• @Valmond
    link
    English
    22 months ago

    So one password to access them all basically?

    That’s quite a weakness.

    • @Spotlight7573
      link
      English
      42 months ago

      So one password to access them all basically?

      That’s essentially how all password managers work currently though?

      • @Valmond
        link
        English
        12 months ago

        True, I hoped for something better :-/

        • @Spotlight7573
          link
          English
          32 months ago

          If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They’ll lock out using a PIN if it’s entered incorrectly too many times.

    • @johannesvanderwhales
      link
      English
      42 months ago

      It’'s really up to the end device (and the user of said device) to decide how much security to put around the local keys. But importantly, it also requires access to the device the passkeys are stored on which is a second factor. And notably many of the implementations of it require biometrics to unlock.

      The “one password” thing is also true of password managers, of course. One thing about having one master passphrase is that if you do not have to remember 50 of them, then you can make that passphrase better then you otherwise might, plus it should be unique, which prevents one of the most common attack vectors.

    • Beej Jorgensen
      link
      fedilink
      English
      22 months ago

      If you get my master keepass password, you have all my passwords, too.

      • @Valmond
        link
        English
        12 months ago

        As I said to Spotlight7573 yes true, I just hoped for something better.

        • @johannesvanderwhales
          link
          English
          22 months ago

          If you’re paranoid about this, go buy a yubikey and use that to secure your device/access to your passkeys. Being able to secure your own data instead of relying on the admin who may or may not know what they’re doing to secure the server is an advantage of passkeys.