Here’s what I do for passwords. Thoughts? Secure enough, or no?

I think I have an excellent system. This is for music lovers though.

Think of a song you like. Think of a line in the song.

Pink Floyd for instance (this is not a password I am using)
From the album Meddle. Song ‘One of these Days’.

Lyrics “One of these days I’m going to cut you into little pieces” (it’s just a coincidence that that is the only lyric in that song; any song will do)

Take the first letter of each word, capitalize one of them, add a number and a special char.

Ootdigtcyilp23$

All you have to do is think of a song, a line in it that you like, and bingo, secure pwd that you can remember. And a never ending amount of passwords that you can use.

Oh, this is just the start. My bot-legions will render your online corpus limb for limb, tissue by tissue, eyeballs to toenails, and reassemble it into a database of your entire prosopon such that my oracle can divine your every thought, ambition, urge, desire, intention, and flight of whimsy. I will know you not only better than you know yourself, but more thoroughly than the bacteria that colonize your intestines. The portal into your mind will be revealed, and not behind a filing cabinet on the 7-1/2 floor of the Merton-Flemmer Building.

Seriously, that is a pretty good scheme for not making access to the password manager a single point of vulnerability, at least until someone figures out the pattern (impossible for a casual attack) or you one day suffer retrograde amnesia. But while brute force attacks and social engineering to gain access are the most common ways to defeat passwords, there are other inherent vulnerabilities in any system reliant only upon a password to access.

That probably seems secure to you, and certainly would be against a human hacker, but a sufficiently oriented AI agent with, say, access to your streaming music history could tease out that pattern and make that scheme as vulnerable as a Master padlock.

Stranger

I disagree. Who am I in real life? And more importantly, what system is that pwd used for?

I do something similar, but my system is to think of a title (of any kind of work) and misspell or otherwise corrupt it in a way that’s easy for me to remember, and then add the extra characters. For example (not a real one I’m using):

Title: The Big Lebowski
…mispronounced in a funny way results in…
PW: daboogloobooskie23$

Since you seem to be a resident expert in passkeys, and I know nothing of them beyond what you’ve written …

I presently use Bitwarden as a password manager and have long random PWs for all ~250 of my logins. The master PW to get into Bitwarden is also long and just pattern-enough for a mere human to remember it.

I have been reluctant to embrace passkeys because of concerns about sync across my devices & browsers. My PC runs Win 11 and I use the Edge browser. My phone is Android and uses the Chrome browser. I can’t sync favorites between them; import/export back and forth certainly, but not true bidi sync. Each browser has a built-in PW facility, but those don’t interoperate / mutually sync either.

The Bitwarden extension available for both browsers does sync, and so that’s where all my PWs are. Bitwarden also handles PWs for phone apps which are allied with websites. e.g. the Amazon app & amazon.com website both get their PW from Bitwarden. Lastly Bitwarden handles storing my credit cards, and other form-filling data.

With that background, here’s the question:

So how do passkeys get synced across these non-cooperating vendors and devices? If I still want/need Bitwarden for the form-filling & credit card data, and other similar secure synced repository info, how do passkeys in lieu of PWs really help me?

If I am going to switch to passkeys for those sites / apps which support them, how do I disable the existing PW so somebody can’t get in that way, nor perform a PW reset to create their own PW into my account? As you say, if you have both enabled, then leaking either one is a total security fail.

Lastly, what is the passkey equivalent of the “I forgot my password & need a reset” process? We can all imagine someone with a bricked device and no fresh cloud backup of their passkeys. What now? How to get back in to all their various accounts?

Surprised this has not been posted yet:

Use passphrases. You can remember them easily and they are hard to break cuz they are (or should be) long. E.G. ILovemydogFiFiI22

I use three. One simple one for things like a magazine sub. A longer one for things like the SDMB. And one with numbers and special characters for my bank accounts and such.

Easy to remember and pretty secure.

Bitwarden also handles passkeys. A passkey is saved to the same Bitwarden entry that your username and password are saved to, and synced across devices. You may have to tell your browser or OS that Bitwarden should be the passkey handler.

When I go to website and use a passkey login on my desktop browser my Bitwarden window comes up and requires my Bitwarden password. On my phone I can use my fingerprint to unlock the passkey.

