targeted. I know enough regex to know that nobody is going to bother trying to parse known passwords to identify patterns like that when there's a billion suckers who use 'password123' for their bank accounts.

As long as the pattern is not super predictable, and aren't dictionary words, nobody is brute forcing that.

[–] subtext@lemmy.world 3 points 9 months ago

Even a minute mental load at everything you need to log into in a day is still more than the zero mental load I have when using a password manager.

It’s not just more secure, it’s far more convenient. Plus once you start to share a life with someone, you can share all your accounts and passwords effortlessly as well.

[–] KairuByte@lemmy.dbzer0.com 2 points 9 months ago* (last edited 9 months ago)

These would be extremely easy to detect with regex. Just look for the service name in a password, including common leet speak conversion.

Password123-Facebook then easily becomes Password123-GitHub or Password123-Walgreens.

I can assure you, if I was a bad actor that got my hands on a password dump, I’m checking for these kinds of passwords pretty early on.

Edit: A word.