by Renevith 1280 days ago
"A random password stored in a password manager is literally what a passkey is."

This is not quite true; a passkey is still somewhat more secure than a password in this scenario.

With passwords, the password itself is sent to the website and a hashed version is stored in their database. If someone can intercept your connection to the site (MitM) or can access their database (hacker), they might be able to get your password and log in as you, especially if the website doesn't implement their hashing very well.

These attack vectors don't apply to passkeys, even when generated and synced by a software password manager: the private key never leaves your computer, only the corresponding public key. The website generates a unique challenge on each login that can only be solved by your private key, so intercepting a particular challenge or stealing the public key from the website database doesn't let anyone log in as you later.