this post was submitted on 09 Dec 2023
302 points (89.1% liked)

Technology

59398 readers
4685 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

DNA companies should receive the death penalty for getting hacked | TechCrunch::Personal data is the new gold. The recent 23andMe data breach is a stark reminder of a chilling reality -- our most intimate, personal information might

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (2 children)

I don't like passkeys. There's the old thing about good security being the thing you have, the thing you know, and the thing you are–a key, a password, and biometrics. I don't like keys or biometrics for anything online. Mainly because of 5th amendment issues (police can hold your finger to your phone to unlock it, but they cannot compell you to say what your password is), but also because either it's more secure than using a password (if you lose the thing you have, you're fucked) or it's the same as using a password (if you lose the thing you have, you can enter a password to get it back).

Why can't we just normalize memorizing complex passwords? It isn't that hard if you dedicate some effort to it instead of lazily making it Currentmonth123!$

[–] [email protected] 6 points 11 months ago (1 children)

Why can't we just normalize memorizing complex passwords? It isn't that hard if you dedicate some effort to it instead of lazily making it Currentmonth123!$

This is just a stupid take. I bet you either reuse your passwords regularly or you don't really use the internet that much. I just looked it up and I have 270 unique logins, with as many 20 characters long passwords, with letters numbers and special characters.

Now tell me with a straight face that you think everyone can memorize that.

[–] [email protected] 4 points 11 months ago* (last edited 11 months ago)

I currently have 75 different accounts stored, each with a unique 16 character randomized password. My memory cannot handle remembering each one alongside their username and which service they are used for. I don't think it's reasonable to expect anyone to.

You are not required to secure passkeys with biometrics, you can just use a password to encrypt them if you want, removing the possibility of forced unlock.

With that many logins, I use a password manager anyway. Regardless of whether I use passwords or passkeys; that is always going to be target. With passkeys, that manager+my device are only possible targets to gain access to my accounts. With passwords every service is also a target, along with every connection I make to that service.

A random example: If I login to twitter with a password using a work computer, that password is more than likely now sitting in a log file on the corporate firewall that performs https inspection. That could be used to gain access to my account later.

Replace that password with a passkey, and now there's no ability to harvest and use login info from those logs. All they saw was the passkey challenge and response sent back/fourth with no ability to replicate it later.

While yes, you can usually recover you passkeys with a password and the appropriate access to the systems where they are backed up; the difference is very rarely using a password as a recovery code, vs using a password regularly giving much more opportunity for it to be intercepted or mishandled. The systems my password manager backs up to are also my own and not publicly accessible. (you don't have to use google/apples managers)

Also the passwords used for account auth are stored in my password manager, where as my password managers password is only stored in my mind. One is easy to remember, 75 is a bit much...