Why PassKEYS are Replacing PassWORDS
ฝัง
- เผยแพร่เมื่อ 8 ก.ย. 2024
- Check out Secretlab’s BFCM sale at lmg.gg/secretl... and save up to $150 off chairs and $100 off desks!
Learn how passkeys work and why they're replacing passwords.
Leave a reply with your requests for future episodes.
► GET MERCH: lttstore.com
► LTX 2023 TICKETS AVAILABLE NOW: lmg.gg/ltx23
► GET EXCLUSIVE CONTENT ON FLOATPLANE: lmg.gg/lttfloa...
► SPONSORS, AFFILIATES, AND PARTNERS: lmg.gg/partners
FOLLOW US ELSEWHERE
---------------------------------------------------
Twitter: / linustech
Facebook: / linustech
Instagram: / linustech
TikTok: / linustech
Twitch: / linustech
One thing to note about biometrics in general.. law enforcement (in the USA) can *_NOT_* force you to give them the PIN to your phone or passwords for devices or accounts .. but they *_CAN_* legally force you to open or access something using your finger, face, etc. To be clear, I'm saying they are allowed to literally grab your hand and forcefully push your finger onto the device with the express intent of opening / accessing it .. against your will. They can't force you to give them a password or PIN.
You can use a PIN or password or pattern or security key (or whatever you use to unlock your device) instead of biometrics when you use passkeys.
Technically, they _can_ (physically, not legally) force you to give them your pin or password too.
*_Staring down a gun barrel is one hell of a motivator._*
@@WackoMcGoose AKTSHUALLYY ... ugh .. gimme a break.
Not to mention, they will have your fingerprint and mugshot when the book you!
@@josefmazzeo6628 Even if they could use your mugshot or fingerprints to get into your device / accounts .. it would be illegal, and any evidence gained that way would be "fruit from the poisonous tree" and inadmissible in court.
Passwords are stored in the balls.
Haha!
Facts
deep
I can verify that this is true.
Piss and passwords...so eco friendly.
In the US, you can be compelled by the police/courts to log into any account using your biometrics; i.e. face or finger print, regardless of your 5th Amendment right against self incrimination. They cannot, however, force you to reveal a password or pin.
It's good that we can use PIN or password or pattern or security key to access our passkeys. Biometrics aren't the only option.
"I forgor" -best defense ever
that's why when you're done with your phone or in emergency you can turn off your phone and it'll force a password if you have one
Excellent point
This is the real reason they're trying to phase out passwords.
The only way for a government to force you to provide a passphrase is with torture.
I really don't like biometrics as a basis for authentication. The scanned biometric value that gets compared is essentially just a really strong password, but if it gets leaked somehow, you can't change it. I'd rather change my password than change my fingerprint.
Your biometric doesnt leave your device. Your device just says "yup that's my user who is trying to authenticate" and then sends the passkey to the website. If you try to sign in from someone else's device using biometric it won't work because thier device only knows thier biometric not yours.
@@Redwan777 thing is using biometrics is just using 1 strong password for everything that you cant change once it leaks
@@Redwan777 "Yout biometric doesnt leave your device" here you are putting your trust in the device (device is not just a phone, anything that can collect your fingerprint).
The point he is making is "if someone somehow get your fingerprint, you can't do nothing about it".
@@Thiagola92my dude no-one will try to get your fingerprint, its hard af
@@Thiagola92 Of course, you can do something about it. As I said, the biometric data doesn't leave your device. The biometric only authenticates it's you the owner is trying to unlock the device and the one trying to send the passkey. The passkey is only bound to your device. So, if you fear your fingerprint is compromised, and an entity is trying to use that fingerprint, they can't go really far without physically acquiring the device that is holding the passkey. You can simply set another finger as your biometric authentication for your device unlock, making the previous fingerprint totally useless. If you don't trust the biometric system at all, you can use your regular device unlocking pin/pattern/password.
