this post was submitted on 03 Nov 2023
284 points (87.4% liked)

Technology

70528 readers
3919 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] SirEDCaLot@lemmy.fmhy.net 10 points 2 years ago (2 children)

Last week or two I've been learning more about passkeys, and it makes threads like this seem ridiculously out of date. Given the choice between emojis and passwords and hard crypto, I'll take the crypto.

[–] Kusimulkku@lemm.ee 3 points 2 years ago (1 children)

I'm not sure what the passkey advantage over long unique password in a password database is.

Well, KeePassXC just got passkey support so I guess it doesn't matter much

[–] lemmyvore@feddit.nl 5 points 2 years ago (1 children)

With passkeys, your browser and the website exchange a public-private key pair then make up long random one-time "passwords" every time you login but only use them to check they each still have the right key.

[–] Kusimulkku@lemm.ee 2 points 2 years ago (2 children)

I guess I'm gonna need the answer spoonfed to me. I think I understand how the tech works but I don't understand the advantage over a complex non-reused password. Maybe keyloggers, if it's one-time thing?

[–] coffinwood@feddit.de 4 points 2 years ago (1 children)

The advantage - from my very incomplete understanding - is that your passkeys cannot be phished or stolen from you. So only you from your device can log in to the site. Which leaves me with the question, how cross-device passkeys work.

[–] Kusimulkku@lemm.ee 2 points 2 years ago

That would be a really nice advantage but yeah, I wonder how cross-device passkeys or recovery passkeys would work

[–] lemmyvore@feddit.nl 3 points 2 years ago

There are lots of advantages:

  • No need to worry about password encoding, like this emoji debacle for example. Actually there's no need to worry about passwords in general anymore, no more worries about lengths, encoding, character space, remembering them etc.
  • It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
  • It eliminates phishing for 2FA because login only works on your device anyway and there's nothing you can be tricked into giving away to an attacker.
  • If attackers break into a site and steal the public keys they can't use them for anything.
  • Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continuously, you can upgrade the protocol, the key lengths, the encryption cyphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they'll just use the highest version they both have.
  • 2FA is a core part of the protocol, but again in a way that eliminates phishing: it's basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or a USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
  • Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you're screwed forever.

The downside is that there's been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.

There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an "offline" backup in case of untimely death and so on, it's going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.

[–] soloner@lemmy.world 1 points 2 years ago (3 children)
[–] JigglySackles@lemmy.world 10 points 2 years ago* (last edited 2 years ago) (1 children)

Well you see there's this thing called the Blockchain, it's like a ledger......

[–] ivanafterall@kbin.social 4 points 2 years ago (1 children)

Man, I sure wish I could get on the ground floor of this exciting new technology as an investor.

[–] thanevim@kbin.social 4 points 2 years ago (1 children)

Might be too late for that, but BOY do I have a bridge to sell you!

[–] ivanafterall@kbin.social 2 points 2 years ago (1 children)

You're kidding. A real-life bridge!? You can own those!? Name your price.

[–] Honytawk@lemmy.zip 2 points 2 years ago

Yes!

You can even change it into a toll road and return your investment in no time!

[–] Aatube@kbin.social 4 points 2 years ago
[–] SirEDCaLot@lemmy.fmhy.net 2 points 2 years ago

Cryptography. As in, using encryption and encryption keys to authenticate me, rather than just a password.