I am largely unconvinced of the downsides of passwords presented in the article. Especially the historical angle. Old != bad. In fact, it is a testament to the fact that the password system is simple enough to be done analog, easily understood without any training.
My question to the people here is: are passkeys actually the future? Or are they an over-hyped, over-engineered thing being forced on everyone? I say this as someone who doesn't know much about passkeys. And I'm not a fan of the "holier than thou" feeling from people proselytizing passkeys. Take the public's / user's doubts seriously. You wouldn't break into someone's home and force them to get a different lock mechanism for their safe, or front door.
---
Counter-points to "password bad"
> Password Overload
Use a password manager.
> Email Requirement
Passwords don't require email. Email is commonly used as a user ID. You can also use other mechanisms such as "store this long key in your records and if you forget your U+PW then use it for recovery".
> Single Point of Failure ... email acts as a one-stop shop for attackers looking to hack your accounts, either by getting into your email account itself or by sending you convincing password reset emails that send you to a phishing page ...
I agree. Solely having "what you know" info makes phishing possible.
> Service Provider Negligence
A weak argument that could be applied anywhere to "but I don't trust them to do the right thing". All we need is good U+PW auth libraries and clear education like https://thecopenhagenbook.com/. Give actually big fines for companies that have breaches, then magically security will get better.
> Human Error ... passwords rely on randomness to be secure, but they also rely on humans to generate them... Humans are very bad at generating random numbers
Use a password manager. This article reeks of a wannabe expert tone with the certainty, finality, and generality (I can speak confidently yet have an out because I used the word "most" or "possibly"!) of its claims.
> Imagine if every time you connected to a website with HTTPS, you had to come up with your own encryption key. Would that be a secure system?
I can't take the author seriously with these arguments. Put your big boy/girl pants on and use your brain, stop using hypothetical straw men to easily knock down.
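The "store this long key in your records" recovery mechanism the comment above mentions, as an added example that is not part of the original post: the service issues a batch of high-entropy recovery codes, keeps only their hashes, and burns each code on use. The in-memory store, user ID and code format are constructed for illustration; a real deployment would persist the digests alongside the account and rate-limit the redemption endpoint.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store for this example: user ID -> set of SHA-256
# digests of the codes that have not been redeemed yet.
_store: dict[str, set[bytes]] = {}


def _digest(code: str) -> bytes:
    # Normalise what the user types (case, dashes, spaces) before hashing so
    # a hand-copied code still matches what was issued.
    norm = code.replace("-", "").replace(" ", "").upper()
    # Plain SHA-256 is adequate here, unlike for passwords: each code carries
    # 80 bits of randomness, so there is no dictionary to run against the hash.
    return hashlib.sha256(norm.encode()).digest()


def issue_recovery_codes(user_id: str, count: int = 8) -> list[str]:
    """Generate `count` random codes, store only their digests, and return the
    plaintext exactly once so the user can write them down."""
    codes: list[str] = []
    digests: set[bytes] = set()
    for _ in range(count):
        raw = secrets.token_hex(10).upper()          # 20 hex chars = 80 bits
        code = "-".join(raw[i:i + 4] for i in range(0, 20, 4))  # XXXX-XXXX-...
        codes.append(code)
        digests.add(_digest(code))
    _store[user_id] = digests  # re-issuing replaces any older batch
    return codes


def redeem_recovery_code(user_id: str, candidate: str) -> bool:
    """Return True and consume the code if it matches an unused one.
    Comparison is constant-time; unknown users and spent codes both fail."""
    digests = _store.get(user_id, set())
    cand = _digest(candidate)
    for d in list(digests):
        if hmac.compare_digest(d, cand):
            digests.remove(d)  # single use: the same code never works twice
            return True
    return False


def remaining_codes(user_id: str) -> int:
    """How many unused codes the user still has (useful for a re-issue nudge)."""
    return len(_store.get(user_id, set()))


if __name__ == "__main__":
    issued = issue_recovery_codes("alice")
    print("write these down:", *issued, sep="\n  ")
    print("first use:", redeem_recovery_code("alice", issued[0]))
    print("replay:   ", redeem_recovery_code("alice", issued[0]))
    print("left:     ", remaining_codes("alice"))
```

The two properties worth noting are that the server never stores a recoverable copy of the codes (a database leak yields only hashes of 80-bit random strings) and that a redeemed code is removed immediately, so a code phished once cannot be replayed.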