I don't think you have to go that far on a daily basis. Android has a lockdown mode that can be accessed from power menu that disables biometrics. And on iPhone you can reboot the device to do the same. Can't say the same for windows laptops, tho (be it password or biometric).
This is not technically wrong, but also a dangerous misrepresentation of biometric access. A lot of biometric access does not use a passkey in the way described here, but stored it in a local server that can be hacked, and the data stolen. Things like paying for your groceries with your handprint, or scanning into work with a fingerprint. If a password gets hacked you can change it, but you can't change your face or handprint so easily. Biometrics are not always the best option.
See, this is part of what I was thinking. How is any stored credential any different from another? It's all data in the end that can be copied if accessible. He talked about public-key cryptography but wouldn't ALL credentials benefit from using that? Sounds like it's not passwords fault but the services that we use not having good security or usage of available technology to protect those credentials
A password is way easier to replicate than a fingerprint. You can even guess them in many cases. But you can't guess someone's face, voice or fingerprints.
I'm not sure how other technologies work, but he's specifically talking about passkeys. I'm pretty sure your face isn't actually saved anywhere but only specific features of it. And they're probably hashed too, so nobody could read them even if they got access to the data. But I don't know any of this for sure. You gotta look it up yourself.
Exactly what I was thinking!
Fingerprints are easy to change with a cigarette lighter and enough will power.
One of the major issues with biometric systems is that once what we'll call the access key is pwned, then it's effectively game over. You're unable to change your fingerprints, DNA, etc., so in the hypothetical, there may come a time when biometric security will become irrevocably insecure.
Just to note, passkeys can work without needing any input of your username or email. Once they are tied to your account, it just needs you to verify on your device.
Which is bad, because it can result in going from 2FA/MFA back to just a single factor.
@@CoolJosh3k but the single factor isn't vulnerable to phishing or bruteforce attacks. It's a win win
@@Mr.DarrenGriffin Every factor was ways it can be broken. For example, while you can’t brute force possession, possession isn’t 100% secure because it has ways that it too can be defeated.
@@CoolJosh3k It's not a single factor. They'll always require the passkey itself as well as either biometrics or pin. For example, even if you had somehow obtained my passkey, you still wouldn't be able to authenticate with any services, because you wouldn't have my face or pin. Additionally, the username is generally not considered a factor.
@@ivanmalinovski7807 It becomes essentially a single factor as soon as the passkey is stored on the device making the request.
My bank is trying to push the new app with passkeys, which I resist so far. Why?
We are on a party. Maybe by coincidence you see me using my banking app. I enter the 5 digit pin which is easy to remember.
We talk a bit and hey you hear about my newborn son.
You ask if you can scroll through some pictures and I hand you the phone for 2 or 3 minutes.
In that time you open the banking app. It only requires the easy to remember 5 digit pin to log in an authorize transactions.
You quickly enter your data, authorize and boom, 5000 € transferred. Confirmed by a single 5 digit pin.
Is this traceable? Yes. Is it smart? No. That's not the point. But is it secure? Also no.
Now you could blame me for handing my phone over. Okay...
Let's compare with the old fashioned way:
First you have to get my credentials out of my pw-manager. I wish you tough luck remembering a 20+ character random string with special characters.
Although you don't even get the chance to see them because the Manager just copy pastes them.
But let's say you are someone who still got the credentials. You again ask for my phone to browse my pictures of my son, open the banking app, enter the credentials and.... You get asked to enter a ChipTAN. Which is generated by a different hardware together with my banking card...
At this point you close the App, tell me by baby is cute and failed.
Saying Passkeys are 2FA is basically saying that password managers are 2FA.
The difference is that my pw-manager let's me set up a proper password and not a laughable 5 digit pin like the new app of my bank.
Recently a vulnerability was discovered in the fingerprint scanners on some Dell, Lenovo, and Microsoft Surface devices. Knowing that I'm a little skeptical that this is totally secure.
