Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • johannesvanderwhales@lemmy.world · 0 upvotes · 9 months ago

    I highly recommend using something like Bitwarden or 1Password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you’re paranoid you might prefer rolling your own with KeePass, but for most people that’s going to be a lot of work. I think 1Password’s model is about as secure as you could hope for while still trusting a third party. Definitely avoid LastPass. In addition to widely reported breaches, they don’t even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.

    • morbidcactus@lemmy.ca · 0 upvotes · 9 months ago

      Is KeePass really a lot of work though? If you use XC you have a client that works on Windows or Linux, and the file itself can be hosted anywhere; I ran for years with it on a USB key. There are no accounts to create, you just download and go.

      • ebc@lemmy.ca · 0 upvotes · 9 months ago

        KeePassXC works on Mac, too, and there’s KeePassDX for Android.

      • johannesvanderwhales@lemmy.world · 0 upvotes · 9 months ago (edited)

        It’s definitely more work than just buying the service from someone who has a ready-made app. I don’t think it’s a thing I would recommend to, for example, my parents. I know XC has some sort of form-fill thing, but it’s not nearly as nice as the browser plug-ins made by the various password manager vendors.

        • morbidcactus@lemmy.ca · 0 upvotes · 9 months ago

          There’s a Firefox plugin that provides that functionality. As for getting my parents on board, any attempt to get my MIL on board with a password manager has been futile; actually using it seems to be the biggest barrier to adoption, in my anecdotal experience.

    • podperson@lemm.ee · 0 upvotes · 9 months ago

      Since 1P switched to subscription-only (which is a dealbreaker for me), I switched to Strongbox. It’s based on KeePass; you can store/back up/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (a few minor annoying things, but no showstoppers for me). Been great so far.

    • Codilingus@sh.itjust.works · 0 upvotes · 9 months ago

      Just a heads-up for anyone: Bitwarden can be self-hosted using Vaultwarden. All of the Bitwarden apps and extensions will work.

      Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far; the free edition is good.

      • subtext@lemmy.world · 0 upvotes · 9 months ago

        I just don’t trust myself enough to self-host Bitwarden. It’s just too critical a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family) to have some IT professionals and Azure doing the hosting.

          • subtext@lemmy.world · 0 upvotes · 9 months ago

            Oh well, you don’t have to pay for it, but I do for the premium features, most notably family sharing of passwords.

        • Codilingus@sh.itjust.works · 0 upvotes · 9 months ago

          Good call, and I agree. I self-hosted it, but mine was offline and would only update if I was in my house. Saw Proton Pass release and made the switch, since I’ve been using their services for a while now.