Just because you know how to use a password manager, it doesn’t mean that most people ever have a hope of understanding even the best version of password management.
-
@rmondello I don’t think most people have a hope of understanding passkeys, either, or that even most of the people talking about them (myself included) fully understand them. From the basic user perspective, they seem pretty similar to me: the built-in password manager generates and auto-fills them and is treated as magic that just works.
-
@rmondello But, of course, in the real world there are sometimes problems. The issues with passwords are well known, and I see a lot of talk about how passkeys can help. What I am not seeing is acknowledgement of what new issues passkeys bring and how they can be addressed.
-
@mjtsai I am open to talking about the issues with passkeys and solving them. I am not unaware of their issues — I spend a lot of time working to address the issues with passkeys.
I don’t want anyone to feel like passkeys are being shoved down their throats. The reason people excitedly talk about them is that they are currently our best hope of addressing the ways that passwords hurt people.
-
Ricky Mondelloreplied to Ricky Mondello last edited by
@mjtsai They won’t work for everyone. There are tradeoffs. But making every credential “strong”, eliminating phishing as we know it today, and jettisoning the possibility of “leaked” credentials is a big deal, in my opinion.
And for the websites and apps that have deployed passkeys, the folks using them have largely enjoyed the experience, and found sign-in to be faster and easier than before.
But again, nothing is perfect. But again^2, the people working on this stuff are open to feedback.
-
If *Lowe’s* is using passkeys, I think it’s safe to assume they’re not overly difficult to use.
-
@bynkii @rmondello Well, I agree that the happy path is not difficult to use. When it gets to the Bluetooth/QR code stuff I don’t know. But mainly my point was that the comparison is kind of a sleight of hand. In both cases, using the built-in password manager is easy and you are safe if you only use that.
-
@mjtsai @bynkii For people who are using a password manager and strong passwords, several things are true:
1. A sufficiently convincing phishing attack can convince someone to fill or paste their password to the wrong entity.
2. The website can have passwords stolen from them. This happens regularly.
3. Websites have bizarre rules around password composition that are frustrating to people.
4. They can keep using passwords if they want. Nobody is taking their passwords away.
-
@rmondello @bynkii 1. Yes, if they know how to look up the password and don’t rely on auto-fill.
2. Can I assume that a Web site that stores cleartext passwords wouldn’t also store the private half of the passkey?
3. For sure, though I think Safari has mostly solved this.
4. It’s not really up to the user, is it? Your stated goal is to replace passwords. To the extent that’s successful, sites will see enough benefits to passkeys that they become the only option.
-
Okay, and I’m legit starting to doubt you are saying this in good faith, how, precisely, in detail, does a password manager with *any* password prevent that password from being used on every phishing/malicious site. What mechanism prevents the password from being read by the code running the password field?
I’ll wait.
-
@bynkii @rmondello As I said, it prevents phishing if you rely on auto-fill because it won’t auto-fill for a non-matching domain.