If i suspect a password is compromised I can change it. Not sure what would happen if the same happened with a passkey.
I also wonder what happens if the device they are stored on dies or is lost/stolen. Is there a way to recover one's credentials?
Until I recieve satisfactory answers to these questions I'll stick with my password manager.
Your fingerprint only exists to tell your device that you are you. If someone has your fingerprint they would still need your device to actually do anything
my bank will be asking for my fingerprint soon enough...some dude and his laptop is not where i plan on leaving the only set of fingerprints im gonna get....ive committed no murder so nobody with a database fetish (which is a very real problem already) gets my fingerprints@@bronkolie
....you do not take your personal security very seriously if you dont think your biometrics should be kept away from an old laptop... cuz theyre all old laptops eventually....how much you like the idea of your biometrics being on a windows xp computer hdd?
theyre all eventually that...password security isnt as good as what you think
@@bronkolieif they can get your fingerprint then your device is within their reach too
You can use PIN or password or security key or pattern (or whatever you use to unlock your device or password manager) for your passkeys instead of using biometrics.
You can revoke passkeys.
The Dell and Microsoft laptops required physical access to compromise, not sure about the Lenovo
The sites promoting passkeys aren't exactly doing a great job explaining to normies why a 1234 PIN is better than a 123456 password.
It’s tough convincing experienced security professionals too.
True, but it can be simply stated as "can't leak your password if there is no password (taps forehead meme)".
Indeed the communication is poor. Put simply a passkey removes the need for the service (website, app, whatever) to store something *secret* about you. All it stores is a public key that if leaked doesn't matter as it is a public key after all. The secret is now something *you* own and are in control of. This means it is not possible for some random person in another country to login to your account as they don't have in their possession the device that stores your private key. Of course it is not perfect, someone with physical access to your device and knowledge of the PIN/passphrase/biometric used to lock the device could still break into your account but it improves security by shrinking the attack vector from anyone with internet access and the login page to people that can get physical access to your device and know how to unlock it which is already a risk factor anyway. You're simply making your attack surface much smaller and simplifying the process. Think your passkey is compromised in some way? Delete it on the site and generate a new one. As for biometrics and people arguing "I can change a password but not my fingerprint" that doesn't really matter, you don't have to use a biometric to secure your passkeys (it is just the most common as it is so simple, quick and secure). You can use a hardware security key with a strong passphase and it does the same job.
@@nuglord2084 why?
@@lithiumflower31337 Until someone steals your passkey. Multi-factor is the solution not single factor.
Isnt American law that biometrics are something that can't be withheld from authority's seizure but passwords are protected?
You can use PIN or password or security key instead of biometrics.
You are correct. But you don't have to compromise convinence of biometric. If you think the police is visiting you soon, you can turn on lockdown mode on android or something similar on iPhone from deep into settings. Both disables biometric and forces the pin/password authentication ( which you are required to set when setting biometric)
yes, something like that. its very easy to get around though we just use a hash function to convert biometric data to a string of characters and store that instead.
People are regularly ordered to hand over passwords in the USA and then sent to prison for refusing to comply.
To add to what other have said: You can easily cause it to disable fingerprint unlock on Android by 5 failed attempts (use the wrong finger) or rebooting. Of course, this assumes you have the chance to do this before you're detained.
The thing that annoys me is when sites require a capital letter and/or a symbol when creating an account. It's even more annoying when they don't tell you this until AFTER you fill everything out and click "Create Account".
like me, but I sometimes forget I once included special char., so I intentionally "create account" to see the password req.
Especially when you go back you have to fill everything on again because it got cleared
@@shaod2936this
Or when there's a 16 character limit
fr! especially unimportant websites. like i'm just trying to get something real quick because I need to login then they keep pulling shit like that. like who cares about your website being hacked just let me download the damn file.
