Comment on Support PassKey Integration (Web Authentication API) in KeePassXC implemented
fosiacat@lemmy.world 1 year agoEli5?
Comment on Support PassKey Integration (Web Authentication API) in KeePassXC implemented
fosiacat@lemmy.world 1 year agoEli5?
shortwavesurfer@monero.town 1 year ago
Instead of having a secret that both you and the server share (password). Only you have the secret. Basically, what happens is that the server sends a message to your device encrypted that says, “If you are person, please give me back this code unencrypted.” And then it gives a code, for example. Your device decrypts that using your secret that you keep and then tells the server the code and the only way to have gotten that code is for you to have successfully decrypted the message the server sent.
cole@lemdro.id 1 year ago
how does the server encrypt the message it sends without the secret? Or is that stored during sign up?
shortwavesurfer@monero.town 1 year ago
When you sign up, your device creates a public private key pair. It keeps the private key locally and sends the public key to the server. So instead of a username, you are nothing but a string of random characters representing your public key. You can see an example of this, if you go into the Linux terminal and type “ssh-keygen”
zerodawn@leaf.dance 1 year ago
Underrated explanation, you held it finally click for me. I consider myself a fairly educated person but just couldn’t wrap my head around what made it so special. Correct me if i’m wrong but my understanding is the server uses the public key to encrypt a challenge code that can only be decrypted by your private key. You get an on device prompt to approve the process and the rest is done under the hood.
To go further on this, is the public/private key a mathematical relationship? What ties the two together to make them useful as a pair?
lemmyvore@feddit.nl 1 year ago
cole@lemdro.id 1 year ago
good explanation, thank you! I’m very familiar with ssh key auth so that makes sense
slumberlust@lemmy.world 1 year ago
Would this be susceptible to a MitM attack intercepting the decrypted secret?
shortwavesurfer@monero.town 1 year ago
No, because it’s a public private key pair, you have the private key and the server has the public key. So you end up sending the secret back encrypted as well. I just used that as an explainer. It’s not actually how that works.
fosiacat@lemmy.world 1 year ago
oh cool I get it. is this a good replacement for lastpass? I’ve been thinking about switching for a long time, but got kind of locked in to the convenience/cross platform compatibility (i use linux, macos, windows, ios regularly) but haven’t looked into keepass much.
Vash63@lemmy.world 1 year ago
Bitwarden is more of a direct replacement to Lastpass, but better and open source with self hosting options (see also Vaultwarden). Keepass is a safe stored and managed by you, no syncing or online services are included.
nyar@lemmy.world 1 year ago
There are extensions for it.
Personally, I use syncthing to send my keepass database to the various devices I need it on.
jeena@jemmy.jeena.net 1 year ago
Yes me too, syncthing is perfect for that.
shortwavesurfer@monero.town 1 year ago
From my personal experience switching from last pass, yes, it has been a very good replacement. Inside of LastPass, there is actually a way to get a spreadsheet with all your account details like username, password, URL, notes, etc and then import that into keepass. Once you have done that, you obviously delete the spreadsheet since it’s in plain text. However, I will say that keepass Is not right for everybody. You have to control your own database file and if you lose it, then you are shit out of luck. So you have to make sure that it is properly backed up and synced between devices. I use a quarterly backup strategy and a flash drive to accomplish this, but your choice may vary. However, using a cloud service of any kind to put the file on is probably not a great idea. If you must use a “cloid” I would highly suggest syncthing since you remain in control at all times.