Passkey pop up everywhere, Mike Pound explains what they are! Check out Brilliant's courses and start for free at https://brilliant.org/computerphile/ (episo...
There’s a few differences. One is the length. Another is the randomness. The biggest, though, is that in a passkey, the server is verified as well. That means phishing is nearly impossible.
Yes, kind of. You’re still giving them your password every time you log in. And it’s on them whether they store it hashed or in plain text. With a passkey, you know that even if they’re hacked, they’ll never get your actual private key.
But, if they’re hacked, your key is probably the least of your concerns.
Doesn’t a normal modern password, hashed, essentially do the same thing?
No sane service has your actual password.
Granted this was 1999 but I wish I could unsee the shit I saw one day when I did a SELECT password FROM user
No. When you log into a website your password is sent to the server. A passkey is not.
That depends entirely on the service.
Nothing prevents the password from being hashed client-side, only ever sending the hash to the service.
Then that hash is effectively your password
True, but with passkeys they’re never sent, by design.