No antivirus is the best antivirus
Not using a computer is even safer
To tru
Yup, Thats why You should not have a house and live in a balloon fortress because who needs Safety huh.
No Me!
Its soo comfortable....
Antivirus == More Range/Freedom on what ever you visit/ download.
No Antivirus == Always Paranoia/You lost 1000$ from bank
common sense is the best antivirus
@@theopenermemes7407kinda yes, but what do you think you will always be on a safe site lol.
Everyone says that before a new scam arrives.
I can't believe you shared my password to the whole world.
Everything is over for ya, pal.
You should change your password ASAP if it appears on any public lists or data leaks.
@@film2240 Whoosh
Hey, i have that exact same password on my luggage!!
GET ME LONESTAR!!!!
HUnter2
Considering the implications with the US 5th amendment and the fact that you can't change your biometrics if they somehow get leaked, it seems like this should remain strictly a second factor of authentication and not replace passwords entirely.
You can use a long PIN or password instead of biometrics, or use a security key (e.g. Yubikey, Titan).
@@bigjoegamer uh yeah that’s what I’m saying. Biometrics shouldn’t replace passwords or pins.
@@pchris "Biometrics shouldn’t replace passwords or pins."
I agree. I would be less excited about passkeys if they required biometrics.
Oh yes! More stuff to make it impossible to be anonymous! I sure do love the future where being tracked is a necessity and dissent is the gravest possible sin.
The issue I have with these kinds of authentication is that, I'm giving the keys to my accounts whenever I interact with anything in this world.
A password is only in my brain (and in that plain text document that I have easyly accessible at all time), but my fingerprints are everywhere I go, same with my damn face, why would I want to downgrade to what is practically a public key?
Because your password is not only in your brain, it is also stored (probably in plain text) on the server of the company you are logging in to.
@@pauldzim First off... Unless you're time travelling back to 2000 pretty much no legit site is storing credentials in plain text... And even if they did it shouldn't matter because you are using different passwords on every website... Right?
@@Pyroteq I cannot say I use a unique password everywhere, but if the website seems like is going to use plain text, then I wont bother with anything more complex than 1234abcd.
It's true that there are some things that do have unique passwords, like mail accounts, PayPal, banking, etc... but that's the minimum, and in all these years the only intrusion I had (in my R* account) was becouse a data leak, and as my mail had a different password, I was able to recover the account and bomb the attacking mail with infinite spam.
@@Pyroteqyou are so wrong
I work in multi billion company and they store some pass in plain text and some in md5
And the passwords they store protect MEDICAL information
Kinda sad there is no mention of the elephant in the room here: vendor lock-in.
It might seem like there is no real difference between passkeys and just using a password manager in this regard but there is and if left unattended will be a huge problem in the future.
3:44 Ahh yes, good ol' password #63, can't say I've used it as a password myself, but it sure is fun to say!
I have a bad feeling that password #48 is actually censored.
@@CyanRooper in this instance, it actually isn't censored! If you go to the page itself (url at the top of the screen), you'll see that #48 is unchanged. It's funny how they've actually blurred some of the words since posting the video, like they've done for #27, but #31 and #51 still show up unblurred just briefly at 3:40
What I want to know about Passkeys that NO ONE EVER TALKS ABOUT and is ABSOLUTELY CRUCIAL is: What happens when you lose your device? coz the private/public key is generated from your device right? So if you lose it, don't you lose the private key as well? and also don't you need a service to synchronize your keys anyway?
Plus there's the whole "hey, what if I need to log in on a device WITHOUT biometric hardware?" like.... at work. or at school. Which can be QUITE OFTEN
Exactly what I was about to Google then I just gave up lol
It‘s the same deal as if you forgot your password, websites have ways to send you an email, for example, to recover your account.
Google, Apple, Bitwarden and other keychain providers support passkey synchronisation, and you can often use a physical security key as a passkey (which you can use on all devices).