Try it. Using passkeys is very slick on the sites that have it implemented well.

(Disclaimer: I’m not a security professional, just a web developer. So what I offer are merely semi-educated blatherings… I’m definitely not the final word on any of this!)

Passkeys don’t have to be hardware-backed. They can be (and increasingly are) software-only, in which case, it’s not very different than how you would sync your passwords or 2FA codes.

When you save a passkey to Bitwarden, Bitwarden keeps your private key in its own vault. When you enter your master password to Bitwarden, it uses that to decrypt the stored private keys, and then it can generate public keys for your passkey-enabled logins.

OS passkey/password solutions like Windows Hello or iCloud Keychain work the same way.

If you know what a SSH keypair is, it’s similar to storing your private key on the cloud instead of on disk.

Passkeys in theory CAN be tied to specific hardware devices (and they typically were when they first launched a few years back), but rarely are these days anymore since people prefer the ease of syncing across devices rather than the stronger security of a device-specific passkey. You’d have to go out of your way to make a device-specific passkey now (and if you’re going to do that, you might as well tie it to an actual YubiKey or such for even more security).

TLDR: Syncing your passkey basically happens the same way you sync any other password. It just gets saved to the cloud storage and decrypted with your master password.

That’s the rub. I’ve never seen a real-world, passkey-ONLY login. In every single implementation I’ve seen, passkeys are provided as a convenience measure on top of passwords, not a replacement for them. (And I’m so sorry I wasn’t clearer about this in my first post above.)

This means that adding a passkey to your account (while keeping the password) primarily improves convenience, not security.

Does it decrease security? Maybe, maybe not — but not by any real-world amount of consequence, IMHO. Yes, technically it means that you’d now have two secrets that could potentially leak (your password and your passkey), but realistically, neither one would be leaked unless you have malware on your computer or Bitwarden’s cloud itself gets hacked. And if that happens, all your logins are gone anyway. Once they get your master password, it’s basically all over. (Side note: That is one slight improvement in 1password’s security model over Bitwarden’s. There, your vault is double-encrypted not just with your master password but also a separate, random secret key that gets saved to your device, adding a little more security).

On the other hand, having a passkey not only makes your logins more convenient, it MAY also add a LITTLE more security in that you are no longer transmitting your password (or a hash of it) over the internet, but only your public key. Cryptographically that is way, way stronger. If your password gets leaked over the wire, people can try to re-use it elsewhere (but again, that doesn’t matter if you’re using a website-specific one anyway). If your hash gets leaked, rainbow tables can be used to look up weaker, non-salted implementations to find the original password. If your passkey’s public key gets leaked… nothing happens. There’s not enough computing power to decrypt it (for now).

Realistically, none of these are significant threat models. Attacks usually happen against the weakest parts of the chain, not the strongest. With a strong password (and optional passkey), you’re already basically doing the best you can, and from there on out it’s up to the browser, OS, and password manager vendors to do their parts.

Using any sort of password manager at all is itself a security tradeoff. You trade numerous, shared, weak passwords for one strong, master password (and perhaps a secret key). But that then becomes your single point of failure.

For most users, that is still a good tradeoff, because realistically humans can’t remember hundreds of strong random passwords.

Adding passkeys on top a password manager won’t meaningfully increase or decrease your security, but will make it more convenient day to day — primarily because most of the time that removes the need to also enter a time-based 2FA code.

If you want to meaningfully increase your security (which I don’t think any home user should — the tradeoff is not worth it), you’d have to go to more inconvenient methods like physical keys, three+ factor auth, etc.

You login with your password and add a new passkey to your account, removing the old one if you wish.

Almost always, each account lets you have more than 1 passkey. The original idea was that your phone would have one passkey, your laptop another, your desktop a third, etc. But modern usage has deviated away from that implementation and often it’s just the 1 passkey saved in the cloud and synced across all devices anyway.

In either case, though, because all real-world implementations I’ve seen still depend on a password, it’s still ultimately your password that controls your passkeys.

And again, I’m sorry I didn’t emphasize this enough earlier: If you have a weak password, adding a passkey will not materially improve your security. If you already have a strong password, adding a passkey will not meaningfully improve or worsen your security, it’ll just make life more convenient.

Sorry I wasn’t clearer about all this before.

