valenterry (9 days ago):
> Passkey are more like password managers, and less like MFA tokens
No:
- I can always export and import all my passwords from/into my password manager
- My passwords always work independently of a password manager or any specific app/OS/hardware
That is not true for passkeys and makes them much more like tokens. Of course they don't have to be used in MFA, just like passwords.
jerf (9 days ago):
I just exported my Bitwarden vault and the resulting .json file has my passkeys in it. I'm not going to try to test import, but if it doesn't work that would obviously be more "bug" than anything else. Clearly "export" is the high-concern functionality and once exported, importing them is not a big deal. This is only about your first paragraph; it doesn't affect your second.
geodel (9 days ago):
Indeed. The Credential Exchange Protocol (CXP) is already being worked on and all major vendors are planning to support it. There was also talk at Apple WWDC 2025 about passkey-related APIs, including exporting them.
valenterry (9 days ago):
Unfortunately just because it's possible with Bitwarden doesn't mean it is always possible.
palata (9 days ago):
Are you saying that it's not always possible to import/export passkeys because you can manage them with some program that doesn't allow it, but the same is not true for passkeys? Counter-example: I can write a password manager that will not allow you to export/import passwords.
valenterry (8 days ago):
No, that's not what I meant. There are cases where Bitwarden doesn't work but Chrome, for example, does. Easy to Google up. For passwords, however, I have never heard of a case where a website only accepts passwords from a specific password manager, and how could they even do that, right?
palata (8 days ago):
I don't think your reasoning holds. You say "I know situations where one passkey client works with some websites and not others, but I don't know situations where a website works with some clients and not others". If the website accepts a password, then it can't prevent you from using the password manager you want. But if the website accepts FIDO2 passkeys, it's the same thing, isn't it?
valenterry (8 days ago):
> but I don't know situations where a website works with some clients and not others
For example: https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselec...
> If the website accepts a password, then it can't prevent you from using the password manager you want. But if the website accepts FIDO2 passkeys, it's the same thing, isn't it?
Unfortunately not...
palata (7 days ago):
> For example: [...]
Those sound like requirements similar to those that can be enforced with passwords. My company enforces an SSO system with an MFA scheme that is controlled by the IT department. I can use my password manager for the password part, but I must use the mandatory MFA app. In that sense, I am not sure it is so different from passkeys?
valenterry (6 days ago):
Now you are not comparing passwords with passkeys anymore, but MFA with passkeys. Not sure what the point is in the context of the discussion.
> In that sense, I am not sure it is so different from passkeys?
Yes, if it means "company-specific SSO" and a company chooses to force you to use the hardware they decided on, then that is in fact not very different from the passkey constraints.
nobody9999 (9 days ago):
> Password managers are those proprietary programs that you need to install, give full access to your computer, register an account and trust their word that your passwords are uploaded to the cloud securely? No thanks.
cf. pass(1) [0][1]
[0] https://www.passwordstore.org/
[1] No, it's not hosted in the cloud (i.e., on someone else's servers) and that's a good thing. It's FOSS and can be compiled for Android/iOS (and has been, see [2][3][4], at least for Android). The DB (just a GPG store) can also be shared across multiple devices.
[2] https://f-droid.org/packages/app.passwordstore.agrahn/
[3] https://play.google.com/store/apps/details?id=dev.msfjarvis....
[4] Not sure about iOS versions, I don't have any Apple devices.
const_cast (9 days ago):
Password managers are both significantly simpler to use than just passwords and more secure. Passwords have always been bad. The problem is that users can't remember them. So they rotate, like, 3 passwords. Which means if fuckyou.com is breached then your bank account will be drained. Great. On top of that, the three passwords they choose are usually super easy to guess or brute force. With a password manager, users only need to remember one password, which means they can make said password not stupid. You can automatically log in too with your new super secure passwords you never need to see. It's the perfect piece of software. Faster, easier, more secure, with less mental load.
mangodrunk (6 days ago):
And if the password manager is compromised, then again everything is lost. I doubt people are indeed using good passwords for it, and does this assume you only use one device that you will always use?
const_cast (5 days ago):
> I doubt people are indeed using good passwords for it
I don't, but even if I do, the simple fact remains that remembering one password is easier than 300. If you have to remember 300 passwords, you're gonna choose 'password1' - 'password300'. Because we're not living hashmaps. But with one password, I can easily make it even 40 characters and remember it. And anybody can do that. If you DON'T use a password manager, you don't solve the problem of "everything is lost". Because people just reuse passwords as noted above. So Experian gets breached, which is WAYYYYY more likely than your encrypted password manager getting breached, and now your bank is also open, and your Gmail, and your IRS.gov. Whoops.
> does this assume you only use one device that you will always use
No, password managers work on all your devices and auto sync. How is it done so securely and without any hiccups? Because they're super simple pieces of software. You just take the passwords, derive a key from the master password, and encrypt all the passwords. Then dump it in whatever online storage. I could write a password manager in a couple hours.
blkhawk (9 days ago):
Uh no - a password manager is an open source application you can compile and install yourself if you want. It's nothing more than a small specialised database with an Excel-like interface. Personally I think that the argument that things are "too complicated for the average user" eventually gets you users that find breathing and sphincter function too complicated.
Hackbraten (9 days ago):
I’ve been observing this space for two decades and haven’t come across a single open-source password manager that actually works, is properly maintained, has an acceptable security track record, and comes with a similarly well-maintained browser extension that protects both my clipboard and myself from phishing.
rpdillon (9 days ago):
I've been using KeePass for two decades and have never had a single issue. I would never recommend a browser plug-in (too much attack surface area), and instead simply check the URL before having KeePass autotype. No clipboard. I think you're rejecting good solutions out of hand. Meanwhile... millions of users trusted LastPass. Twice.
Hackbraten (9 days ago):
> simply check the URL before having KeePass autotype.
I’m not going to rely on myself never making a mistake. I want a solution that protects me even during stressful moments where I have a lapse of judgement and forget to check.
simoncion (9 days ago):
If you're not using KeePassXC's browser plugin (or are using KeePassX, which -IIRC- never had a browser plugin), then its autotype feature will check the title of the window that has keyboard focus when deciding which entry to use. If one or more matches are found, it will [1] also ask you to confirm which entry you're about to have the software punch in. If no matches are found, it will alert you to that fact. You might find the KeePassXC docs about the feature [0] to be informative.
If you're going to complain that all a phisher has to do to capture a password is create a website with the same title as the official one, then my reply would be something like "Duh. That's what the browser plugin is for."
[0] <https://keepassxc.org/docs/KeePassXC_UserGuide#_auto_type>
[1] ...optionally, and on by default...
Hackbraten (8 days ago):
Not sure how you got the impression that I was unwilling to use a browser plugin. I’m absolutely looking for a browser plugin. I would refuse to use an auto-type feature that only checks the window title instead of, as a browser plugin would do, the site’s domain.
simoncion (8 days ago):
I'm not sure how you got the impression that I had the impression that you're unwilling to use a browser plugin. I have absolutely no idea whether or not you're willing to use a browser plugin. I was mentioning how auto-type worked because it's useful information for those who either are unwilling to use a browser plugin, or are like myself and simply have no need for one.
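The distinction Hackbraten and simoncion are discussing, matching a vault entry by the focused window's title versus by the page's origin, as an added example; it is not code from KeePassXC, from any browser extension, or from the thread. The vault entries, page titles and URLs below are constructed, and the substring rule for titles is a simplification of my own.

```javascript
// Added example, not from the thread: two ways a password manager can decide
// which entry belongs to the page in front of the user.
// Constructed vault: entry titles and canonical URLs.
const sampleVault = [
  { title: 'Example Bank - Sign in', url: 'https://login.bank.example/', user: 'alice' },
  { title: 'Example Mail', url: 'https://mail.example/', user: 'alice' },
];

// Auto-type style: the only signal is the focused window's title, which a
// web page sets itself, so a look-alike page can match a real entry.
function matchByTitle(windowTitle, vault) {
  const needle = windowTitle.trim().toLowerCase();
  return vault.filter((e) => needle.includes(e.title.toLowerCase()));
}

// Extension style: compare scheme + host + port of the page the browser is
// actually on with the entry's URL. A different host never matches, and a
// plain-http copy of an https site does not match either.
function matchByOrigin(pageUrl, vault) {
  let origin;
  try {
    origin = new URL(pageUrl).origin;
  } catch {
    return []; // not a URL at all: nothing to fill
  }
  return vault.filter((e) => {
    try {
      return new URL(e.url).origin === origin;
    } catch {
      return false; // malformed entry URL is never a match
    }
  });
}

// Policy an extension would apply: fill only on exactly one origin match,
// never fall back to the title, and surface ambiguity to the user.
function chooseEntry(pageUrl, vault) {
  const candidates = matchByOrigin(pageUrl, vault);
  if (candidates.length === 1) return { action: 'fill', entry: candidates[0] };
  if (candidates.length === 0) return { action: 'refuse', entry: null };
  return { action: 'ask', entry: null };
}

// Constructed look-alike: same title as the bank entry, different host.
const lookAlikeTitle = 'Example Bank - Sign in - Mozilla Firefox';
const lookAlikeUrl = 'https://login.bank.example.verify-account.test/';
console.log('by title :', matchByTitle(lookAlikeTitle, sampleVault).length, 'match(es)');
console.log('by origin:', matchByOrigin(lookAlikeUrl, sampleVault).length, 'match(es)');
```

The title matcher returns the bank entry for the look-alike page; the origin matcher returns nothing and `chooseEntry` refuses to fill. That refusal is the whole value of doing the check inside the browser: the origin is something the page cannot choose, the title is.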
rpdillon (8 days ago):
I don't think fixing this at the browser level is the right place. In general, I'm very vigilant, but I know I can be tricked. So I have a policy about not clicking links in emails from companies I already know the address for. I also aggressively right click / long tap links to examine the URL before opening. In general, opening a malicious URL exposes the user to unnecessary risk, so the correct solution is not to assume the user has visited a malicious site (since that would already be high-risk), but rather to prevent opening of malicious URLs. The most obvious solution is to treat any untrusted content as questionable. So I very carefully examine every domain I visit - as I say to my kids: have a model about who owns the computer you're talking to. Domains matter. Now, this works for me. I'm not cognitively impaired, I have high conscientiousness, probably from working in military and classified defense contexts way back when, but I'm not really sure to be honest, could just be my personality. But it works for me. I get that you want that extra safeguard, but it's just not a dealbreaker for me, especially since I'm highly suspicious of browser add-ons and the security implications they bring in. I guess I'm just extremely selective about what add-ons I'll use.
simoncion (9 days ago):
rpdillon mentioned KeePass. What have you (that is, Hackbraten) found wrong with the KeePassXC offshoot of it? /me wonders if this is a "recommend me a nice open source, offline password manager" question in disguise.
Hackbraten (9 days ago):
I don’t remember why KeePassXC didn’t make my list last time I checked. That was years ago, so I’m going to check it out again. Thanks for the pointer.
Update: One thing that stands out immediately is a confusing mess of three different projects, two of them unmaintained, which all call themselves KeePassX or KeePassXC, sometimes linking to each other’s documentation. How do I even tell I’m facing the correct KeePass(X(C)?)? project? Yes, I’ll figure it out eventually but until then, it’s confusing. Also, if a password manager project needs to be forked over and over and over again (how can a holder of the keys to the kingdom possibly go MIA on three different occasions in basically the same project?), then does that tell us something about how the project is governed?
simoncion (9 days ago):
> How do I even tell I’m facing the correct KeePass(X(C)?)? project?
Well, [0] lists a single project called KeePassXC, with [1] as its homepage. Search engines list [1] and [2] as the top results for the query KeePassXC, for whatever that's worth. [3]
> Also, if a password manager project needs to be forked over and over and over again ... then does that tell us something about how the project is governed?
No? KeePass is Windows-only software. So, some folks decided to write KeePassX, which ran on Linux, OSX, and Windows. They got bored of that after a decade or so, called it quits, and one of the preexisting forks [4] became the widely-used one.
> how can a holder of the keys to the kingdom possibly go MIA on three different occasions in basically the same project?
In addition to the history I wrote above, you are aware that KeePass is still receiving stable releases? According to [5], it looks like 2.59 was released just last month.
EDIT: Actually, where are you getting this "confusing mess of three different projects" from? When I search for "keepass", I get the official home pages for KeePass and KeePassXC as the top two results, the Wikipedia page, and then the KeePass project's SourceForge downloads page. When I search for "keepassx", I get the official homepages for KeePassX and KeePassXC, the Wikipedia page, the KeePassXC GitHub repo, and an unofficial SourceForge project page for KeePassX.
[0] <https://keepass.info/download.html>
[1] <https://keepassxc.org/>
[2] <https://github.com/keepassxreboot/keepassxc/releases>
[3] And -because I'm a Linux user- not only do I have KeePassXC in my package manager, I also know that [1] is listed as its project homepage.
[4] ...which started like four years before KeePassX's final stable release...
[5] <https://sourceforge.net/projects/keepass/files/KeePass%202.x...>
Hackbraten (8 days ago):
Thanks for taking the time to follow up. When I searched for `keepassxc`, my search engine ranked eugenesan/keepassxc [0] higher than keepassxreboot/keepassxc [1], so the former was the first that I’d visit. GitHub says that eugenesan/keepassxc is 2693 commits ahead of keepassx/keepassx:master, so I assumed that eugenesan/keepassxc was a legitimate and meaningful fork of keepassx/keepassx. Maybe I’m entirely mistaken, and I was just tricked by a blunder of my search engine and eugenesan/keepassxc is just a random person’s fork? (But then again, if it’s just a random fork, then why does it show up at the top, and why so many commits ahead of keepassx?) To add even more to the confusion, not only is eugenesan/keepassxc unmaintained, it also points to www.keepassx.org (why?), which in turn says it’s unmaintained, too. If I was just mistaken and eugenesan/keepassxc is really just a random fork, then my earlier allegations are all moot. Thank you for clearing this up, and also for clarifying that the other (legitimate?) KeePassXC was a preexisting fork (so it would have been difficult for them and possibly even more confusing to users if they had taken over the abandoned KeePassX project).
[0]: https://github.com/eugenesan/keepassxc
[1]: https://github.com/keepassxreboot/keepassxc
simoncion (8 days ago):
What search engine are you using? I've tried DDG, Google, Bing, and Yandex. All of them rank official KeePassXC stuff in the top five results, and -with the exception of Bing- rank it above any other non-Wikipedia results. I didn't see this weird keepassx GitHub fork in the results from any of the search engines I tried.
> When I searched for `keepassxc`, my search engine ranked eugenesan/keepassxc [0] higher than keepassxreboot/keepassxc...
With the greatest of respect, I would expect someone who's sufficiently savvy to know what to do with a GitHub repo in their search result to also be sufficiently savvy to -at minimum- visit the homepage listed in the repo's About blurb and notice that [0] is the very first item in the list of "Latest News". I'd also expect that savvy someone to know to visit the repo's Releases page, notice that there are no published releases, and consider even more intensely that they might not be looking at the software they expected to see. I can't explain why your search system is ranking this misleadingly-named GitHub repo so highly. AFAICT, no one with the repo owner's email address was ever involved in any public development on KeePassXC.
[0] <https://www.keepassx.org/index.html%3Fp=636.html>
Hackbraten (8 days ago):
> What search engine are you using?
I’m using Kagi. They say they rely on several third-party search indexes. I can’t see which one they are using for which particular search request. What I do know is that the backends are of varying quality. However, after years and years of using Google (back when their search was still good), I got used to the fact that if they return a GitHub project as a top search result, then that project was usually meaningful.
> With the greatest of respect, I would expect someone who's sufficiently savvy to know what to do with a GitHub repo in their search result to also be sufficiently savvy to -at minimum- visit the homepage listed in the repo's About blurb and notice that [0] is the very first item in the list of "Latest News".
Forks sometimes don’t update the About blurb that they inherit, and I think that that’s exactly what happened in the bogus repo.
> I'd also expect that savvy someone to know to visit the repo's Releases page, notice that there are no published releases, and consider even more intensely that they might not be looking at the software they expected to see.
In this case, however, the Releases section said “13 tags.” Some projects don’t use GitHub’s Releases feature at all, and rely only on Git tags. It’s sometimes difficult to spot.
mangodrunk (6 days ago):
It’s annoying how people are gaslighting you into thinking this is a solved problem. As if password managers don’t have issues themselves, and even if they did solve that aspect, it’s only a part of the whole problem.
odo1242 (9 days ago):
What about Bitwarden?
valenterry (9 days ago):
No need to write like that. I have known, understood and used passkeys for quite a while now. I don't love them. I don't love passwords either. But while I don't fear passwords, I fear passkeys. The reason is that they make the tech even more opaque. My password manager stops working, completely dies or I can't use it anymore for some other reason? No problem, I can fall back to a paper list of passwords if I really have to. This transparency and compatibility is more important than people think. Passkeys lack that. They can be an interface like you described, but only if everyone plays along and they can be exported. But since there is no guarantee (and in practice, they often cannot be exported either) they are not a replacement for passwords. They are a good addition though. Unfortunately, many people don't understand that and push for passwords to be gone.
ericjmorey (9 days ago):
I have yet to see passkeys used as a sole method of logging in. There's always a traditional username and password setup first. There's always a recovery code set up for the passkey. I have yet to see passkeys offered as the only means of MFA. Which means that your backup methods still work. You can use them for recovering your access. I see passkeys as an optional convenience. It works well for me by that measure.
valenterry (9 days ago):
I agree, but there is no guarantee that it will stay like that. In fact, there are many people who argue to completely get rid of passwords.
palata (9 days ago):
This would be an argument to support keeping the passwords, instead of pushing for not adding passkeys in the first place. And I would agree with that argument.
Flimm (9 days ago):
What about server-generated passwords, like API keys? That would solve the main problem with passwords, namely, that people reuse the same weak password everywhere. I doubt it would be as popular as user-selected passwords, but I still wonder why no website has tried it.
dchest (9 days ago):
How is that different from a passkey's private key, apart from being less secure? It's literally something like hnkTKS7h2WCOBr3CxSKM51cSVKSkiKOSlQsMhtRZ0CU stored in the password manager.
palata (9 days ago):
Why not keep passwords AND passkeys? Most of the time I want to use passkeys for different reasons, but if I lose my passkeys I can go back to my printed list of passwords.
valenterry (8 days ago):
Exactly! That is what I would like to have too and that is in fact how I currently use passkeys.
syhol (9 days ago):
A passkey import/export standard is in the works. Once I know I can back up everything in a KeePass database I'll be much happier.
valenterry (9 days ago):
True. Still, the difference is that with passwords, no one can stop you from "exporting" it. With passkeys, it could be changed, and the power for that lies in the hands of only a few vendors. It's still a bit concerning if they replace passwords forcefully.
dur-randir (9 days ago):
Let me decide for myself what I must love.
account42 (9 days ago):
Also without all that pesky privacy and choice of what you run on your own computer.
RHSeeger (9 days ago):
I love password managers. I dislike passkeys. So clearly that's not the case.