If you have a passkey saved for a website on your phone, Chromium-based browsers on desktops offer you to scan a QR code on your phone to verify your passkey on there to log into your desktop, meaning you don‘t have to have the passkey on the device in question.
Also, note that for now most websites with passkey support always have other ways to sign in (password, email OTP,, etc.), passkeys are meant to simplify signing in :)
wondering about this as well, pls tag me when someone responds
If your passkey is stored on your phone, it's likely synced with other devices. This is especially the case with with iPhones. And you can use your phone as a passkey, even when logging onto devices. For example, when I use my personal account to authenticate with Google on my work laptop, the browser attempts to make a Bluetooth connection with my phone, which is then used for authentication. It actually works great. If Bluetooth is not available, it also works with QR.
I'd consider it best to have the passkey in a password manager (Bitwarden and I believe 1Password supports it) or have a couple of physical hardware keys (like Yubikey or Google Titan).
Short answer is that you go through account recovery as if you forgot your password or lost access to all MFA methods for the account.
Long answer: is that it depends on your device and the service you’re authenticating with.
What you usually do is use another device you’re already logged into to verify the new login.
USB security keys are honestly the most convenient passkey device since they can be used on multiple devices, fit on a keychain, and often support NFC to work with mobile devices without an adapter. Each device you log into with the AppleID is also registered as a passkey.
Most services let you use a passkey without preventing you from using legacy authentication methods already set up on the account. I’d suggest this if you’re curious about passkeys.
Apple requires that you register two FIDO2 hardware keys before they’ll let you go fully passwordless. They suggest leaving the second key in a fire safe or something.
Passkeys are a big topic.
If only they kept our passwords in a plain text document…
THIS MAN RIGHT HERE IS UNDERESTIMATED
Or on a piece of paper...
He is storing his password in the ketchup stain on his shirt. XD
Honestly would like a more tutorial like video on this topic. Can you use this for any website? I don't I've ever seen a website with this option.
Each website has to implement this option. However it is getting much more common to have the option to use passkeys.
eBay is another
Google, iCloud, PayPall are my most use Passkey websites right now although I believe GitHub and others also support them
Passkeys dawt directory is a listing site of all the sites that have it. The big ones all have it
On top of only working on sites that offer the option, your passkeys are a unique ID for that account, if you move to a new device those keys have to follow you or you'd look like a new person to them. This raises the question of what happens when you have an apple and an android phone? Well they only care about keeping you in their ecosystem and you wouldn't be able to be the same account on each device because wall gardens are the new hotness. Until they get off their bullshit and stop with the anti-competitiveness and let you move keys from device to device and even company to company, I couldn't recommend passkeys.
1:25 What are you talking about? Passwords aren't stored on a server either. They use the same technique as described after that
I personally think biometrics are less secure. The idea that the very thing that you leave everywhere is a bad idea. This is why I prefer a FIDO key.
Why isn't there a combination of FIDO + Biometrics. In that case even if you lost your FIDO stick, it would still be pretty difficult for the person who found it to break into your account
There is! Some Yubikeys have a fingerprint sensor.
Passkeys rely on certificates stored in security hardware found on modern phones and PCs. That hardware is the same as a Yubikey, it’s just built into the device.
Biometrics or a PIN unlock that hardware. Only the certificate is used to authenticate with whatever service the passkey is set up with.
Biometrics are secure enough to be allowed and encouraged by NIST CMMC guidelines.
Public key cryptography combined with multifactor authentication (preferably OTP-to heck with biometrics) has been around for decades. The fact that it's only just now becoming prominent is honestly a disgrace.
its a disgrace people trust an company demanding such a thing.....biometrics are not to be given to anyone just willy nilly....no matter how arrogant they IT guy is...his buffoon emplyee will sell that laptop fill of data without wiping it......half of it departments dont even wipe the hard drives on the office printers they send back from a lease.......full of signatures and all kinds of printed and photocopied private data....gigs of it
True that.
