Passwords suck. Can passkeys replace them?

To help keep your account secure, from May 30, 2022, ​​Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.

To keep your account more secure, Gmail no longer supports third-party apps or devices which require you to share your Google username and password. Sharing your account credentials with third-parties makes it easier for hackers to gain access to your account.

It’s an unfortunate fact that many people use the same credentials to log into different accounts. This password practice is a big part of what enables account takeovers, as it increases the likelihood that hackers can use compromised credentials to access sensitive information across accounts.

For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.

Also, service providers can offer passkeys without needing passwords as an alternative sign-in or account recovery method.

When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password.

Unique Passwords and U2F are not perfect, but they are good. Unique Passwords reduce the impact of phishing, but can’t eliminate it. U2F doesn’t prevent malware, but does prevent phishing.

t’s important to emphasise that if you don’t reuse passwords, you are literally immune to credential stuffing.

Many companies send our passwords via email. Whether these emails come from our IT department, a colleague, a SaaS solution or elsewhere, it's not a good idea to send and receive passwords via email.

If you would like to use Google's cloud to store and sync your Chrome data but you don't want Google to access the data, you can encrypt your synced Chrome data with your own sync passphrase.

Probably you should change the password using GNOME Settings to keep it synced.

The confession-book, I suppose, has disappeared. It is twenty years since I have seen one. As a boy I told some inquisitive owner what was my favourite food (porridge, I fancy), my favourite hero in real life and in fiction, my favourite virtue in woman, and so forth.

The practice of throwing a bunch of purloined user names and passwords at various services to see what sticks is known as credential stuffing, and it’s hit the media industry particularly hard in recent years.

Onceability can be the result of the exaggerated demand for un-memorable passwords.

Take a moment to consider the alternative. No, not the IT department's fantasy world, that never-gonna-happen scenario where you create a strong, unique password for every account, memorize each one, and refresh them every few months. We both know it's not like that. The reality is that in your attempts to handle all those passwords yourself, you will commit the cardinal sin of reusing some. That is actually far more risky than using a password manager. If a single site that uses this password falls, every account that uses it is compromised.

Password reuse is a serious problem because of the many password leaks that occur each year, even on large websites. When your password leaks, malicious individuals have an email address, username, and password combination they can try on other websites. If you use the same login information everywhere, a leak at one website could give people access to all your accounts. If someone gains access to your email account in this way, they could use password-reset links to access other websites, like your online banking or PayPal account.

Here you can do some social good; we know how much passwords are reused and the reality of it is that if they've been using that password on one service, they've probably been using it on others too. Giving people a heads up that even an outgoing password was a poor choice may well help save them from grief on a totally unrelated website.

I'm providing this data in a way that will not disadvantage those who used the passwords I'm providing.

As such, they're not in clear text and whilst I appreciate that will mean some use cases aren't feasible, protecting the individuals still using these passwords is the first priority.

"Changing your password is definitely the right start," Tyler Carbone, chief strategy officer at secure provider Terbium Labs said. "The other thing users need to remember is that with this password exposed, it cannot be trusted for any other services either, so they need to make sure they aren't reusing it."

The gem provides a command line utility for checking passwords.

example of using this gem to show how many times the digits of Pi have been used as passwords and leaked.

Google figures that since it has a big (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in innumerable security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.

Download the billions of breached passwords and blacklist them all. Attackers have a copy; so should you.

A user need only remember the master password for the password manager — preferably something like a seven-word diceware passphrase, easy to remember, hard to crack.

"If someone knows your old passwords, they can catch onto your system. If you're in the habit of inventing passwords with the name of a place you've lived and the zip code, for example, they could find out where I have lived in the past by mining my Facebook posts or something."Indeed, browsing through third-party password breaches offers glimpses into the things people hold dear — names of spouses and children, prayers, and favorite places or football teams. The passwords may no longer be valid, but that window into people's secret thoughts remains open.

These massive dumps of free passwords lower the cost of an attack dramatically. Password reuse or password guessing attacks are script kiddie stuff. Defending your organization against such threats is basic due diligence.

Single-factor authentication based on "something you know" (e.g., a password) is no longer an acceptable best practice. "I'm pretty well convinced passwords are a horrible system," Professor Douglas W. Jones of the University of Iowa, says

There is MiniKeePass on the iOS App Store, but I'm not sure if I trust it not to make off with my data. Also, syncing between my PC and the app would be a pain. (1Password has local WiFi sync) There is also KeeFox for Firefox integration, but I'm not sure if I trust that either. In short, I trust KeePass itself, but I'm not sure if I can trust the third-party developers of the mobile app and browser extension.

Seriously, the lesson I'm trying to drive home here is that the real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible

In 2017 NIST (National Institute of Standards and Technology) as part of their digital identity guidelines recommended that user passwords are checked against existing public breaches of data. The idea is that if a password has appeared in a data breach before then it is deemed compromised and should not be used. Of course, the recommendations include the use of two factor authentication to protect user accounts too.

Here at Twilio we’re fans of using a second factor to protect user accounts, but that doesn’t mean we’ve forgotten the first factor. Encouraging users to pick strong passwords is still the first line of defence for their accounts.

Another problem with simple login-based authentication is that there is no way to control how much access an individual third-party application gets: it's an all-or-nothing deal based on whether you are willing to give the program your password.

When third-party software runs amok with your login information for a Web application, the only way to stop it in some cases is to change your password

One article even proclaims the death of passwords for gaming apps because of this new trend. This could signal a big change for security (assuming every user has a mobile number).

Should you be concerned about LastPass uploading your passwords to its server?