Fed up with PassKeys aggression. Am I doing something wrong?

Jezmund_Berserker · July 2, 2025, 3:00pm

I recognize that I’m a security outlier (most on this forum probably are) but passkeys do not provide “vastly more” security for me personally and I’d be just fine to skip this fecal-festival of a rollout across the internet. I’m glad that for you it’s a small price for the upside. It is not so for me.

nfdksdfkh · July 2, 2025, 3:17pm

You can’t control what companies do on their end, sadly. Bad practice in terms of not hashing and salting master passwords properly, a compromised DNS, or poor website design that permits XSS are examples where you might do things right but someone else’s error means your credentials might get compromised.

webwalrus · July 2, 2025, 4:00pm

No disagreement from me. The issue is with how it is being rolled out. All they would have to do is say something like “as of August, regular password sign in will not be supported. You will have to migrate to a passkey. If you would like to do that now, click here. If you would like to learn more about passkeys and how to effectively manage them, click here.”

It is possible to push users in the direction that you want them to go without actively doing things that potentially screw them over.

WayneG · July 2, 2025, 4:11pm

I wasn’t an early adopter of passkeys. The first time I tried it on my pharmacy’s site it didn’t work. Nor did it seem to work correctly for the next month or two. Then one day it did. Now with the exception of a couple of social sites that I rarely use I am using passkeys on all my sites that offer them.

Counting 1Password I do business with several Fido Alliance Board Level Members. The way I see it, once everything started working for me adopting passkeys was the logical choice. Why try to hold back the tide?

liminal · July 4, 2025, 4:02am

Hopefully SHA2 algorithms and not not MD5. MD5 has been considered insecure for something like 15 or 20 years now if I recall correctly.

webwalrus · July 4, 2025, 10:48pm

I stand corrected, but the principal is the same. An eight character password would hash to the same as a much, much longer password. Password length should not be the issue.

rob · July 5, 2025, 7:02am

Still companies use MD5

Here’s a random recent breach (May 2025) where MD5 hashes got leaked:

(And there are more)

Alevyinroc · July 5, 2025, 7:14pm

I thought it was slightly more recent, but apparently it’s been nearly 30 years