Blood or DNA sample required next.
Security be damned, I'd rather eat my own hands than use my biometric data in place of passwords. I can change a password as-needed, but my biometrics are effectively fixed. Also, why would I want to risk large companies having access to by biometric data?
Ideally they store the result of some function, not your actual biometric. This way they can still verify, without ever keeping a copy.
Same way a password hash can tell you if the password is correct, while never actually storing the password.
@@CoolJosh3k That would be ideal, but I don't trust them to use the ideal solution.
@@eldibs Same. I reckon some companies who claim to store things securely still have a straight up copy of account passwords.
While its good that people can learn about the existence of private and public keys, the explanation was way to short to learn anything, maybe having a dedicated video about how it works would be better?
The thing about passkeys that’s clunky at the moment is when you have multiple devices. The password managers are starting to be able to sync them, but I guess that negates one of the benefits.
A sufficiently knowledgeable and prepared attacker can get into just about anything, but putting more layers and more security in front of them to slow them down might cause them to stop. If they really want in, they will find a way, but at that point, we're talking about black hat guys being paid by mafia men to hunt you; random user five doesn't have to worry about that.
The bigger issue is that you can just talk to customer service and tell them to change the account authentication, bypassing all security. Until that's not allowed anymore, everything is just for show.
No backups are the best backups
i did not found my 3 most used passwords in the list. Being asd, 123 (probably because they are only 3 chars long xD) and raspberry (raspberrypi). When you are setting up some kind of local virtulised systems with a very short lifetime, you don't fancy passwords
Thabks for the passwords!
You forgot CorrectHorseBatteryStaple
I have multiple 20 length passwords that I use for about 3 months, during which time I make some small easy to remember adjustments.
Only if they found the exact decrypting method, be quick about it AND also account for a HW passkey... Well, I would just be impressed at that point.
My mum got an Amazon account in about 1997. Up until last year her password was three lower-case letters.
27, 51 and 63 are some fine passwords
1:59 Gee, it really is a shame that passwords are stored in plaintext... oh wait *they aren't*. Passwords aren't insecure at all just because they're stored on the server, they are hashed and salted to ensure that in the event of a data breach, it's near impossible to retrieve the original password.
Oh, that’s right. It’s all of the password servers that keep getting tricked with simple usb devices that spoof the correct digital signals. I totally forgot about that.
The good news is that I can play this video as a joke for my peers who professionally manage enterprise security systems, because no serious security system relies on biometrics without using other methods (passwords). I’ve yet to see a biometrics authentication method actually implemented that wasn’t easy to circumvent or that relied on purely on-premises data that couldn’t also be easily retrieved without any meaningful authentication.
I'll keep my current multi factor authentication thank you. Something I know, something I have, something I am.
lol the batman password editing
So, the passkey is dependent on a biometric or having a cellphone?
If this is the case, I can see multiple limitations...
Passkeys also work with physical hardware tokens, computers and be stored in password managers.
If someone gets a copy of your hand and finger prints you can't change that
Then just use a master password, your choice!
Lot of people freak out about 4 digit pin or biometrics. However I like to think that some passkey service will allow to use yubikeys.
I wont be using biometrics, and won't be using passkeys, until someone proves to me my biometric data cant be stolen, and/or everywhere supports HW keys instead of biometric keys... in which case I'll use a non-biometric HW Key.
Amazing. What if I lose my phone or the private key storage breaks?
Generally you'd be heck'd, but realistically just like today, you'd call up customer service tell them you've forgotten literally everything about who you are and bypass all the account security, probably just giving you a password to use over email defeating the whole purpose. But if you make a backup, you can restore from that.
You can't
They are stored in the cloud
@@wnsjimbo2863so they are tied to what exactly? My Google/iCloud account?
This is the second video on passkeys I've seen in the last couple of days.
What's going on?
Is Yubikey secretly sponsoring stuff?
would be better than a while back when they were loudly sponsoring every channel that would take their money.
