
I trust 1Password. They are very open about how they encrypt data and how the key is derived. I like how they store your encrypted data locally in a SQLite DB. My only real concern is with storing passkeys because they cannot be stored locally yet and you are granting 1Password control over your access to any site you need a passkey stored with them. They are working on a passkey exporting process. I would feel better if I could have the same Passkey stored by 1Password and Azure and Google.


What is the advantage of passkeys compared to managing unique passwords with 1pw? Is there any tangible benefit to switching, besides that Google et al will stop hounding you to do so?


Passkeys are asymmetric keys so a hacked site cannot leak the hash or even the plaintext of a passkey. And the private key is never exported to insecure hardware. Funny how so many Linux gurus have been shitting on using passwords for SSH for decades in favor of using SSH keys and now that there is an actual effort to use what are essentially SSH keys tied to a specific domain they are rejecting it.


Sorry, I'm still not clear what the advantage is, compared to storing unique passwords in 1pw. If a site is hacked, the only thing at risk is my data on that specific site, which would be the case either way. I definitely understand how they would be easier and more secure for people who don't use a pw manager, but that's not my question.


There are some obvious, significant benefits I can think of off the top of my head:

- Passkeys give the website no secret to keep.

Breach of the passkey public key is not an event worthy of credential rotation.

- Passkey authentication is submitted via a rigorously-defined mechanism intended for machine-to-machine communication.

Ever had your password manager try to fill the wrong field with your login credentials? Passkeys cannot make that mistake. There's no heuristic mechanism at play trying to figure out where to insert the passkey.

- Passkeys are immune to credential theft via MITM

Sure the MITM could hijack the session, but not the credential. (I know this one is a stretch, but you asked for anything)


An actual API to use when authenticating is a real advantage for Passkeys I hadn't considered.


They aren't that much more secure than a random 256 bit unique password for every site stored in a secure password manager. They are designed to raise the security for the average user, not the most security conscious.

https://www.computest.nl/en/knowledge-platform/blog/advantag...


This is a weird take. The passkey can be up to 1400 bits in length which makes it significantly more difficult to brute force than a 256 bit password. Not to mention some sites won’t even let you type in a password that long, and then ofc rainbow tables.

Passkeys are significantly more secure for everybody.


A truly random 256 bit password would require more energy to brute force than the sun will emit during its entire lifetime. A 1400 bit long random password is not any more secure in practice.

Passkeys are normally 256 bit ECC keys.


You’re totally right, more bits doesn’t mean more security. /s

I seriously hope you don’t work in any security field.


I don’t trust 1Password, but not for technical reasons. They like to play subscription games and hold accounts hostage. I’m moving to apple passwords myself.


I'm going to try running vaultwarden myself.



