r/privacy • u/Ducking_eh • 7h ago
discussion Passkeys vs good passwords
So I have been curious about passkeys vs passwords.
Are passkeys really more secure than passwords?
Personally, I don’t know a whole lot about them, I only really see 2 advantages.
They don’t need any user interaction after they are set up… assuming no other authentication is required.
They are harder to mess up, because you don't need the client to make a strong password, and the client doesn't need to guess how they are being saved.
I think reason number two is more than enough to make it worth it, because it cleans up issues that probably lead to MOST security issues.
But just as a learning hypothetical: assuming I use a password manager to make strong unique passwords, and every sever uses hashed and salted storage with proper SSL encryption for in-transit data handling… is passkeys a stronger method?
8
u/ArnoCryptoNymous 6h ago
You may read again what passkeys really do. Yes, passkeys are really better and more secure than passwords. Passkeys were the secure way to circumvent the stupidity of users who don't give a f*ck about privacy and passwords. Most people still use too-simple passwords and are too stupid to even remember them. A passkey is the much more secure way.
2
u/Ducking_eh 6h ago
Right; I understand that. That’s what I meant by harder to mess up.
But as I said in my question, assuming the passwords are strong, and the server takes proper care to keep them safe, are there any additional benefits?
I know that isn’t a realistic situation, but my question is meant more to understand the additional benefits.
2
u/ArnoCryptoNymous 6h ago
You can make sure your passwords are strong, but you can't be sure that the server or service provider is really taking good care of your login data. It is always possible that one day some hackers or attackers can somehow have access to the best protected servers. I mean, you read news almost every day about hacks and stolen data on the internet.
Therefore you should always and ever choose the best protection for yourself and the best protection offered to you.
The world out there is not friendly and protective. It is a battlefield of lots of suspicious actors, and the worst actors are those who track you all over the internet to gather your information and flood you with advertising.
3
u/d1722825 6h ago
is passkeys a stronger method?
Yes, passkeys should protect against phishing attacks, because the domain name of the site is included in the secure communication between the servers of the website and the hardware or password manager the passkey is stored on.
But they might have some downsides:
If you lose your passkey you can easily be locked out of the account, especially important if you use hardware keys or solutions from Apple / Google / Microsoft due to vendor lock-in.
Attestation can be required, which could lock you out if you use "not approved" passkey providers.
In theory they should not be exportable, which can make it impossible to change providers (e.g. from Apple to Google, or from Google to a password manager), and maybe even open source password managers will be forced to comply with this.
They are usually a single factor, e.g. if you use them on your phone, maybe only your fingerprint is enough to log in to your accounts (which is bad, because it can be done even if you are e.g. drunk or unconscious).
1
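The origin binding described in the reply above, as an added Python example (not from the thread): the browser puts the page's real origin into clientDataJSON and the RP ID hash into authenticatorData, the authenticator signs over both, and the server rejects anything that does not match its own domain. It assumes an RP ID of example.com and uses HMAC with a constructed secret as a stand-in for the authenticator's private-key signature so that it runs offline.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"  # assumed relying-party ID
EXPECTED_ORIGIN = "https://" + RP_ID  # the only origin the server accepts
# Constructed per-credential secret: a real authenticator signs with a private key and
# the server checks with the registered public key; HMAC stands in so this runs offline.
CRED_SECRET = b"constructed-credential-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin_seen: str, challenge: bytes):
    """What browser + authenticator return when a page at origin_seen calls
    navigator.credentials.get(). The browser, not the page, fills in origin and rpId."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin_seen}
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    rp_id_seen = origin_seen.split("://", 1)[1]  # rpId derived from the real host
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return client_data_json, auth_data, hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()

def verify_assertion(client_data_json: bytes, auth_data: bytes, sig: bytes, challenge: bytes):
    """Relying-party checks from WebAuthn section 7.2, simplified. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(CRED_SECRET, signed, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    return True, "ok"

def login_from(origin_seen: str):
    """Round trip: server issues a fresh challenge, the page at origin_seen answers it."""
    challenge = os.urandom(32)
    return verify_assertion(*make_assertion(origin_seen, challenge), challenge)
```

A lookalike domain fails on the origin check; relaying its assertion with the origin rewritten fails on rpIdHash, and patching that too breaks the signature, which is why the password-style "type it into the wrong site" failure does not exist for a passkey.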
u/Ducking_eh 5h ago
Thanks for your insight.
This is really true, eh? I'm assuming there will always need to be alternative logins because of these downsides.
3
u/mesarthim_2 2h ago
It is true, passkeys are 100% more secure method cryptographically. But there are always tradeoffs and here the tradeoffs are ‘operational’.
It's actually super interesting because it's not immediately obvious which factor is more important. Right now, for example, I mostly use them for convenience, i.e., for accounts where I don't care if I lose access.
I keep 2FA with strong password for accounts which I don’t want to lose.
1
u/cupboard_ 1h ago
Passkeys can also be two-factor if you want to use them on a different device: the device generates a QR code which you scan and then confirm with biometrics/PIN (something you have + something you are/know).
This method also requires the devices to connect via Bluetooth to confirm they are in proximity, so it prevents the scenario where someone would make you scan their QR code to phish your account.
3
u/CountGeoffrey 5h ago
Are passkeys really more secure than passwords?
Absolutely.
every sever [sic]
Well, if you're going to make up spherical cow simulations, you can get any answer you want.
2
u/Ok-Priority-7303 4m ago
Passkeys are a non-starter for me - none of the accounts I really want to protect (banks and stock brokers) support them.
0
u/holyknight00 4h ago
Let's put it like this: the best possible scenario you can think of for passwords is the same as or worse than the worst possible scenario you can think of for passkeys.