501
Concerns Raised Over Bitwarden Moving Further Away From Open-Source (www.phoronix.com)
submitted 16 hours ago by AsudoxDev@programming.dev to c/technology@lemmy.world
105 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] ilmagico@lemmy.world 2 points 15 hours ago* (last edited 15 hours ago)

I don't use passkeys so I don't know. Maybe I should research into passkeys, what's the benefit over plain old (long, randomly generated) passwords?

[-] jqubed@lemmy.world 5 points 15 hours ago

I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.

[-] ilmagico@lemmy.world -1 points 15 hours ago* (last edited 15 hours ago)

Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, ...) to authenticate you, so, yeah, I'm not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.

I'll stick to old-fashioned, long, secure, randomly generated passwords, thanks.

[-] 4am@lemmy.world 3 points 13 hours ago

Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.

This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.

Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.

[-] ilmagico@lemmy.world 0 points 12 hours ago

I see, that makes sense and should be more secure, in theory. Thanks for the explanation.

The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it's different, but that's not my only OS).

Also if the private key does get compromised (e.g. local malware steals it), hopefully there's an easy way to revoke it.

this post was submitted on 20 Oct 2024
501 points (98.8% liked)

Technology

58792 readers
3707 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world