by snarbles 587 days ago
The conclusion of the article seems to be that passwords should be encrypted with asymmetric encryption instead of being hashed. I really couldn't disagree more. We see how competently companies manage their security. It's very easy to imagine a scenario like a company using the same key to encrypt every password. They accidentally push it to github or otherwise get it compromised and now a dumped database becomes a table of plaintext passwords, no rainbow tables needed.

What we really got wrong about passwords is using them in the first place. I don't know anything about how passkeys are implemented. I would hope they aren't tied into any OAuth nonsense (IMO OAuth is a cure worse than the disease), but even if the implementation were flawed, passkeys are the right kind of solution: cryptographic authentication that plays to the computer's strength instead of depending on something humans aren't good at.
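An added illustration of the first paragraph's scenario, not code from the comment or from the article it discusses: a reversible "encrypt every password with one site-wide key" store beside a one-way salted-KDF store, with a constructed database dump and a leaked key. The HMAC-SHA256 counter-mode keystream, the placeholder `SITE_KEY`, and the function names are assumptions made so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Constructed sample values: the single shared key the comment warns about, and one password.
SITE_KEY = bytes.fromhex("00" * 31 + "01")  # placeholder key, constructed for the demo
PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 600_000  # slow on purpose; each verification pays this cost


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in cipher so the reversible scheme needs no
    third-party library. A real deployment would use an AEAD; the weakness shown does
    not depend on which cipher is used, only on the key being reusable and leakable."""
    out = b""
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_password(key: bytes, password: str) -> bytes:
    """Reversible storage: random nonce + (password XOR keystream)."""
    nonce = os.urandom(16)
    pt = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))


def decrypt_password(key: bytes, record: bytes) -> str:
    """Whoever holds the key and the record gets the password back verbatim."""
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def hash_password(password: str) -> bytes:
    """One-way storage: per-user salt + PBKDF2-HMAC-SHA256 digest. There is no key to leak."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def verify_password(record: bytes, candidate: str) -> bool:
    """The only operation a hashed record supports: check one guess, at full KDF cost."""
    salt, digest = record[:16], record[16:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return hmac.compare_digest(probe, digest)


def simulate_breach(rows: dict, leaked_key: bytes) -> dict:
    """Models the comment's scenario: a dumped table plus the leaked site-wide key.
    Rows stored reversibly come back as plaintext; hashed rows yield nothing directly."""
    return {user: decrypt_password(leaked_key, rec)
            for user, (scheme, rec) in rows.items() if scheme == "encrypted"}
```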