Bitwarden can handle passkeys (as can, I assume, any modern password manager).

If you don’t have any computing ‘ecosystem’ that syncs across devices you’ll need to use some third party manager that has that capability to manage passkeys for accounts on different devices.

Most systems that use passkeys will let you select between using a password or a passkey, or you can just enter a password that is as complex as a passkey but that you’ll never need to memorize and reenter.

Somewhere in the chain, you will have some kind of account that you can log into with a password (ideally one that you don’t keep on your password manager so that if it gets hacked in some way you can still clear and reset passkeys to limit security compromise.) Here is the Google Chrome explanation for using and recovering passkeys using Google’s system. (Not an endorsement, it was just the quickest thing I could find that explains it simply.) Apple’s MacOS ‘ecosystem’ works in a similar fashion but with the addition of biometrics on their mobile devices and newer MacBooks.

(Almost) all you ever wanted to know about passkeys:
What Is a Passkey? Here’s How to Set Up and Use Them (2025) | WIRED.

If you want even more security and the ability to dump passwords completely, then you can go to a USB biometric key like the YubiKey which can store the passkeys offline. Just don’t lose the key because you will then be truly fucked unless you have a backup.

Stranger

Thank you both. And yes, I’m familiar with the whole PKI technology. It’s the implementation details of passkeys at the UI level I’m clueless about at least before this morning.

From my POV, unless I can switch away from needing a 3rd party app like Bitwarden and just rely on the various OSes and browsers doing it all, including syncing natively, there’s no real upside I can see to them.

When I use Bitwarden in my PC browser, I have the extension configured to log off / lock up after a few minutes of inactivity. So although I type my master PW a couple times a day, I’m not having to supply it for every login to every website; it’s pretty much once per session at the computer.

If I understood @echoreply correctly, for passkeys with Bitwarden I’d be required to supply the Bitwarden PW for every login. That’s a huge step backwards in convenience.

And thank you @Stranger_On_A_Train for some good cites.


Attitudinally I try to a) avoid using 3rd party tools if built-in tools do the same job adequately and b) avoid being a Luddite. But from where I sit today it seems that as long as the various ecosystems refuse to play nice together I’m stuck with a 3rd party solution. And it seems that although passwords, even cryptographically strong ones, are an aging tech reaching end of life, their replacement by passkeys in their present form is not yet really a foregone conclusion.

Thanks for all the education; for now I’m inclined to stand mostly pat. But with a more-informed eye on how this all develops.

Right, like the users themselves. There’s an xkcd comic for that too:

Not that the scenario depicted in the xkcd comic is a realistic worry for most people, just that the user is the weakest link in many security threats—including voluntarily giving up a password by social engineering or in a phishing attack.

It is a tradeoff. In exchange for entering your password to Bitwarden when you login, you don’t have to deal with all of the broken autofill stuff on websites. So many sites split the username and password field across different pages now, or some that even do stuff to actively make autofill not work, that typing my password into Bitwarden is preferable.

If you can use a biometric to open Bitwarden, then that biometric will also work to unlock passkeys.

For me, these are the frequent alternatives:
Type my Bitwarden password, click “fill” to enter my username, click login, click “fill” again to enter my password, click login, paste my TOTP code, click login.
Or
Click “passkey” on the website, type my Bitwarden password.

Also, this applies for all password managers, you should disable the stuff where you can click into the username or password field, and that brings up a password option. Web pages can mess with that, and it is a security vulnerability. Web pages cannot mess with clicking on an extension in the browser title bar, and clicking “fill” up there.

What echoreply said. The passkeys completely bypass the multi-page login flow that many websites now have, where you first enter your username, then wait for a load, then enter your password, then wait for a load, then enter your 2FA code and finally you get in. Passkeys go straight to “logged in”. You don’t have to fight the autofill system or pray that Bitwarden parses the DOM correctly (which it often fails to, in my experience).

I’m fairly certain it’s the same way with passkeys (at least when I use it on the desktop, in Firefox). As long as your Bitwarden is unlocked, everything in it (passkeys, passwords, 2FA) should also be unlocked. It just pops up a little box confirming that you want to sign in with a passkey, and that’s that — no need to reenter your master password unless your Bitwarden re-locked itself. Same as passwords.

