Been seeing some scary stories about every password in the universe being hacked and posted on “the dark evil web”. Several stories have briefly mentioned that we should all switch to passkeys - without really explaining how they work. Looking for a good primer for someone old and dense - like me. There seems to be some reference to the “key” being kept on your device. But what if I access my loot depository from my phone on occasion and from my PC on other occasions?
Scratching my head…
The Yubikey is one typical such device. It has a USB port, and maybe NFC, and supports various static passwords, one-time passwords, 2nd-factor authentication, identity verification, that sort of thing.
Basically, you plug it in and touch it. Any private keys should exist only on the device, so you will need to keep it on you.
Yes, but this standard doesn’t require a dedicated dongle:
Of course, you can use any device that implements the standard; the idea is that (theoretically) it is harder to compromise and grab secret keys from a dedicated dongle (one that is designed to be at least somewhat secure) than a random smartphone.
I also would not back up secret keys on Google or Apple or online. If they are encrypted, it is less of a problem, but where is that decryption key backed up…
You can also use software like 1password or bitwarden to store and use your passkeys across multiple devices. It’s actually really nice. Save it once (on any device), and then on supported websites it just pops up a prompt and asks if you want to sign in. Click yes and you’re in.
Your passkey is stored in the cloud and encrypted with your personal master key (a long password, essentially).
You’d get much of the same benefit if you just used a password manager without the passkeys, but the passkeys save you a step or two and are more secure than a weak password.
Although you can use a passkey with a hardware device (be it an external Yubikey or just your phone), I’d strongly discourage that for most users. Yes, it’s more secure, but it’s also very very annoying if and when you lose that device or upgrade your phone or whatever. The increased security over a software passkey is not worth it for most normal people, IMO. It just adds hassle to your life with security you don’t need. Just use a password manager and use a different password (or passkey) with every site and you’ll be fine.
I get not trusting every platform.
But if you use an Android phone and you don’t trust Google, or an iPhone and don’t trust Apple… that way lies madness.
The networked nature of our tech requires you to: Trust your ISP, your email provider, the builders of the paltform you’re on. If one of those are compromised you are fucked.
At some level it becomes impossible to verify everything personally—every individual microchip? And if you gave up on electronics and locked your secrets in a physical safe, do you trust the manufacturer?
But you can, for example, run modded Android without Google Play Services, and/or with an increased focus on security: List of custom Android distributions - Wikipedia . iPhone is a little more tricky. You could also run Linux on a phone…
You can encrypt your data and metadata so that there is no need to trust your ISP. There are email providers that do not have access to your messages (everything is encrypted). And so on.
So, again, you cannot personally check everything, and who is qualified to?— but it is absolutely possible to reduce your attack surface, which is the responsible thing to do if you deal with private or sensitive information as part of your job.
So let me confirm what I think you said. Use something like 1password or bitwarden. I have the very long, very hard to crack super secret password to that account. When I go to a site that requires a password I can enter one that is 100% unique to that site and the program (1password or bitwarden) remembers that unique password for me. So after visiting 50 sites, it has memorized 50 unique passwords. What happens if the program itself is hacked? Are all my accounts and passwords now exposed?
Not interested in the hardware dongle approach.
At some point, there is always a a single point of failure. Your master password should never be used for any other purposes, so the only way it can be compromised is spyware on your computer or social engineering.
If someone has access to your computer and your master password, you are cooked. If someone has my master password but not my computer, Bitwarden will use MFA to ensure its actually me, or at least someone who also has control of my cell phone.
If I were to start getting Bitwarden MFA requests, I know that my master password has been compromised and I change it. Nothing is ever going to stop a state actor from getting your passwords if they really want it, but your average Joe will not lose to criminals.
So after visiting 50 sites, it has memorized 50 unique passwords.
Yep, or 50 unique passkeys if you prefer. And also 2FA codes if you want to store them there (cuz it’s a lot quicker than having to pull up your phone, and you don’t lose them when you upgrade your phone). However in that case it’s not really 2FA, which is traditionally “something you know and something you have”. It becomes “two things someone else knows, protected by one long password you know”. But it sure is a heckuva lot more convenient.
What happens if the program itself is hacked? Are all my accounts and passwords now exposed?
In theory, your passwords should be encrypted with your super secret master password such that nobody else (whether a hacker or the company itself) can access your data even if they were hacked and all their hard drives were stolen. In the case of 1password, your master password is further augmented by a secret key that together provide stronger protections. If you lose that, or if a hacker doesn’t have it, in theory all your stored passwords are inaccessible.
I say “in theory” because at the end of the day, you are choosing to trust this company with what they say to be true. Some password managers, like LastPass, do have a horrible history of security leaks and should not be trusted. But as far as I know, many others (like 1password or Bitwarden or the ones built into Apple & Google stuff) don’t have major known issues. Whether that makes them safer or more secretive is anyone’s guess.
In the special case of Bitwarden though, it’s supposed to be open-source, so if you’re technical enough, you could in theory self-host it on servers that you exclusively control, and audit all its source code (or pay a security company to do that audit) to get some peace of mind. Both 1password and Bitwarden have outsourced and done many audits, for what it’s worth: Security audits of 1Password and Compliance, Audits, and Certifications | Bitwarden Help Center
At the end of the day, there is always a tradeoff between convenience and security, and it’s up to you determine what balance you find acceptable. If you don’t have super secret national security stuff, honestly, a password manager (basically any except Lastpass) is more than enough security, and already much better than what most people use (weak, reused, memorized passwords).
If you do have super sensitive state secrets, well, probably none of this applies and realistically, you’re pretty effed, and nothing I know will protect you.
But otherwise… it’s fine 
Hardware dongles aren’t worth the trouble, IMO, a huge PITA that just wastes your time.
I self-host Bitwarden - actually Vaultwarden. Everyone in the family has their own vault, then there is a shared vault that we use for things like Netflix and Amazon.
I like Apple’s built in password manager.
(I especially like how I can generate a unique e-mailadres for each account)
There is a plugin for windows browsers.
I tried LastPass, 1Password, KeePass: this is so much easier to use that I can get my family to use it.
This IMHO is the weak point of any password solution: getting people to actually use it.