Every day in every way, passwords are getting worse and worse

Passwords turn 65 this year. They became a feature of computer users' lives in 1961, with MIT's Compatible Time-Sharing System (CTSS). Before then, sysops were real sysops. All jobs went through them, one at a time, and access by others was forbidden by laws written on blocks of stone. There are many, mostly sysops, who …

  1. Bebu sa Ware Silver badge
    Coat

    laws written on blocks of stone.

    Oh, I think we had progressed to half bricks with the optional sock for transgressors.

    "properly educated and motivated people" — Arguably the proper application of the above half brick is both educational and motivational.

  2. El.Mich.

    The Register 2024/11/17: "Will passkeys ever replace passwords? Can they?"

    Well, like in the real world one can have comfort or security with regards to IT-systems. But not both at the same time. Of course there are lots of possible compromises in between but they all come with some kind of trade-off.

    Ah, and the article from my headline can be found here:

    https://www.theregister.com/2024/11/17/passkeys_passwords/

    Passkeys are not meant by FIDO to be better _for_ _the_ _users_ but better for the companies offering them to their users to fence them into their respective IT-eco-systems even more than ever before. Who would have thought ...?! ;-)

    Fortunately my brain seems to be able to remember several 40 - 64-digit passwords containing small and capital letters, numerals and ASCII-signs as well. And I at least do trust KeePassXC without any kind of cloud usage. And KeePassXC can even manage passkeys in principle though not on all websites depending on some "specialties" of the corresponding owner of the service. I think that I am quite well off! But others' mileage may vary ...! ;-)

  3. Pascal Monett Silver badge
    Stop

    And here we go again

    Another push to replace passwords with <anything else>.

    Do you realize the difference between passwords and <anything else> ? You can change a password.

    Biometrics ? I can't change my fingerprints any more than I can change my face (hey, I'm not a multi-millionaire).

    Pass keys ? Managed by who ? Do they guarantee that they can't be hacked ? Ha !

    Do you know the definition of Democracy ? It's the least worst system of government.

    That's what passwords are. The least worst system of security.

    I know how to manage my passwords. I never use the same password twice.

    Leave my passwords alone. Especially from pseudo-AI.

    1. elsergiovolador Silver badge

      Re: And here we go again

      Presumably the <anything else> should have a convenient backdoor for government.

      1. Doctor Syntax Silver badge

        Re: And here we go again

        And one that can't pos-s-s-s-sibly be accessed by anyone else.

    2. Anonymous Coward
      Anonymous Coward

      Re: Biometrics

      You have one face but 10 digits yet there is a move to make the default Biometric your mugshot. That is madness in my eyes.

      As for Apple and Google password managers. I don't know about Google but the Apple one runs on your machine with optional iCloud backup. I know that it works when offline and you can see individual passwords so that you can copy them to a file that you encrypt (or should do...)

      I agree with eliminating any dependency on kit that can be interfered with by the Toddler in Chief. However, he won't be there forever (please God make that end date ASAP) and we have to hope that the madness introduced by Project 2025 is consigned to the wastebasket/incinerator of history.

      As said by Pascal Monett (for once, I agree with him) leave my passwords alone. TFA is nothing more than a PITA. Relying on a phone is a huge single point of failure especially if you use email on your phone. Lose your phone and you are DOA.

      1. Anonymous Coward
        Anonymous Coward

        Re: Biometrics

        "However, he won't be there forever" is a stupid view. We're living, NOW, what happens when he gets in. And there is nothing, and realistically can't be anything, that can guarantee someone like him won't be in power at a time afterwards.

        So every system should be built to assume that he's in, and that he's the best that'll get in for a century. Government powers should be restricted, oversight increased, 'emergency' privilege escalations cut, and other measures put in place to make sure it's safe-ish for an outright fascist to get into power. Because when they do, it's too late.

        Trump's gone in a couple of years, but who's to say he won't be immediately followed by someone worse? Or that there won't be a good US President next followed by someone who makes Trump look like a saint?

        1. DS999 Silver badge

          Re: Biometrics

          Trump's gone in a couple of years, but who's to say he won't be immediately followed by someone worse? Or that there won't be a good US President next followed by someone who makes Trump look like a saint?

          Yes, assuming we manage to dodge Trump's attempts to turn the US into a dictatorship and get a proper president after him, it is up to myself and every other US citizen to demand real change that permanently prevents anyone else from ever following in Trump's footsteps.

          That will mean constitutional amendments, and maybe even changes to the Supreme Court (since they seem to feel they are not limited by the text of the Constitution in their rulings) to ensure that 1) presidents are absolutely and conclusively NOT above the law and can be prosecuted and jailed for their crimes just like any other citizen. 2) money is not "speech" and laws may be passed that limit the ability of people or organizations to contribute to political campaigns or advertising on the behalf of a campaign or political viewpoint. There are other fixes needed but these two are the most important. I think that the DOJ needs to be outside any control of the president, maybe it should be part of the judicial branch or maybe it is outside the three branches (but has checks and balances from all three) but the current situation can't continue.

          The problem is that republicans may not support such changes if they see themselves getting a "better Trump" in the future to ensure a dictatorship happens under their control. So I think that a democrat who wins needs to act as Trumpy as possible as far as exercising dictatorial power from the executive branch (using it mainly to undo everything Trump fucked up) and tell republicans "you want to stop me, get red states to pass my package of constitutional amendments and I will ask blue states to do the same and I will sign bills that limit my own power to where it should be / had previously been understood to be before Trump".

        2. Cliffwilliams44 Silver badge

          Re: Biometrics

          "Government powers should be restricted"

          I love how you idiots say these things when referencing Trump/Conservatives but will "bend the knee" and grant virtually unlimited power to any leftist tyrant you believe will "give me the thing I want most!"

          It is not "we" who attempted to squash the free speech of millions of people because they disagreed with policy, it is not "we" who put a man in prison for posting a meme, it is not "we" who arrested a comedian for criticizing Islam.

          You people would gladly surrender your liberty if you thought it would "avenge your political enemies" and feed your toxic empathy!

          Be careful what you wish for, because I'm sure you will probably get it! The UK has pretty much got it, how's that working out for you!

          1. Anonymous Coward
            Anonymous Coward

            Re: Biometrics

            I was going to list everything the orange moron and his cohort have done but I can't be arsed. You really are the typical maga moron.

          2. Hubert Cumberdale Silver badge

            Re: Biometrics

            ::eyeroll::

            Any more debunked bullshit you want to wheel out to go with that steaming pile? And yes, contrary to AI-generated nonsense, the UK is doing pretty well compared to the Republic of Gilead USA right now. At least until the next election – that's when we'll get to find out just how successfully dumb the flag-shagging, Brexit-voting, definitely-not-racist segment of the population is. Sadly, it's looking a bit like we're heading in a troubling direction and it's all feeling a bit 1933. I'd suggest that you have no idea exactly what you're wishing for.

      2. Doctor Evil

        Re: Biometrics

        "TFA is nothing more than a PITA. Relying on a phone is a huge single point of failure especially if you use email on your phone. Lose your phone and you are DOA."

        Most TFA providers offer either email or an actual phone call, for which you can use other devices, as alternatives to SMS -- so you are not completely hooped. But your point is well-taken: TFA is still something of a PITA -- but still better than a password alone.

      3. The Organ Grinder's Monkey Bronze badge

        Re: Biometrics

        Two things,

        1. Ref "eliminating any dependency on kit that can be interfered with by the Toddler in Chief. However, he won't be there forever (please God make that end date ASAP)" The toddler in chief has a long line of particularly vile people waiting to take his place, be careful what you wish for. Whether the voting public will accept any of them just because Trump says they should is probably all that stands between the US & Germany in the 1930s.

        2. Ref "You have one face but 10 digits yet..." About fingerprints. I work with my hands & for several days after I work with anything vaguely abrasive most of the fingerprint reading devices in my life become uncooperative. The 'phone with its in-screen reader is by far the worst of them, but the only ones that aren't affected are the wipe-across type ones on my X220s. The pad-type one on the X270 is only slightly better than the one on the 'phone (but doesn't work at all under Linux without a fix that is beyond my technical abilities, or the use of systemd.) The fact that the X220 ones are immune suggests that they're probably not that good?

        1. DS999 Silver badge

          Re: Biometrics

          Whether the voting public will accept any of them just because Trump says they should

          Trump's greatest strength is fooling gullible poor people into thinking he cares about them and will fight the billionaire class and the "swamp" on their behalf, despite being a billionaire and now the biggest swamp creature of all. No one will be able to replicate that, even if Trump gave his blessing to a successor.

          And I think there's good reason to believe he would not, unless his idiot son is running. He's withholding endorsements from a lot of primaries so far, and the main reason appears to be that he doesn't want to give his blessing to someone who later loses. So he's only endorsing those who are clear frontrunners, or waiting for a frontrunner to emerge. I think he would do the same for 2028, so Vance and Rubio might think puckering up and going deep up his ass will help their cause, but they'd be wrong.

          As his approval numbers continue to crater there's a lot of finger pointing going around as to the reasons for his slide, and that's only going to increase. No successor will be able to hold onto the white nationalists who were disengaged from voting until he came along while simultaneously not turning off more traditional conservatives. His force of personality and the cult-like behavior he engendered is the only thing capable of that; without him to vote for there's no one who can appeal to one of those without turning off the other.

          And it only gets worse if the physical and mental decline that's becoming increasingly evident means he's not even around in 2028, or has deteriorated so badly he's simply ignored by most. Vance would be the incumbent, but he's not at all a likeable person and there will be a lot of Trump voters who will (correctly I think) believe he has no chance in a general election against almost anyone the democrats would run.

      4. Cliffwilliams44 Silver badge

        Re: Biometrics

        Someone needs to take his TDS meds!

        1. Anonymous Coward
          Anonymous Coward

          Re: Biometrics

          Yes, please do. You really are off your dried frog pills.

    3. HereIAmJH Silver badge

      Re: And here we go again

      Also, if you are planning to spend any time in the US...

      If you use biometrics, law enforcement can force you to unlock your device. But you are protected by the 4th amendment, while it still exists, from being forced to enter your PIN.

      1. Anonymous Coward
        Anonymous Coward

        Re: And here we go again

        *Fifth Amendment

        Federal Appeals Courts have already ruled that unlocking a device is a testamentary act, because it proves whose device it is.

        Under the US Constitution, you can't be compelled to unlock a device and prove it's yours. That's testifying against yourself. If they try and make you, exercise your rights and ask for a lawyer.

        1. seven of five Silver badge

          Re: And here we go again

          And while you wait for the lawyer you neither know how to select, nor how to afford, you will stay in this nice, 5th sub-basement detention cell.

  4. seven of five Silver badge

    Passkeys? Yeah, sure....

    > Go to an online service, the system fills in your username, dab the fingerprint sensor, and you're in.

    Yes, what could POSSIBLY go wrong with that?

    1. Denarius

      Re: Passkeys? Yeah, sure....

      and for some of us who do manual tasks like forestry, digging, thus having much skin abrasion, fingerprint devices don't work reliably. As most of us use multiple devices, easy _local_ transfer of data would be a godsend. Needless to say, it's available in the "Cloud" which makes any thoughts of security futile

      1. Sam not the Viking Silver badge

        Re: Passkeys? Yeah, sure....

        I agree. People are prone to injury which can severely affect biometric parameters. Are they to be locked out of communications because they suffered an accident or burns, for example?

        I enjoy woodwork; my fingerprints can be temporarily altered/removed after using glass-paper (I was taught never to use the term 'sand-paper').

        1. Sandtitz Silver badge
          Facepalm

          Re: Passkeys? Yeah, sure....

          People are prone to injury which can severely affect biometric parameters. Are they to be locked out of communications because they suffered an accident or burns, for example?

          Some people suffer amnesia. Are they to be locked out?

          Biometrics in computers and phones are just additional authentication methods and you still have a pin code or password to rely on if biometric login fails.

          1. LybsterRoy Silver badge

            Re: Passkeys? Yeah, sure....

            -- Some people suffer amnesia --

            If the amnesia is severe would they even remember they have some sort of computing device that will respond to being stared at?

            1. Sandtitz Silver badge
              FAIL

              Re: Passkeys? Yeah, sure....

              "If the amnesia is severe would they even remember they have some sort of computing device that will respond to being stared at?"

              The helpdesk at my workplace is very busy after each holiday because people do not remember their passwords. The same people usually still have their fingertips and/or faces left after a reset.

              But hey, let's all call biometrics evil, and scare people that their biometric data is transferred out of the computers, phones or tablets at any point!

        2. tiggity Silver badge

          Re: Passkeys? Yeah, sure....

          I got hassle on my most recent US visit over my fingerprints being different to existing records.

          Last visit was quite a while ago, when I was younger and I did all house & garden maintenance jobs with hand tools - now I'm older with various joint issues I use a lot more power tools and so far less abrasive wear and tear on hands / fingers.

          So, "new" prints were notably different to "old" prints (new ones had a lot more detail as nothing has been abraded off by manual work).

          A lot of grief from immigration over that "discrepancy" - though I think they loved any excuse to be a PITA as, in my experience, US immigration / passport control is by far the most aggressively unpleasant I have experienced in any country. *

          .. and I'm from a country (UK) that is supposedly on friendly terms with the US (I'm also Caucasian so no racial prejudice triggers for the border staff).

          * I should add, the least aggressive of all my visits was when I flew in from Dublin - maybe coming from an Irish location made them treat me marginally better? Or maybe I was just lucky & got one of the tiny % of employees who only scored 9 on the aggression scale instead of the usual 11.

      2. Anonymous Coward
        Anonymous Coward

        Re: Passkeys? Yeah, sure....

        Winner! Or work in a lab wearing gloves and the bloody screen locks.

        Typical example of designwankery - thinking what works for yourself not the end user.

        1. The Organ Grinder's Monkey Bronze badge

          Re: Passkeys? Yeah, sure....

          Have 10,000 virtual upvotes, & one real one.

      3. Anonymous Coward
        Anonymous Coward

        Re: Passkeys? Yeah, sure....

        My scoutmaster (many many many years ago) worked for Morton Thiokol. When we did the fingerprinting merit badge, his looked like someone had pressed ten grapes onto the fingerprint card. Not a good thing because 15 years later he was thoroughly poisoned and on disability.

      4. David Hicklin Silver badge

        Re: Passkeys? Yeah, sure....

        Have another upvote; often doing some heavy DIY work can be enough to throw a fingerprint off.

        As for alternatives in the article, all this is doing is concentrating it in the hands of the mega corps. I am fine with my passwords and local storage using KeePass thank you very much !

    2. Voice of Salinity

      Re: Passkeys? Yeah, sure....

      I watched a show/film recently, standard plot... We follow the hero as he hunts Evil Dude #1, kills Evil Dude #1. Face/Fingerprint unlocks Evil Dude #1's phone, extracts clue to Evil Dude #2. Kills Evil Dude #2. Face/Fingerprint unlocks Evil Dude #2's phone...

      The hero character looked visibly annoyed when one of the dead Evil Dudes had used a PIN to lock their phone, halting the murderous rampage.

  5. Will Godfrey Silver badge
    Meh

    Hmmm

    I've got quite a lot of passwords and pass phrases that I've created over a number of years. They are all completely different and to the best of my knowledge none have been compromised.

    I consider being creative is the key. Such as the phrase:

    noklipy Ofaic jamwopPy

    P.S. No I haven't used that one anywhere.

    They are not stored in a password manager but on two USB sticks which are only inserted when a password is actually needed - some I remember anyway.

    I have one important password that's only stored in wetware, and if it's ever lost then I have more important problems!

    1. Jamie Jones Silver badge
      Happy

      Re: Hmmm

      "noklipy Ofaic jamwopPy"? That's amazing! I've got the same combination on my luggage!

      1. ParlezVousFranglais Silver badge

        Re: Hmmm

        Hail Skroob!

  6. An_Old_Dog Silver badge

    Pass* Options

    * I don't want biometrics, because while it is convenient, if there is a system breach, the data thieves have my encoded fingerprint, etc., ready to use in a replay attack (they just need to mod some software on their PC to make use of it). I can't get a new fingerprint, eyeball, etc.

    * Passwords are fine for /me/, if the system doesn't limit them too much in length and complexity. The ones I use daily I have memorised. If I need one of the less-used ones, I decrypt my password file, look it up, use it, and overwrite (BleachBit) the plaintext file. I don't expect this to work for "ordinary" people.

    Obligatory xkcd: https://xkcd.com/936/

    * Whatever we use should not depend on a service on someone else's computer(s) ("The Cloud").

    * Whatever we use should not depend on the Internet working, unless we already have a dependence on the Internet to connect with the host we desire to access.

    * Whatever we use should not depend on a cellphone. I don't want my phone device, or any of its ID numbers linked to an account, due to privacy issues.

    Decades ago when passwords were limited to eight characters or less, our mainframe had a program which generated quasi-random passwords, which while not true English words, were easily pronounceable and rememberable.

    1. Doctor Syntax Silver badge

      Re: Pass* Options

      I decrypt my password file, look it up, use it, and overwrite (BleachBit) the plaintext file. I don't expect this to work for "ordinary" people.

      We ordinary people use something from the KeePass family. Same idea, less messy and no need for bleach.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pass* Options

      "if there is a system breach, the data thieves have my encoded fingerprint, etc"

      Not true - the fingerprint is stored in TPM/secure enclave (or if using a biometric FIDO2 device stored on the key itself) - with an encryption key that exists purely within hardware. By design, even full kernel access to the overlying operating system cannot result in the TPM stored data (the biometric template) being read. Even if that were ever breached - the encryption key is hardware based - making the template hardware bound. It simply will not work/decrypt on any other TPM chip.

      When you auth with bio it simply asks "decrypt this signal with what you have stored - is this a match?" and the hardware replies yay or nay to the operating system. It never reads the actual template (it CANNOT read the template - by design).

      What you're suggesting is simply not possible.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pass* Options

        Did Microsoft program the TPM? If so, what you've declared as true, isn't. You also seem to have implied that the crypted fingerprint was ONLY stored in the TPM. I'm not sure how you could prove that on a computer where there is a JTAG interface, or exposed cpu pins.

      2. Claptrap314 Silver badge

        I appreciate your optimism

        But, having worked at AMD & IBM doing microprocessor validation, I would not trust these TPMs to be bug-free. If you dig hard enough, you might even find an article here about various breaches which have happened.

        1. An_Old_Dog Silver badge

      3. Lipdorn

        Re: Pass* Options

        The geniuses behind some TPM implementations didn't encrypt the communications to and from the TPM.

        https://www.covertswarm.com/post/how-secure-are-tpm-chips

        "Using publicly accessible tools which included a custom high-level analyser and a script to enable the parsing of the captured data, it was possible to decode and extract TPM transactions from the SPI stream. This resulted in a data dump that we were then able to use as a search repository."

        1. An_Old_Dog Silver badge

          Easily Intercepting the Fingerprint Datastream

          I've seen USB-cable-attached fingerprint readers in a few pawn shops.

          I didn't sell to or buy from them.

      4. MonkeyJuice Silver badge

        Re: Pass* Options

        https://www.youtube.com/watch?v=wTl4vEednkQ This TPM?

        TPM is nothing more than a security barrier between the kernel and firmware. If someone has physical access to your machine and actually knows what they're doing, you're likely going to be shit out of luck.

  7. ChoHag Silver badge

    Passkeys are just passwords that are in a device I don't control instead of a head that I do.

    1. Anonymous Coward
      Anonymous Coward

      Not true - they use a challenge/response system. The far end system (website, whatever) has a pubic key, your hardware (TPM, FIDO2, Secure Enclave) has the private key.

      Why is this better?

      When you enter a password anything MITM or a phishing site can capture it as you enter it. And in this day and age, can also capture the MFA code you enter and replay it instantly to the logon service. TOTP, SMS, etc - see Evilginx for example. Modern phishing sites even forward on the auth back to you, resulting in your browser logging you in to the real site - from your perspective you don't even know your credentials were just stolen. It's seamless.

      MFA is utterly defeated in 2026 (even challenge/response MFA just gets blasted until someone gets fed up and allows the request). It's window dressing at best.

      When you register a passkey (let's say with your bank) - bank.com servers have a store of your public key. When you try to auth to bank.com it responds with a fresh random challenge and encrypts it with your public key. Your hardware chip has the corresponding private key to respond to the challenge and a store that says "here's the signature to reply to bank.com" - it will only ever reply to bank.com, only your hardware can reply, and only bank.com can decrypt the response.

      You can't be MITM'd nor phished. The transmitted data in either direction is utterly useless to anyone but the two endpoints.

      They can also be hardware bound - so the encryption happens entirely in hardware, never exposing the OS/memory/etc to the encryption data.

      " device I don't control " - On device hardware based passkeys are really designed for organisations who had multiple system administrators with MDM solutions and so on. If you lose access, who cares, your settings get copied to a new system by your admin.

      The consumer version is either FIDO2 keys, Synced (i.e. iCloud) keys, or stored within a password manager.

      Storing passkeys within a password manager is, of course, not as secure as storing them within hardware (in this case passkeys can be stolen and replayed if the password manager or Apple, etc, account is hacked) - but they are still far, far, far more secure than using passwords and TOTP codes!

      1. tip pc Silver badge

        the M$ mfa puts a code to the requestor to enter in the MFA on their chosen device.

        They won't know the code if they've not made the request & can see the code on their screen.

        yes, if the miscreant has access to both the requesting system and the MFA device then they could defeat the MFA but if they've got all that & got past the password protections to open those devices then surely all bets are off anyway.

        I keep getting emails from facebook re someone trying to set up an account using my email address. I keep getting the MFA number to enter into the facebook page to create the account.

        Obviously I'm ignoring those MFA requests & have no desire to create a facebook account, I already have 1 on a different email address I don't use (facebook not the email address).

        Without entering that code they can't create an account.

      2. Not Yb Silver badge

        Sure, if your threat model is 'nation state', you'll want some sort of key system that can't easily be duplicated, but for the rest of us 'losing the device with the passkey' is sufficiently common that any passkey system that doesn't have a password/TOTP backup of some kind will result in loss of access. So the idea that it's somehow 'far far far more secure than using passwords and TOTP' assumes that Google (or whoever your ID provider is) doesn't use passwords and TOTP to validate creation of a new passkey if the old one fails.

        There are 3 fars too many in your last sentence, since that's exactly how most consumer-grade ID providers implement passkey resets, and authentication security actually requires careful design of the whole system, not just the one type currently preferred.

        1. Anonymous Coward
          Anonymous Coward

          The article kind of touches on why this is a confusing clusterfuck. There are two/three types of passkeys:

          1. Hardware bound (TPM, secure enclave, FIDO2 key) passkeys - this was the original design. Passkeys stored in hardware. Certainly more suitable for organisations over individuals. When a device gets lost - who cares, even if it's an admin device, another admin can reset the account so changing to a new device is seamless.

          2. Cloud synced passkeys - You sign in to Apple/Google and all your passkeys are automatically transferred over the cloud to your new device. Very much consumer grade, but vendor locked. Not as secure as the above - but solves the problem of needing multiple admins/org/etc.

          3. Password manager passkeys - The least secure but most accessible. You log into a single app (maybe with a password, maybe not) and the app remembers all your passkeys. The biggest problem here of course is that if your password manager gets hacked your passkeys aren't hardware bound and they replace both the password and MFA of the previous system you used. Still preferable to sending usernames/passwords over the internet for every login in 2026.

          Honestly - the best system for individuals is probably cloud based passkeys on Apple/Google, or 2 x FIDO2 Keys - a live key and a backup (don't buy a Yubikey - they're expensive because of the brand name not because they're any good - buy a Token2 for 1/3 the price). If you can't do those, maybe consider a password manager (with the above caveats).

          1. Anonymous Coward
            Anonymous Coward

            I'll take my chances against the bad actors in Moscow before I accept a guaranteed loss to the bad actors in Mountain View or Cupertino.

        2. Nerf Herder

          Every service I use that uses a passkey, bar one, also allows fallback to password and SMS code in the event of failure, lost device, or setting up a second device (where permitted). As well, in almost all cases, a user can reset their password by entering some personal data and confirming an SMS code. I worked through the logic flow charts for account recovery and password reset for all my critical services and was thoroughly dismayed. One service in particular allows not only 'choose another method' if login fails but also actually _prompts_ for a password reset to either phone or e-mail after three failed attempts, so all you need is to intercept one of SMS or e-mail and know (or guess) a little info about the user. In all but one of my cases, 'passkey-level security' is an illusion.

          It's not that passkeys are bad, but organisational implementation of alternatives and account recovery is terribly weak.

          There is only one service I use that implements passkeys and account/password recovery securely (or at least what I consider securely). It's a government service that allows all other login methods to be turned off. If your passkey fails, you then have to go into their shopfront to recover your account (assuming you don't have a second device with its own passkey, which they do allow). I went into their shopfront once for another matter and it was like a security ID interview; they actually took it seriously.

      3. The Organ Grinder's Monkey Bronze badge

        "pubic key"

        (insert appropriate Beavis & Butthead snorting noises here)

        In a discussion of encryption it was bound to happen, sooner or later.

  8. MaChatma CoatGPT 2.0
    Happy

    I keep all my PWs in a text file called passwords.txt on the desktop

    They aren't my passwords, obviously, but if some ne'er-do-well gets his grubby mitts on it then maybe it'll waste his time. This goes in the + column of Life vs Mr Coat. All victories count, no matter how small.

    1. Phil O'Sophical Silver badge

      Re: I keep all my PWs in a text file called passwords.txt on the desktop

      I've heard the same approach suggested for physical security. Leave a door key under the plant pot on your front porch, but make sure it doesn't open your lock. By the time the burglar has discovered that, they'll be getting antsy about neighbours and doorbell cameras and will probably give up and go elsewhere.

      1. tip pc Silver badge

        Re: I keep all my PWs in a text file called passwords.txt on the desktop

        Great idea, I will be doing that later.

      2. coredump Bronze badge

        Re: I keep all my PWs in a text file called passwords.txt on the desktop

        If it adds to actual security at all, e.g. by circumstance and delay, I consider that bonus points.

        The (admittedly probably marginal) win is that it might irritate some potential burglar a bit.

        OTOH at that point they might jam the key in, regardless of fit, and snap it off just for spite.

        1. Anonymous Coward
          Anonymous Coward

          Re: I keep all my PWs in a text file called passwords.txt on the desktop

          My house has a front, and a back door.

        2. Claptrap314 Silver badge

          I always

          prefer being DOSed to being hacked.

    2. David Hicklin Silver badge

      Re: I keep all my PWs in a text file called passwords.txt on the desktop

      Have it open a dummy door that goes nowhere and when it is opened some very bright lights and loud audio playing "Alert ! Burglary in progress" starts blaring across the neighbourhood.

      Hopefully would result in some brown stains at the very least !

  9. DJV Silver badge

    I suppose...

    ...one way of creating passwords might be to use one of the many combinations of three words from What3Words that just happen to be on the grounds of your residence.

    Of course, those of us in the British Isles can also use the four-word version from: https://www.fourkingmaps.co.uk/

    For example, the following might be an appropriate password for the "artist" formally known as a prince: pussypounder.weeb.pissartist.fartlozenge

    1. Doctor Syntax Silver badge

      Re: I suppose...

      Obligatory how did you get my password?

    2. ParlezVousFranglais Silver badge
      Coat

      Re: I suppose...

      Sounds more like the ideal password for the "Andrew" formerly known as Prince...

    3. A. Coatsworth

      Re: I suppose...

      Sooo... A correct horse battery stapler?

  10. David Harper 1

    OAUTH would like a word

    "It is, of course, getting worse. The whole idea of agentic AI is pinned to the donkey by the assumption that your agents need your access rights to act on your behalf. There being no industry-wide best practices, no inherent management principles, or indeed inherent anything, this means giving AI agents your passwords – something that in a sane and godly world you would not do."

    No industry-wide best practices? You mean, like OAUTH, which has been around for two decades?

    1. Doctor Syntax Silver badge

      Re: OAUTH would like a word

      "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service" - RFC 6749

      HTTP services are not the whole of computing. By introducing a 3rd party it increases the attack surface. It is an authorisation service, not an identity verifying service. Needless to say the usual suspects all have a hand in it.

  11. elsergiovolador Silver badge

    Good

    My password is as good as it was 8 years ago.

  12. Aaiieeee
    Angel

    Only last week I decided to try out a hardware key and actually I really like it.

    Now, all important services require a password in Bitwarden + Token, OR, Bitwarden printed recovery key if Token is lost (so I can get the password AND the MFA TOTP seed, which is also stored in Bitwarden). If Bitwarden goes down I will spin up a self-hosted instance and import the most recent encrypted password export (which I take every so often) and migrate to a different solution.

    I risk assessed Bitwarden in light of the recent news and decided I will stick with it for now. It's a single source of failure, but then I have to be realistic with what risk I am mitigating. If my house burns down I lose the token AND the printed recovery key.

    As a plug for hardware keys: it holds all the passkeys and TOTP MFA codes, you have to touch the key to confirm physical presence, which is nice, and there is a PIN with a 10-attempt lockout in case it gets lost. It has NFC so I can use it with my phone too. I find it much nicer to use than a phone authenticator app. The passkeys are stored on the token, not the PC's TPM, for some portability.

    1. Anonymous Coward
      Anonymous Coward

      Re: Only last week I decided to try out a hardware key and actually I really like it.

      How would you use it on a VMware VM console?

  13. Anonymous Coward
    Anonymous Coward

    What is "Apple Lightning Syndrome"?

    I'm assuming it's a reference to Apple's Lightning connector. Seems pretty good to me - works across several generations of Apple devices, and while the cord does eventually wear out, that's the same with all cords.

    The consistent move to USB-C has been nice, too - chargers and data cables that work with anything. Except when they don't; we have 2 devices that will only charge from a cheap knockoff USB-C cable (or maybe it's the power adapter?), not from the Apple or Chromebook USB-C cables/chargers...

  14. af108
    Facepalm

    Security vs convenience

    There are 2 scenarios where people really "care" about passwords.

    1. If they can't remember them. Cue rage about "it fucking IS this password I'm entering" or "ffs why do I have to reset it". Get out of my way, Auth, and let me do what I want.

    2. If they get compromised.

    For many people 1 happens a lot more frequently than 2.

    The trade-off therefore becomes - I'm ok with slightly shit security (writing down my passwords, re-using the same ones, using weak passwords, etc) *unless or until* something bad happens. If nothing bad does happen it just reinforces this as being the "correct" perspective.

    If you try and have a debate with an average non-technical user about using different passwords or a password manager you can fully expect them to have switched off before you get to the second sentence.

    Unfortunately convenience will always outweigh security. It's very convenient that your face and the phone in your hand are always near each other, and there's nothing to remember, and your face is unique etc etc. / SIGH.

    1. Big_Boomer

      Re: Security vs convenience

      The problem is when you have to simultaneously access 10+ different systems, each of which has a separate login, and you get REALLY bored of having to look up a password every time, so you reuse passwords. I personally have well over 300 passwords I have to remember for work and probably close to 100 personal ones. I try not to reuse, but I'm not perfect.

      Passkeys only work from a particular device so are very limited in use, even if they are more secure.

      Whenever this comes up I am reminded of the fact that the most secure computer is one that is not connected to anything and that nobody is allowed to use. 100% secure, but also 100% useless. So we are always down to allowing some connectivity and some access and trying to maximise usability whilst minimising exposure. Many IT depts get that balance badly wrong because they become security obsessed, although that usually ends in unemployment when the day comes that the CEO is locked out of his laptop due to over-zealous security.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security vs convenience

        One option less bad than reusing a password itself is memorizing a formulaic pattern for lower-value stuff. Derivatives of a template (which only you know) can be quite effective. For attackers to break the pattern, they would need access to enough plaintext passwords to discover the pattern. That's quite a bit more difficult than straight replay.

    2. Anonymous Coward
      Anonymous Coward

      Re: Security vs convenience

      Nah, what I hate is when they create a new gmail account that resembles their name even less, because they can't remember their password.

    3. David Hicklin Silver badge

      Re: Security vs convenience

      A lot depends on the importance of the access: here on the Reg, for example, it has low importance, whilst accessing my bank needs something a lot stronger.

      Horses for courses, the Passkey/2FA for *everything* is overkill.

  15. vtcodger Silver badge

    Potemkin Security

    Biometrics?

    I have a (purportedly) smart phone that requires a fingerprint to unlock but will erratically accept any of my fingers except the left index finger which never seems to work. I'm sure some other phones have less eccentric sensors/software. But I have to wonder how many don't.

    1. Yet Another Anonymous coward Silver badge

      Re: Potemkin Security

      It's a fingerprint sensor, it senses a fingerprint. Any fingerprint.

    2. Jim Whitaker

      Re: Potemkin Security

      Me too.

  16. Tron Silver badge

    Passwords are fine.

    Use long ones, each different, store them in a password book and hide it well. Paper is safer.

    Don't use password managers or AI of any description. You'll be fine.

    2FA is a pain in the arse as it gives you an additional point of failure, usually via the most stolen/broken item on the planet. One that is also vulnerable to your telco cancelling your SIM card without warning or explanation. Cheers Vodafone.

    Don't use biometrics. You can't change them, they are not reliable, and aggressive crims will just 'borrow' your face/fingers if they need to.

  17. Anonymous Coward
    Anonymous Coward

    You can have my passwords when you pry them from my cold, dead brain

    "When it all works, it can't be beaten. Go to an online service, the system fills in your username, dab the fingerprint sensor, and you're in."

    Malarkey. Can't think of much worse than surrendering authentication sovereignty to cloud shit, except perhaps ALSO letting Big Tech worm its way into my phone with creepy biometrics. Even MFA sucks because I'm not installing a stupid app and no, you can't have my phone number, which is for all intents and purposes, the new unique identifier of the modern era.

    Passwords will endure because no other paradigm gives the user as much control. Not all of us are compliant cloud consumers willing to do what Big Tech expects. There's a reason Big Tech has put so much effort into building authentication rails despite it not being directly monetizable.

  18. TheFifth

    Email Login

    I've noticed a trend recently where websites don't use passwords and instead ask you to enter your email address and they send you a one time link that automatically logs you in, or you use an app where you can say 'yes, this was me' without entering any password. My car insurance does this and I know I use a few other services that do too. This seems like a great idea, until it isn't.

    I have a friend who used a hotmail account for his main email. He had it for years and signed up for everything using it. He also used the MS auth app on his phone, which pops up an 'is this you?' message each time he logs in online, and he can only successfully get in if he taps yes. No password required. He must be one of the most unlucky people in the world, because one day when he was logging in, someone in Russia was also trying to log in at almost exactly the same time. The popup appears on his phone, and as he's expecting it, he doesn't check the location and just hits 'Yes'. A second later another popup appears, this time for his login. Then the penny drops. He's just let someone into his email without needing a password. Cue a panicked phone call to me.

    This is where the 'send a link to email for login' is a real issue. The miscreant went through his email and searched for any services he'd signed up for using it, then methodically went through each changing the login details. If the service used this 'email a login link' thing, he didn't even need to change the password to get access. He just had to put the email into the login window and he was in. So we were in a race to change account details on services before he got to them, or change back ones he had already changed, and this new login method made our life ten times harder.

    The main issue of course was Microsoft. There is an option to logout all devices from your account, which was our only way to eject the miscreant and regain full control again. But MS being MS, this option takes up to 24 hours to log all devices out! What!?! We had no way to eject him other than wait 24 hours.

    We ended up changing the associated email on all the accounts we could remember, but I still spent hours watching the inbox looking for changes to account signups we'd forgotten, pouncing on any password change emails that came through before he had a chance to use them. Thanks for that MS.

    The other worst offender was GoDaddy. The miscreant logged in there and instantly transferred all the domains to a different GoDaddy account. GoDaddy were not interested in helping at all. No matter how much evidence was given, they refused to do anything. It was only after over a week of them saying no and us supplying a police crime number that they finally relented and reversed the transfers. Reporting it to the police was the only thing that moved them. I'm just glad the miscreant didn't repoint the domains or transfer them completely out of GoDaddy to a different provider in that week, or things could have been very different.

    1. tip pc Silver badge

      Re: Email Login

      I think Google has an option to log out of all sessions; the miscreant would then have to log in again.

      1. TheFifth

        Re: Email Login

        "i think google has an option to logout of all sessions, the miscreant would then have to login again"

        Unfortunately this was Microsoft Hotmail, which does have a logout all sessions, but it takes 24 hours to log everything out. So the miscreant still had 24 hours to run amok after we logged out all sessions.

    2. Nerf Herder

      Re: Email Login

      'Magic links' are a known security vulnerability. As reported right here on El Reg, some of the links aren't even sufficiently random to avoid guessing another valid link (and then a miscreant using it for nefarious activities).

      One organisation I deal with has recently stopped using magic links (sent in response to entering your e-mail or phone number) and has instead upgraded security to use ... wait for it ... a username and password.
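The comment above is about magic-link tokens that are guessable or reusable. As an added illustration (not code from any service mentioned on this page), the following shows a counter-derived token of the kind that can be predicted from one valid link beside a hardened issuer that uses the OS CSPRNG, stores only a hash of the token, and makes each link single-use with a short expiry; the store, TTL and e-mail addresses are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # constructed value: a link is valid for ten minutes


class WeakMagicLinks:
    """The pattern the comment warns about: tokens come from a running counter,
    so holding one valid link tells you what the next one looks like, and a
    link stays valid after it has been used."""

    def __init__(self):
        self._next = 1000  # constructed starting point
        self._valid = {}   # token -> email

    def issue(self, email: str) -> str:
        token = f"{self._next:08d}"
        self._next += 1
        self._valid[token] = email
        return token

    def redeem(self, token: str):
        # Never removed from the table, so the same link logs in repeatedly.
        return self._valid.get(token)


class MagicLinkStore:
    """Hardened issuer: unguessable token, hash-only storage, one-time use, expiry.

    `clock` is injectable so the expiry path can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        # 32 bytes from the OS CSPRNG; a leaked link reveals nothing about others.
        token = secrets.token_urlsafe(32)
        # Only the hash is kept, so a copied database does not yield live links.
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        # pop() enforces single use: a second presentation of the same link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are dropped, never honoured late
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com")
    print("first use:", store.redeem(link))   # alice@example.com
    print("second use:", store.redeem(link))  # None
```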

  19. Sam not the Viking Silver badge

    Beware of middle men-in-the-middle.

    I had to use 2FA to enter the portal to review my pension pot. Before letting me in, the portal asked me to accept the T&Cs of its use. Hmm. Being a bit cynical, I read them; it was only one page. It transpired I had to agree to give them access to my pot of savings... Their liability was limited to £1k. My liability if their software was compromised was unlimited!

    I contacted my pension man and said, in no uncertain terms, that this portal-mob were not allowed access to my pot. If that couldn't be done, the pot was going elsewhere.

  20. tip pc Silver badge
    WTF?

    I use the same passkey across my personal devices & work devices; it's not limited to a single device.

    They can't be stolen or duplicated, and are strictly a per-device system. That's something that can be explained to anyone, although probably with different words, and the advantages made clear. Use passkeys, and you won't need passwords and you'll be safer.

    I use Apple Passwords to share my passkeys & passwords across my personal (mbp/ipad/iphone) & work (mbp/iphone) devices & they work fine for getting me in to my personal logins on sites across all those systems.

    Is something going on in the background to create new passkeys per device that I don't know about?

    Only took a few seconds to share to my work profile & is seamless.

    I don't think it's being duplicated; works with Touch ID on those systems that only have that & Face ID on my iPhone/iPad.

  21. Filippo Silver badge

    Look, there's a reason passwords endure. That is always the case when systems endure despite people decrying their faults and providing alternatives for decades (e.g. IPv4). It's never because people are stupid; there are always good reasons. Maybe not the reasons you like, but good reasons.

    In the case of passwords, it's because they are easily understood as a concept, can be easily changed if compromised, can easily work entirely offline, and don't have any single point of failure except for the user's brain. There is no other system that has the same properties. 2FA locks you out if your phone has any hiccup. Biometrics - ah, the credentials that you literally leave everywhere you go and can never change, great idea.

    I'm not saying that passwords are the one true system and everything else is bad, far from it, but let's not be naive here. There are good reasons for passwords, and pretending there aren't won't help anyone.

  22. Detective Emil
    Coffee/keyboard

    Apple taxes the fingerprint sensor

    Your sparkling new Mac mini might sport a processor of unrivalled brilliance, but Apple forgot the fingerprint sensor.

    It's on the extortionately-priced Magic Keyboard that you didn't buy at the same time. Some people love the sensor, but hate the keyboard, so resort to hacks [machine-translated from Japanese].

    1. HCV

      Re: Apple taxes the fingerprint sensor

      I've been on the verge of upgrading my Intel-based Mac Mini, and figured I'd have to buy the Magic Keyboard. Now I know there's an alternate solution that may or may not involve Lego® brand construction parts.

  23. andrewisaround

    I have some passkeys on a Yubikey and it works reasonably well, except for the NFC. The problem is there seem to be two schools of implementation for them - one allows you to make multiple passkeys on any device, and the other only lets you make one passkey, almost always on a phone only.

    Examples of the former are Amazon and Microsoft. Examples of the latter are PayPal, eBay, TikTok, WhatsApp...

    The reason the latter is an issue is that you don't control passkeys on a phone. You have to hope the service (iCloud keychain, Google etc) won't decide to revoke their service.

  24. Jim Whitaker

    "a standardized user experience". I guess that is so when it breaks at least everyone is in the same boat. My password manager is standalone, has no communications and sits happily on the desktop, laptop and tablet. Personal discipline keeps them synchronised in a way which suits me.

  25. Dabooka

    I must be alone

    I do not think I've ever successfully set up a passkey.

    I often get asked to create one, yet I have no USB device to insert, for example (that one was taken directly from my workplace's online training and CPD register). I'll stick with my little black book for now, thanks.

  26. osxtra

    CTRL-ALT-SAFE

    Not sure it's a good thing that I'm as old as passwords. ;(

    Am also not "typical". Why use Big G when you have your own domain? My 2FA site (thanks, https://github.com/Bubka/2FAuth !) runs locally as well as online, with the latter only allowing IPs I specify via a simple .htaccess entry, easily updatable via SSH if I'm on the road.

    My manager? An encrypted drive, no access to the system if I'm not sitting in front of the keyboard, a PHP script I munged some years back that can do alpha upper or lower, numbers, special chars, or a combo of all that, 2 to 63 chars, feeding an encrypted db on my daily driver that has a local-only access via an Apache vhost on the same machine, which if desired can place the desired entry on the clipboard then wipe it again after use.

    Old? Not yet. Paranoid? Just enough.

  27. tiggity Silver badge

    I do have all my important username / password combos (and sites they relate to) on a piece of paper *.

    Though that is kept, securely, at my solicitors (as it's for the scenario of my death, so next of kin can avoid all the PITA delays of not having logins to various things, so it would greatly speed up getting my affairs in order).

    Yes, I could be in a load of grief if that was stolen from the solicitors, but in the overall scheme of things it's a very low risk.

    *It also has other details needed for dealing with death, such as financials - e.g. my bank account names, numbers & sort codes (as I do not do online banking, so no credentials for online banking).

    Biggest pain is occasionally having to update details at the solicitors when some site does an enforced password change due to a screwup on their side (stares hard at a water utilities company).
