Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • 0nekoneko7@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    11 months ago

    People are making things more complicated than they already are. I simply keep my passwords and passphrases inside my memory.

    P.S. My password is not ‘Password123456’

    • LastYearsPumpkin@feddit.ch
      link
      fedilink
      English
      arrow-up
      43
      ·
      11 months ago

      There’s no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.

      You either have to write it down, save it in a password manager, reuse passwords, or have simplified passwords or patterns.

      • RippleEffect@lemm.ee
        link
        fedilink
        English
        arrow-up
        20
        ·
        11 months ago

        My vote is password manager. You can use 1 really good password for it and as many stupidly good passwords anywhere else since youre likely auto filling or pasting it in.

        Just if your using it locally, remember to take a backup.

        • Gladaed@feddit.de
          link
          fedilink
          English
          arrow-up
          9
          ·
          11 months ago

          You are not supposed to have relation between the words. This password is vulnerable to a dictionary attack. If you are not a high value target you should still be OK.

          • johannesvanderwhales@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            11 months ago

            Yeah password re-use is the main method of cracking passwords. That obscure site that you think “oh I don’t need a good password for this because it’s a site I don’t care about”? Guess what, they have shitty security practices, and now crackers have access to every site where you’ve used that same password.

        • Patches@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          6
          ·
          11 months ago

          We’re supposed to take security advice from someone for freely gave their password out?

          But in all seriousness yes phrases are better. You don’t need the money symbol 1234t67890 especially if it makes it harder to remember.

          You can even have each phrase be the website. TargetSucksMonkeyDick, BestBuySucksMonkeyDick are secure passwords.

          • LastYearsPumpkin@feddit.ch
            link
            fedilink
            English
            arrow-up
            7
            ·
            11 months ago

            Which is KIND OF ok unless someone looks at a password breech list and figures out your super simple pattern. And I’m sure the rise of AI being used in password breech attacks will just make it more automated.

            Real, true, random passwords/tokens is really the only way to actually be safe. Which means you have to use a password generator, AND something to save the password.

            • leftzero@lemmynsfw.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              11 months ago

              unless someone looks at a password breech list and figures out your super simple pattern.

              Don’t simply put the site’s name there. Put a similar sounding easy to remember word, a synonym, rhyming slang, the first and last letters of the site’s name plus the number of letters in the domain name, whatever.

        • butterflyattack@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          11 months ago

          Phrases are definitely more memorable than forcing people to use capitals, numbers, symbols, all that shit. But there are just so many passwords to remember.

      • leftzero@lemmynsfw.com
        link
        fedilink
        English
        arrow-up
        5
        ·
        11 months ago

        There’s no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.

        Passphrases with a simple formula to make them unique for each site.

        You just have to remember the formula, you get a strong unique password for each site.

        Easy and safe, and doesn’t tie you to a single point of failure like a specific device or a password manager.

        Add two factor authentication on top (with multiple options, of course, otherwise you’ll get locked out once you inevitably lose the second authentication method), and you can even safely use it from third party devices which you don’t want to remember how to access your accounts.

        • subtext@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          11 months ago

          Except if your “formula” is to make your passwords

          Twit-(password)-ter

          …it’ll be exceedingly obvious if someone were able to get your password from Twitter and then credential stuff at any other website. That’s not real security.

          Also a password manager doesn’t have to be a single point of failure. First of all, they have like 3 or 4 points of failure before they actually lose anything, and you can always make an export or go back to a pen and paper password journal if you really want to to make an offline second point of failure.

      • Ookami38@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        11 months ago

        Assuming you have a strong base password you aren’t concerned with being broken, you can use that, followed by a unique identifier for what you’re logging into, so every password is essentially the same, but also unique. Something like, translate the lyrics to a song (say without me by Eminem) to first letters and punctuations, 2tpggrto,rto,rto, and add the identifier.

        2tpggrto,rto,rto-goog 2tpggrto,rto,rto-faceb

        This is essentially how I manage my passwords that I want to actually remember. Just make sure you’re not SUPER obvious with how you make the identifier, perhaps -g0og or -f4c3b0ok. And no, I don’t use that song lol.

        • KairuByte@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          10
          ·
          11 months ago

          This is essentially the same thing as using the same password everywhere.

          Yeah, they are unique. But if one is broken, they are all essentially broken.

          • blackbirdbiryani@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            11 months ago

            Only if you’re specifically targeted. I know enough regex to know that nobody is going to bother trying to parse known passwords to identify patterns like that when there’s a billion suckers who use ‘password123’ for their bank accounts.

            As long as the pattern is not super predictable, and aren’t dictionary words, nobody is brute forcing that.

            • subtext@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              ·
              11 months ago

              Even a minute mental load at everything you need to log into in a day is still more than the zero mental load I have when using a password manager.

              It’s not just more secure, it’s far more convenient. Plus once you start to share a life with someone, you can share all your accounts and passwords effortlessly as well.

            • KairuByte@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              10 months ago

              These would be extremely easy to detect with regex. Just look for the service name in a password, including common leet speak conversion.

              Password123-Facebook then easily becomes Password123-GitHub or Password123-Walgreens.

              I can assure you, if I was a bad actor that got my hands on a password dump, I’m checking for these kinds of passwords pretty early on.

              Edit: A word.

    • Darkassassin07@lemmy.ca
      link
      fedilink
      English
      arrow-up
      5
      ·
      11 months ago

      How do you remember 70+ different password+username combinations?

      Or do you just re-use passwords…

      • 0nekoneko7@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        10 months ago

        I have a system of pattern for every new password. So I just have to remember the pattern of things (a pseudo algorithm) that I use to generate new password. I won’t say that it’s uncrackable. But, works for me. And I don’t think anyone care enough to go after my passwords.

        • Darkassassin07@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          The problem I have with a system like that is it doesn’t account for leaked passwords/data breaches.

          When you find one of those services has had a data breach and your password was compromised; you’ve now gotta adjust your mental algorithm to make an entirely different pattern, either for every site, or you’ve gotta remember each of the changes you’ve made for specific sites.

          Long term it turns into a mess.

    • ryathal@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      The real solution is to only remember one or two passwords and have widespread oauth adoption. Instead of having to sign up with every possible website and app, I should only need a couple of google/Facebook/apple/steam/github/Amazon/PayPal/whatever.