But yeah, if you’re already happy with the autofill + 2FA flow, you don’t need passkeys. They just make it easier to skip all that nonsense.

You should be able to easily add a passkey to try it out for yourself if you want, and remove it again if you don’t like it. I only bother setting one up for the especially annoying websites that have multi-page logins and/or required email/text confirmations. Typically (but not always) a passkey can bypass all that and make logins much quicker.

But then again, at work I’m logging in and out of various services dozens of times a day, so there the passkeys are more valuable to me. If you only do it once every few days, it doesn’t matter…

I’ve always found it hilarious that “Correct Horse Battery Staple” almost certainly made it onto hackers’ “Top 100 Passwords To Try” list, right next to Password123 probably.

Now that’s some wisdom. The growth in the username + password + text message to phone on websites of trivial importance has gotten old. Onward into the Future!

Incidentally, that is where the name steampunk comes from.

How about what I went through last night to log in to my stupid Lowe’s account:

  • Enter username and password
  • Get error
  • Verify password in password manager
  • Enter username and password again. This time it works, but they send a two-factor code to an email address I rarely use.
  • Check for email repeatedly. Nothing.
  • Log into my email account online to check spam folder. After accepting my username and password, they send a two-factor code to my work phone.
  • Can’t find work phone, realize I left it in my car in the driveway. Retrieve phone, get code, but code has expired.
  • Finally log into email, find email from Lowe’s in spam filter, enter code. Of course this code has now expired as well.
  • Request another code from Lowe’s.
  • Finally log in. :roll_eyes:

At least Lowe’s actually sent the emails with codes promptly. Other websites—like Amtrak—take 15-20 minutes to send a code, at which point they are expired before I can use them. Whose bright idea was it to make two-factor codes sent by email expire in 5 or 10 minutes when it takes longer than that sometimes to get an email?

Lowes has passkeys, which does save trips out to the car, unless that’s where you left your Yubikey.

However, it is still pretty dumb. Click the “login with passkey” on the sign in page, then your passkey manager will prompt for a password. While that is happening, the Lowes site changes and asks how you want to receive your second factor. Ignore it, and click “send passkey” or whatever, and then Lowes will log you in, without sending the second factor.

Password+TOTP and passkeys are probably in practice similar levels of security, but passkey is a big winner over password+SMS. First for convenience, but also for security. SMS as a second factor is much better than nothing, and will protect from mass attacks, but SMS for authentication is a huge security hole for focused attacks. SIM cloning is still a huge problem, and if someone is after you, it is likely to be one of the first steps in the chain of breaking into all of your stuff.

Security of SMS is dependent on security of a telecom company, which have historically been terrible.

Not at all. It only takes two steps:
1: Do something stupid and insecure.
2: Tell your users that it’s a passkey.

It’s really no harder than screwing up a thing that you’re calling a password.

That might be half-decent, but only until you tell someone that that’s what you do (like you just did). Once they know that, and your taste in music (not hard to figure out), they’ll only have a few thousand passwords to try.

What a lot of people miss about that is that the words must be chosen randomly. If you’re not choosing randomly, then attackers can figure out what you’re likely to have chosen. Even just making an intelligible (if nonsensical) sentence vastly reduces the search space.

With a truly secure system, you can tell the world your entire system, and it won’t decrease your security at all. For instance, for my online banking password, I took this grid:

       1  2  3  4  5  6  7  8  9 10 11 12
   1   q  w  e  r  t  y  u  i  o  p  a  s
   2   d  f  g  h  j  k  l  z  x  c  v  b
   3   n  m  Q  W  E  R  T  Y  U  I  O  P
   4   A  S  D  F  G  H  J  K  L  Z  X  C
   5   V  B  N  M  1  2  3  4  5  6  7  8
   6   9  0  `  !  @  #  $  %  ^  &  *  (
   7   )  ~  [  ]  \  {  }  |  -  =  _  +
   8   ;  '  :  "  ,  .  /  <  >  ?

then rolled a d8 and a d12 (rerolling any 8-12 result). Then I repeated that process a total of 20 times. The resulting characters were my password, and you’re no closer whatsoever to getting into my bank account than you were before.

Heh, true enough.

Now if you can just make sure to roll the exact same way next time, you’ve created your own D&D password manager!