If you want to learn more, learn about the FIDO Alliance and passkeys and FIDO2.
It's not just about Yubikey. Passkeys can be stored on password managers, macOS, Windows, security keys (not just Yubikey), Android, iOS, and other devices and software. Hopefully passkey management will come to Linux, too.
google started lately pushing usage of passkeys
taking passwords out of the heads of the account owners and taking security away from them is dumber than using the password managers that have been hacked in the last few years
youre better off with a handwritten list next to the keyboard than a piece of software writing your passwords for you@@bigjoegamer
@@bigjoegamerAh yes, FIDO2 is what the other video was about.
Spent most of this video distracted by the lunch stains on the jumper... :->
oh yes daddy, bring the orwellian dystopia of technology closer and faster to me. I want convenience!
@3:44 I wanna know what number 27 and 63 are lol
Multi-factor authentication will always be the best method.
I feel that a better explanation is how it's not the biometric data which is used but the key created for that site is used and this should be clarified
I love when the quality options are 144p and 1440p :D
It's like in the movies when the military uses 2 physical keys to access the big red button. 😅
It should be emphasized that while passkeys are pretty much unbeatable in remote attack scenarios (until Quatum computers break the cryptography), these are the WEAKEST security method against physical attacks. Ok, there's an even weakest security method, a swipe pattern that anyone can see by looking at the dust pattern.
I think you got a bit of Moms spaghetti on your sweater already
If ur fingerprint or face photo gets stolen then what
its awesome how the most used password is 123456.
That means we've improved from spaceballs, which was only '12345'
meanwhile everyone with a phone passkey of 6969 getting scared
Great! Thanks! Expose my youtube password to the whole world!
Thanks for the video!
It's like that recent Mission Impossible.
I'm no software engineer, but I think the problem with fingerprints on smartphones is they are not truly recording your fingerprint. They're just creating a unique ID for each fingerprint in their own way. So you can't "save" your fingerprint data and use it elsewhere. It would be good if it were universal. Like capture the image of your fingerprint and use that as the unique ID that can be used in any fingerprint sensor.
Laser James is one of 3 best conveyors of information besides Riley & AlexClark&Lois. Whether he's using his own writing or that done by others, his delivery and style are freaking amazing. His stand up is pretty good too.
From the title, I thought you were just gonna be like "Don't use anything at all, it'll be more secure" lol. But yeah, my password's a lot better than "qwerty". It's strong enough that no one (Not even you) could guess it. :)
No back up is the best back up
Damn, they used all my passwords.
CorrectHorseBatteryStaple?
That red smudge on his sweater tho
All I got from this was my brain deciding "Passkeys are stored in the balls"
Accurate.
But it's basically a password manager, but an automated one where you don't ever deal with the "username/password" bits, not even during account setup with the website, just click/tap/scan the sign in thingy and you're in (probably requires a fingerprint press or master password entry, but that just like a traditional password manager today).
i have dozen account on multiple services and still use 3 password. but somehow it got leaked out and i need to redo all of them. its so frustrating tbh. we need more passkey services
At least use a password manager, man. I highly recommend Bitwarden.
0:55 passwords should not be words.
After using my fingerprint for signing into everything on my laptop, I REALLY wanna get a USB one for my desktop. Just need to find a reputable one that doesn't have the fingerprint ON the usb stick. I need to have a wire to the same place as my mouse and keyboard.
Just find a certified Windows Hello compatible webcam or fingerprint reader.
You could probably use a usb extension cable to achieve that.
Now that I think about it, imagine if the power button on desktop PCs featured built-in fingerprint readers just like on some laptops these days. Or imagine if some DIY keyboards had the option of putting a fingerprint scanner on them for users that want the added security.
