Jump in the discussion.

No email address required.

I don't know what this is, I'm not reading it, I just know that I just plain don't like it!

https://media.tenor.com/DGVx4gZzXsQAAAAx/ren-and-stimpy-horse.webp

Jump in the discussion.

No email address required.

Tl; dr: passkeys are a public-private key cryptographic way to authenticate a user, rather than shared secret (the password).

Everyone gets so caught up pushing the "just use a PIN, it's more secure!" line that it sounds like bullshit with an ulterior motive. But, it's a good idea if done right.

Jump in the discussion.

No email address required.

So today Chrome is using encrypted sqlite databases to store session and separately passwords. These are encrypted with keys provided by the Windows system itself and in some of the things I've done I've needed to decrypt them. It's not hard to get the information you need from Windows to do so. At least keeping the passkey in your mind is fairly secure

Jump in the discussion.

No email address required.

These are encrypted with keys provided by the Windows system itself

I'm assuming you mean in the default state and not when using the sync passphrase setting

Jump in the discussion.

No email address required.

Im willing to bet its crappy enough i can grab it.

Jump in the discussion.

No email address required.

Does their implementation just rely on windows, and not have some kind of master password you remember? Because if so, that's r-slurred.

Authentication relying on 2 or more of "something you know", "something you have", and "something you are" is considered good. If you reduce it to just one, and pick "something you have", that's terrible.

Jump in the discussion.

No email address required.

https://i.rdrama.net/images/17270383725592525.webp

Here's how you would decrypt it with .net and no user involvement have fun

!codecels

Jump in the discussion.

No email address required.

is there an equivalent for macos?

Jump in the discussion.

No email address required.

Mebbe, idk how chrome encrypts stuff on mac they might not bother

Jump in the discussion.

No email address required.

looks like macos is yet again a little more secure:

https://medium.com/@stevemarkperry/how-chrome-stores-your-passwords-windows-macos-and-why-you-still-shouldnt-let-it-de3774886733

i kind of hate apple, but the computers are just better.

Jump in the discussion.

No email address required.

hope ur granny doesn't reuse that super secure master password anywhere else

Jump in the discussion.

No email address required.

That's why you pair it with "something you have" and "something you are"

Jump in the discussion.

No email address required.

99% of people find whatever 5 stage auth thing u have in mind tedious and will ignore or abuse it

Jump in the discussion.

No email address required.

Step 1: sign into password manager

Jump in the discussion.

No email address required.

becomes step 1: enter password123 that u use everywhere else

Jump in the discussion.

No email address required.

I have: this password

I am: the person who has this password

Jump in the discussion.

No email address required.

>that's terrible

for some things it's perfectly adequate. You wouldn't save your cookies or sessions on an untrusted computer anyways.

Remembering passwords is a real hassle and should only be demanded when it's worth it.

Jump in the discussion.

No email address required.

Passkeys are simply a token signed by a hardware key (TPM in Windows). There is nothing to decrypt and nothing to exfiltrate.

It's effectively federated authentication. You authenticate to your machine and that is trusted for authentication with the sites you visit, they just need the PK.

If you want a more secure version then you get a yubikey. You are not using a key, even if encoded in a readable format like PEM, the private key is ~450 characters of b64.

Jump in the discussion.

No email address required.

they want to use no passwords a passkey like ur face

Jump in the discussion.

No email address required.

Your face isn't the passkey itself, your face unlocks access to a private key, and that is the passkey.

Jump in the discussion.

No email address required.

no it's not ur face it's this other thing that you unlock by usin only ur face

:marseyshitforbrain#s:

Jump in the discussion.

No email address required.

My face!?!?!?!??!?!?

:#marseyragingtalking:

Jump in the discussion.

No email address required.

The final answer is The Mark

Jump in the discussion.

No email address required.

*CALL THE POLIIIICCCCEEEE!!!"

Jump in the discussion.

No email address required.

Hello, police? Hi, yes, it's Marsey again...

:#marseygossipsmugtalking:

Jump in the discussion.

No email address required.

Link copied to clipboard
Action successful!
Error, please refresh the page and try again.