undefined | Better HN

0 pointsabdullahkhalids4mo ago0 comments

My password manager (keepassxc) has a browser extension that only lets you autocomplete the password on a page if the url matches the one stored in the database.

Sure I could manually copy the password from the database, but in practice, this is fairly good security. It also doesn't treat the user as an always-idiot, which is a good thing in my book.

0 comments

ewoodrich4mo ago

I'm struggling to think of a reason why being "treated as an always-idiot" is an actual negative in this specific example.

I use Bitwarden and when the password autofill doesn't work as expected my first assumption from many previous experiences is that it's because a website changed something slightly in their auth flow or a particular page has a weird redirect/embedded login scheme different than the primary login, or similar "modern" web weirdness.

So if I get phished and let my guard down just that one time due to panic, sleep deprivation, or whatever else I'm glad that it gives me a second layer of defense against me reflexively clicking a couple times to copy/paste the password manually. A passkey dropdown with "No passkeys saved for this site" would be a massive red flag and stop me in my tracks before trying to do something else stupid.

abdullahkhalidsOP4mo ago

Passkeys do protect you from such mistakes in a way the current implementation of the browsers/password managers/web-specs don't.

But that is after 10s of millions of dollars or more have been poured into the development of passkeys, resulting in new standard specifications, diverse implementations of password managers, etc.

Now, imagine the counterfactual world where those same dollars were devoted to improving the password infrastructure. Could we have forced the average person to always password managers with long randomized passwords? Could we have build better webspecs around password entry workflows, and forced websites to fix the issues you face? I think the answer is yes.

Against this counterfactual world, passkeys are not in practice much better.

stavros4mo ago

Except we already are living in that counterfactual world. Companies haven't been sitting on their hands while lamenting how bad passwords are, we've spent many times more money trying to make passwords secure than we've spent on developing passkeys.

1 more reply

skybrian4mo ago

That works for you, but the website doesn't know you use a password manager, so they'll often want you to use SMS as a second factor.

Passkeys require some kind of password manager. That's the main benefit. The adoption problems are because a lot of users don't really understand password managers.

abdullahkhalidsOP4mo ago

I bet that Google+Apple+Microsoft could have gotten 95% of the world on password managers by building excellent password managers into the OS, and demanding that one can only login into their websites with passwords that have at least 100 bits of entropy.

And it could have been done 10 years ago.

skybrian4mo ago

I don't think a password manager would get much adoption if it refused to save the passwords you already have?

Google's password manager does nag you about bad passwords, but it's easy to ignore.

Looks like it's been around ten years since it was introduced. It doesn't seem like enough.

1 more reply

j / k navigate · click thread line to collapse

0 comments

ewoodrich4mo ago

I'm struggling to think of a reason why being "treated as an always-idiot" is an actual negative in this specific example.

abdullahkhalidsOP4mo ago

Passkeys do protect you from such mistakes in a way the current implementation of the browsers/password managers/web-specs don't.

But that is after 10s of millions of dollars or more have been poured into the development of passkeys, resulting in new standard specifications, diverse implementations of password managers, etc.

Against this counterfactual world, passkeys are not in practice much better.

stavros4mo ago

1 more reply

skybrian4mo ago

That works for you, but the website doesn't know you use a password manager, so they'll often want you to use SMS as a second factor.

Passkeys require some kind of password manager. That's the main benefit. The adoption problems are because a lot of users don't really understand password managers.

abdullahkhalidsOP4mo ago

And it could have been done 10 years ago.

skybrian4mo ago

I don't think a password manager would get much adoption if it refused to save the passwords you already have?

Google's password manager does nag you about bad passwords, but it's easy to ignore.

Looks like it's been around ten years since it was introduced. It doesn't seem like enough.

1 more reply

j / k navigate · click thread line to collapse