You should be able to use your phone as a passkey for windows hello
wait till you bank needs a fingerprint...then add 10yrs...and you realize your fingerprint is on an outdated easily hacked old doodad out there somewhere...and the company sold its entire database when it went titsup and now your fingerprint is on 300 different chinese databases and you bank refuses you that security/insurance...but hey...you saved 1/2 of a second way back when
QR Codes are a security risk, but the passkeys using biometrics are actually great.
How so? The QR code is just machine readable nonsense, the authentication comes from the fact that you are the only one who could encrypt that and send it back to them, as no one else has/knows your private key.
The best password is something over 25 characters long which is completely random and only you can remember. Everything else can be bypassed and hacked. Physical keys are the worst, all someone has to do is gain access to your physical key and pin/fingerprint which is substantially easier.
Oh yeah, someone JUST has to gain access to your physical devices, and also your PIN. Super easy.
I remembered the video I just watched few days ago about IBM promoting passkeys. They call it "FIDO".
The FIDO Alliance is the group name behind Passkeys. Made up of all the big tech companies you know and hate.
That said, SQRL is basically passkeys but better as it's an open protocol that's free for anyone to use/implement and doesn't care where or how you use it.
But what if I've lost my device and need to log into stuff from someone else's computer. Maybe I'm missing something but it seems easier to get locked out with passkeys than passwords. I use Bitwarden as a password manager and both my parents and my wife have the recovery codes in case I get locked out completely or kick the bucket. How does this work with passkeys?
3:45 why isn´t password number 27 and 63 visible? are u using it? ;)
Nice video!
The best amount of money is the amount of money
how can I change my face or fingerpring if some day leaks out?
what bothers me the most is that stain...
depending on the definition of password there is always one, some characters string is used to verify it's you
The key difference here is that the string of characters sent over the wire is different every time. Your private key remains private.
@@scaredyfish if there's challenge that shouldn't be really called passphrase then I guess?
Passkeys does work.
The fact that they censored passwords 27 and 63 but not 31 or 51 has me confused about Internet censorship.
27 and 63 are passwords they use.
@@Puremindgameswhat?? No 😂😂 this is a ss of a public Wikipedia article, the words are pussy, asshole and Batman 😂
The words they blurred are p**sy, a**hole and Batman.
Most likely those passwords are rude/profane words, so for the sake of the family-friendly youtube videos, they censored them.
@@DeHackEd and 31/51 aren't?
3:40
46 batman??? 😂
Cool !
Why was batman censored from the top 100 passwords list?
This is only working until quantum computers are "mainstream" also there are by now a lots of lists of undecrypted passwords list waiting to be decripted by quantim computer when a bad party get hold of them
You should have tagged the video about cryptography somewhere in this video.
What's the link to that video??
3:40 they blurred “batman” (#46) ?
Why is video quality unavailable? This is stuck at 240p
What happens if your device becomes unusable (hard drive is fried)?
why did you blurry "batman", password 46? 3:39
Working as a Industrial Mechanic on a External Grinding Machine i have my Problems with Fingerprints xD
Pin is an option
Why was the 27th password blurred
passwords handled correctly are cryptographically more secure than asymmetric systems.
Bout if you lose your device, or screw up with your biometric? Guess you would have to remember your security questions but isn't that just another password, this time something with actual words rather than a 'random' length of string
If you don't have a password, they won't be able to guess it.
My notes app is my password manager
Sad that there’s no mention on how big tech restricts in one way or another alternative solutions that would allow passkey features be offered by third parties. Say e.g. integrated into your password database, or synced across various ecosystems.
Afaik current solutions had to reverse engineer Google Chromes internal API calls in order to work in the browser. Android only promised support, but is already collecting the users with their own solution. Shady at best. I really expected some mention of these kind of open problems. Honestly a bit disappointing.
you need passphrases and a titan key
Ok so 51. Fuckme isn't blurred out but 46. Batman is? 😆
Biometrics are safe! But not on windows 😂 Yubikey is king imho ❤ but nothing is unbreakable.. even airgapped devices have been compromised.