What’s crypto?
Comment on Security expert reveals surprising way to make your password stronger: use emojis
SirEDCaLot@lemmy.fmhy.net 8 months ago
Last week or two I’ve been learning more about passkeys, and it makes threads like this seem ridiculously out of date. Given the choice between emojis and passwords and hard crypto, I’ll take the crypto.
soloner@lemmy.world 8 months ago
JigglySackles@lemmy.world 8 months ago
Well you see there’s this thing called the Block chain, it’s like a ledger…
ivanafterall@kbin.social 8 months ago
Man, I sure wish I could get on the ground floor of this exciting new technology as an investor.
thanevim@kbin.social 8 months ago
Might be too late for that, but BOY do I have a bridge to sell you!
Aatube@kbin.social 8 months ago
Cryptography
SirEDCaLot@lemmy.fmhy.net 7 months ago
Cryptography. As in, using encryption and encryption keys to authenticate me, rather than just a password.
Kusimulkku@lemm.ee 8 months ago
I’m not sure what the passkey advantage over long unique password in a password database is.
Well, KeepAssXC just got passkey support so I guess it doesn’t matter much
lemmyvore@feddit.nl 8 months ago
With passkeys, your browser and the website exchange a public-private key pair then make up long random one-time “passwords” every time you login but only use them to check they each still have the right key.
Kusimulkku@lemm.ee 8 months ago
I guess I’m gonna need the answer spoonfed to me. I think I understand how the tech works but I don’t understand the advantage over a complex non-reused password. Maybe keyloggers, if it’s one-time thing?
coffinwood@feddit.de 8 months ago
The advantage - from my very incomplete understanding - is that your passkeys cannot be phished or stolen from you. So only you from your device can log-in to the site. Which leaves me with the question, how cross-device passkeys work.
ricecake@sh.itjust.works 8 months ago
Passkeys, under the hood, use a way of proving your identity that doesn’t require you to actually send your password, and also doesn’t require you to send your username either.
Because of how it’s implemented, the system managing the passkeys also gets to authenticate that the website is who it says it is.
So no private data actually gets sent anywhere, but you can prove your identity while also checking the identity of the site you’re talking to, like the SSL lock icon but automated. It’s often implemented such that the device that holds they keys can’t actually have them stolen from it, and it’s integrated with a biometric sensor.
This means it’s possible to have a high degree of confidence that the person logging in is physically the same person who created the credential, and not just someone who had their password stolen.
The final perk, is that if you’re using something like a phone with a fingerprint scanner, passkeys work as two factors of authentication, despite only feeling like one.
Because the phone verifies your identity via fingerprint (something you are), it can then unlock the key that is uniquely available to the phone (something you have).
Combine that with being generally easier to use, and it’s pretty clear why most security experts are pushing them. Security that users will use is better than security they won’t, and finally we have easier to use security that’s also better than the more difficult options.
lemmyvore@feddit.nl 8 months ago
There are lots of advantages:
The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.
There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on, it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.