Dang these are much more useful than my first port of call for looking up http codes... which is http.cat/<code>. It's a shame you have to know what a code is to get to it... e.g. /404-not-found works instead of /404
I still haven't reckoned the security implications, but Bitwarden supports passkeys, you can mostly use them the same way as you do a username/password across devices.
That still means dependence on some software product to log in to basic services. With a password, I don't need to use a software product.
What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer? What happens when the WebAuthn standard evolves and only the big-tech companies have solutions for storing passkeys because little software vendors or open-source vendors don't support the standard as well?
What happens when password-based login is phased out because passkeys are SO much simpler...assuming the user acquiesces and signs up for a big tech company's service? Who will be able to choose then?
> What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer?
Even with passwords, you'd still need an application or a device for 2FA, unless you keep a pack of scratch cards with you everywhere. So unless you go out of the way to avoid 2FA or use scratch cards, I don't think this changes anything from the status quo, only now you have one less thing to remember.
Well, 2FA was the first step in making devices more entrenched. Passkeys are just the next step. So, it's not exactly passkeys in isolation that is the problem, but the lock-in to technology (and big tech for most people), and passkeys being another discrete but significant step in the process.
On the contrary. Passkeys free us from complete dependence on mobile devices (and the telcos that distribute SIM cards) because passkeys can live on any number of desktop computers.
I said "passkeys free us from complete dependence on mobile devices". Complete dependence means not having other options. Passkeys give us other options - all of us, not just those of us who decide to use those options at any moment in time.
If most people use their phone for login that's fine. Many people don't even have another device.
What we should push for is passkey export, migration and backup features. The most likely lever that big tech could use for lock-in is making it near impossible to move those passkeys out of their closed ecosystems.
I'm curious – if open standards such as 2FA (TOTP) and Passkeys are considered locked-in, what would be a solution in your mind for an authentication scheme that isn't subject to the inherent problems of passwords (phishing, weak passwords, password reuse, database exposure, etc.) and that fits your requirement?
If you don't currently depend on a software product for managing your passwords, then you are undoubtedly using weak or reused passwords everywhere. You absolutely should be using a password manager to store unique, complex passwords for everything, and then it's not really a big jump to upgrade to the superior user experience of Passkeys.
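The thread keeps returning to the concrete property that separates passkeys from passwords and TOTP codes: the user never types the secret into a page, so a look-alike site cannot collect and relay it. The following is an added example, not code from the thread or from any vendor mentioned in it, that sketches the WebAuthn assertion flow with Go's standard-library Ed25519: the browser records the page's origin in clientDataJSON, the authenticator signs over authData and the hash of that JSON, and the relying party (RP) checks origin, challenge and RP ID before the signature. The RP ID `example.com`, the look-alike domain `examp1e.com`, the fixed challenge strings and the simplified authData (just the hash of the RP ID) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData mirrors the fields of WebAuthn's clientDataJSON that matter here.
// The browser fills in Origin from the page actually being visited; the user
// never types it, which is what makes the credential phishing-resistant.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives back from the client.
type Assertion struct {
	AuthData   []byte // simplified here to SHA-256(rpID); real authData also carries flags and a counter
	ClientJSON []byte
	Signature  []byte
}

// Authenticator is a toy passkey store: one Ed25519 key per RP ID.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register mints a key pair scoped to rpID and hands the public key to the RP.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	a.keys[rpID] = priv
	return pub
}

// signedBytes is the WebAuthn signing input: authData || SHA-256(clientDataJSON).
func signedBytes(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	return append(append(make([]byte, 0, len(authData)+len(h)), authData...), h[:]...)
}

// Sign produces an assertion, or refuses when no credential is scoped to rpID
// (a real browser likewise refuses to request an rpID the page's domain does not own).
func (a *Authenticator) Sign(rpID, origin, challenge string) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential for RP ID " + rpID)
	}
	cj, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	as := Assertion{AuthData: rpHash[:], ClientJSON: cj}
	as.Signature = ed25519.Sign(priv, signedBytes(as.AuthData, cj))
	return as, nil
}

// Verify is the RP side: origin, challenge and RP ID hash are checked before the
// signature, so an assertion produced for a look-alike origin never passes.
func Verify(pub ed25519.PublicKey, rpID, expectedOrigin, challenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type " + cd.Type)
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was made for " + cd.Origin)
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData, rpHash[:]) {
		return errors.New("RP ID hash mismatch")
	}
	if !ed25519.Verify(pub, signedBytes(as.AuthData, as.ClientJSON), as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// Demo runs a legitimate login, a look-alike-domain attempt and a replay, all
// constructed for illustration, and returns the RP's verdict for each.
func Demo() (legitOK, lookalikeRejected, replayRejected bool) {
	auth := &Authenticator{}
	const rpID, origin = "example.com", "https://example.com"
	pub := auth.Register(rpID)

	// 1. Real site: the browser reports the real origin and the RP accepts.
	as, _ := auth.Sign(rpID, origin, "challenge-1")
	legitOK = Verify(pub, rpID, origin, "challenge-1", as) == nil

	// 2. Look-alike site relaying the RP's challenge: its domain owns no credential,
	//    so signing fails; an assertion naming the look-alike origin (constructed
	//    here to exercise the RP check) is rejected on origin before the signature.
	_, errNoCred := auth.Sign("examp1e.com", "https://examp1e.com", "challenge-1")
	relayed, _ := auth.Sign(rpID, "https://examp1e.com", "challenge-1")
	lookalikeRejected = errNoCred != nil && Verify(pub, rpID, origin, "challenge-1", relayed) != nil

	// 3. Replaying the earlier assertion against a fresh challenge.
	replayRejected = Verify(pub, rpID, origin, "challenge-2", as) != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("legitimate login accepted: %v\nlook-alike domain rejected: %v\nreplay rejected: %v\n", a, b, c)
}
```

The check order in `Verify` is deliberate: origin and challenge are compared before any signature work, so the cheapest and most common failures (a relayed or stale assertion) are rejected first and logged with a specific reason, which is also what a detection team wants to see in RP logs.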
> With a password, I don't need to use a software product.
Formally, you still need a computing device with software that allows you to input and transmit the password, as well as any related challenges. (E.g. you may have a hard time logging in on a device that doesn't have a physical or full virtual keyboard, like a TV - I literally had to grab a laptop and change my password once because the virtual keyboard lacked a character that I needed to "type".)
While public-key cryptography isn't really doable on pen and paper, I don't see anything fundamentally wrong with requiring the user to perform some computations, as long as every step is documented and the end user fully and completely has access to and owns their credentials. "You won't have a calculator^W computer" was the biggest lie from my childhood - everyone does, or can, including full control and ownership of the device if desired.
Of course, this is not the case with how Passkeys are currently implemented, as corporations are extremely hostile to even the idea of letting users export "their" "own" keys.
> What if I don't want to pay for Bitwarden, or buy a smartphone, or tie my log-ins to my computer?
Then you and the people you influence can continue to enjoy getting phished.
> What happens when the WebAuthn standard evolves and only the big-tech companies have solutions for storing passkeys because little software vendors or open-source vendors don't support the standard as well?
For a bunch of companies/gov entities syncable passkeys aren’t secure enough. So they still need to use hardware-bound passkeys on e.g. YubiKeys.
Try to read up about a subject next time before you let your imagination go wild and scare equally ignorant people away from more secure alternatives.
Your conspiracy theories even seem to push you to be against using password managers in general. I guess googling around for an offline one like KeePass that’s heavily recommended all around the internet was too hard?
KeePassXC even supports passkeys.
> Then you and the people you influence can continue to enjoy getting phished.
Yes, you are quite right (although I have never been phished). But the spirit of your answer is correct. But that was my point: there is no choice, except to be more tightly integrated into tech, which in my opinion is a horrible thing. Instead, we should lessen our dependence on technology so computer accounts aren't so important after all.
> Try to read up about a subject next time before you let your phantasy go wild and scare equally ignorant people away from more secure alternatives.
I am fully aware that passkeys are MORE secure. If you actually read my post, my argument was not TECHNOLOGICAL, but sociological: I argue merely that the tighter dependence on this technology is a bad thing sociologically, even if it is the RIGHT thing technologically.
My thesis is that passkeys are a symptom of tighter tech integration, perhaps an inevitable one. You are irate because passkeys are the better solution to a technical problem, but I nevertheless maintain that the existence of that technical problem itself is merely a side-effect of a much larger problem for society -- the dependence on a tightly-integrated vertical technology stack. So perhaps YOU should read into the subtlety of my argument before claiming that I am ignorant.
Are you intentionally ignoring the part where I provided reasons for why alternatives to the use of password managers by vendors that (supposedly) cause lock-in won’t go away?
It turns your fear into a hypothetical that you’re more than welcome to discuss but imo it’s disingenuous to frame it as the incredibly big problem you’re framing it as.
I remember when the whole OpenID/OAuth stuff started with a simple input field to log in with your domain name. You could self-host OpenID or delegate it from your homepage.
Today "distributed login" is "login with your preferred feudal lord".
If you don't want (or aren't able) to use the 'app store app', what options are there? What options would there be when Google/Apple make a smartphone (and an app on it) a requirement, in the name of security?
No, that's not true; it's just less efficient because you have to handle more air and cool it to a lower temperature. Air in Earth's atmosphere always has significant humidity. See https://news.ycombinator.com/item?id=30716765 for some calculations.
It's reasonable to condense drinking/cooking water from air with solar energy in places that lack secure water. Not water for other purposes; you can't run a cooling tower, irrigate a field or an orchard, water a herd of cattle, or even grow a garden that way. But a household-sized dehumidifier powered by a household-sized solar panel can certainly make enough water to drink and cook rice.
On the other hand, if you live in semi-arid desert or any wetter biome, a cistern probably has a better cost-benefit ratio. Depending on your aquifer, a well may be better still.
I'm not sure whether it was due to changes in the algorithm, but at some point the logged-out front page that most people see became easily 50% outrage porn - a picture of a truck parking in two parking spaces, shaky video of someone being racist in public, most recently message conversations from horrible bosses.
When someone eventually makes an account and delves into the more niche subreddits, that's the culture that they're expecting and as more do it, it starts to change the culture of the niche subreddits as well.
Ironically the secret to reddit's success was that it was just left alone with very few changes for so long. The front page was already a dumpster fire at that stage, but a dumpster fire mostly contained to the top 20 subreddits. Now that it's more clever about pulling in posts from more niche subreddits that are doing well, or based on geolocation, it pulls people into the subreddits more which accelerates the Eternal September effect.
You don't necessarily have to choose - you can post on your own blog, then copy-paste it to Medium and set the canonical URL back to your own address so you keep some of the SEO juice.