Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • Ookami38@sh.itjust.works · 9 months ago (edited) · 4 up / 3 down

    Assuming you have a strong base password you aren’t concerned with being broken, you can use that, followed by a unique identifier for what you’re logging into, so every password is essentially the same, but also unique. Something like: translate the lyrics of a song (say, “Without Me” by Eminem) to first letters and punctuation, 2tpggrto,rto,rto, and add the identifier.

    2tpggrto,rto,rto-goog
    2tpggrto,rto,rto-faceb

    This is essentially how I manage my passwords that I want to actually remember. Just make sure you’re not SUPER obvious with how you make the identifier, perhaps -g0og or -f4c3b0ok. And no, I don’t use that song lol.

    • KairuByte@lemmy.dbzer0.com · 9 months ago · 9 up / 3 down

      This is essentially the same thing as using the same password everywhere.

      Yeah, they are unique. But if one is broken, they are all essentially broken.

      • blackbirdbiryani@lemmy.world · 9 months ago · 6 up / 2 down

        Only if you’re specifically targeted. I know enough regex to know that nobody is going to bother trying to parse known passwords to identify patterns like that when there’s a billion suckers who use ‘password123’ for their bank accounts.

        As long as the pattern is not super predictable and the parts aren’t dictionary words, nobody is brute forcing that.

        • subtext@lemmy.world · 9 months ago · 4 up / 1 down

          Even a minute mental load at everything you need to log into in a day is still more than the zero mental load I have when using a password manager.

          It’s not just more secure, it’s far more convenient. Plus once you start to share a life with someone, you can share all your accounts and passwords effortlessly as well.

        • KairuByte@lemmy.dbzer0.com · 9 months ago (edited) · 3 up / 1 down

          These would be extremely easy to detect with regex. Just look for the service name in a password, including common leet-speak conversions.

          Password123-Facebook then easily becomes Password123-GitHub or Password123-Walgreens.

          I can assure you, if I were a bad actor who got my hands on a password dump, I’m checking for these kinds of passwords pretty early on.

          Edit: A word.
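A defender-side version of the check KairuByte describes, as an added example that is not part of the thread: a password-policy rule that undoes common leet-speak substitutions and rejects a candidate password containing the name of the service being registered with (or a recognisable prefix of it, like “goog” or “faceb”). The substitution table and the 4-character prefix cutoff are assumptions, not anything the thread specifies.

```python
import re

# Assumed leet-speak table: characters to map back to letters before comparing.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def normalize(text: str) -> str:
    """Lowercase, undo leet substitutions, and keep only letters.

    '-f4c3b0ok' -> 'facebook', 'g0og' -> 'goog', 'Password123-GitHub' -> 'passwordiegithub'
    """
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def contains_service_name(password: str, service: str, min_len: int = 4) -> bool:
    """True if the normalized password contains the normalized service name,
    or any prefix of it that is at least min_len letters long.

    The prefix rule catches abbreviated identifiers such as 'goog' for
    'google'; min_len avoids matching on very short fragments.
    """
    pw = normalize(password)
    svc = normalize(service)
    for n in range(len(svc), min_len - 1, -1):
        if svc[:n] in pw:
            return True
    return False


def check_password(password: str, service: str) -> tuple[bool, str]:
    """Policy decision for a new password: (accepted, reason)."""
    if contains_service_name(password, service):
        return False, f"password contains the service name ({service})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates echoing the thread's examples.
    for pw in ["2tpggrto,rto,rto-goog", "2tpggrto,rto,rto-g0og", "2tpggrto,rto,rto"]:
        print(pw, "->", check_password(pw, "google"))
```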