this post was submitted on 14 Feb 2024
228 points (88.8% liked)

Technology

58055 readers
4819 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
228
Passkeys might really kill passwords (www.theverge.com)
submitted 7 months ago by Ninjazzon@infosec.pub to c/technology@lemmy.world
174 comments fedilink hide all child comments
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] johannesvanderwhales@lemmy.world 17 points 7 months ago (3 children)

I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you're paranoid you might prefer rolling your own with Keepass but for most people that's going to be a lot of work. I think 1password's model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don't even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.

[–] morbidcactus@lemmy.ca 6 points 7 months ago (2 children)

Is keepass really a lot of work though? If you use xc you have a client that works in windows or Linux, the file itself can be hosted anywhere, I ran for years with it on a USB key. There's no accounts to create, you just download and go.

[–] johannesvanderwhales@lemmy.world 4 points 7 months ago* (last edited 7 months ago) (1 children)

It's definitely more work than just buying the service from someone that has a ready made app. I don't think it's a thing I would recommend to, for example, my parents. I know xc has some sort of form fill thing but it's not nearly as nice as the browser plug-ins made by the various password manager vendors.

[–] morbidcactus@lemmy.ca 1 points 7 months ago (1 children)

There's a Firefox plugin that provides that functionality. As for getting my parents on board, any attempt to get my mil onboard with a password manager has been futile, actually using it seems to be the biggest barrier to adoption in my anecdotal experience

[–] johannesvanderwhales@lemmy.world 1 points 7 months ago* (last edited 7 months ago)

I'm just saying, the user needs to set up Keepass (on multiple ecosystems), find a solution to sharing their database across multiple devices (and note that sites like Dropbox or Google Drive are blocked on a lot of people's work computers), find a tool for filling those passwords in their web browser, potentially find different solutions for things like secure notes or syncing passkeys, and then maintain all of those things separately. Or they can pay a monthly fee and just have one integrated solution. A lot of people are gonna choose the latter.

[–] ebc@lemmy.ca 2 points 7 months ago

KeepassXC works on Mac, too and there's KeepassDX for Android.

[–] Codilingus@sh.itjust.works 5 points 7 months ago (1 children)

Just a heads up for anyone, bitwarden can be self hosted using vaultwarden. All of the bitwarden apps and extensions will work.

Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far, the free edition is good.

[–] subtext@lemmy.world 4 points 7 months ago (2 children)

I just don’t trust myself enough to self host Bitwarden. It’s just too critical of a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family), to have some IT professionals and Azure doing the hosting.

[–] Codilingus@sh.itjust.works 2 points 7 months ago

Good call, and I agree. I self hosted it but mine was offline, and would only update if I was in my house. Saw proton pass release, and made the switch since I've been using their services for awhile, now.

[–] petrol_sniff_king@lemmy.blahaj.zone 1 points 7 months ago (1 children)

Am I paying for Bitwarden?

I've legit been telling people that it's free. xD

[–] subtext@lemmy.world 1 points 7 months ago

Oh well you don’t have to pay for it, but I do for the premium features, most notably family sharing of passwords

[–] podperson@lemm.ee 3 points 7 months ago

Since 1P switched to subscription only (which is a dealbreaker for me), I switched to Strongbox. It's based on keepass, you can store/backup/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (few little minor annoying things, but no showstoppers for me). Been great so far.