Hacker News

Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.


It's fine, even bad password management is better than passkeys.

Thankfully the incredible hype for passkeys has been dead for years now and people are starting to question it.


Is this... is this sarcasm? I honestly can't tell anymore.


It is not.


Would you care to elaborate? It also matters what counts as "bad password manager" to you - Poor crypto? Poor UX? A reddit post ;-)? LastPass?

With passkeys, both the website and the user can be pretty sure that the "password" is secure. The website knows that it's based on enough entropy, and the user knows that the website cannot lose it.

Of course, if I use a randomly generated 80-char password, I only mildly care whether the website stores it in plain text or not.

But if I was a site operator, I could additionally trust that the users are using secure passwords. Without insane strength requirements (which people only work around anyway, e.g. Passw0rd!123 is usually accepted, but thisisasuperlongpassphrase often is not).

I'm in the business of testing security, which means I sometimes crack passwords. No matter how much training you put your employees through: somebody gonna use ${some name}${0 or 1 special char}${some birthday} - whether it's the spouse, kids or affairs data, your guess is as good as mine.


Management, not password manager.

I'm not talking about technical merits, we all know passkeys are so complex they might work decently as obfuscation alone ;)

No, all that crap is meaningless when you give all your keys to an entity that simultaneously locks you in and couldn't give a fuck about you.



