in practice / How to Create a Secure Password

Passkeys are randomly generated passwords that are required to be managed by a password manager. All the major password managers support them, including Apple, Google, Microsoft, Mozilla, and 1Password - Passkeys: A shattered dream

• By requiring the passkey to be managed by a password manager, you get some anti-phishing protection. A passkey includes metadata, including the website domain that created it, and the password managers simply won’t provide the passkey to the wrong domain.
• If you’re happy with your password manager, there’s no real need to switch, but even very “sophisticated” password users have been known to fall prey to social-engineered phishing attacks.
• Passkeys can make it harder to switch password managers because the password managers are designed not to let you copy-and-paste a passkey, including from Google’s Password Manager to Apple’s Password Manager. I think all the password managers kinda like that, and there’s something good and bad about it.

• a passkey is not just “a really long password” but also one that’s never sent to the server directly - instead it’s used in a challenge/response protocol (like SSH keys). Which requires software, either the browser or an external password manager, to run.

• HN Most attacks we see now are credential stuffing attacks rather than pure brute force attacks using something like Sentry MBA, with a huge number of IP addresses (the last attack we saw was using over 6 million IP addresses). So throttling sign in attempts at the IP level is almost useless as is throttling at the email level, as the attacker can attempt at least 6 million known email/password combinations to see if those accounts exist on your site.

The only real defence against that is all your users using 2 factor, or creating a psuedo 2nd factor (email them if the attempt is from an unrecognised IP).

Of course the other helpful defence is to ensure your users aren’t reusing passwords, which is where Pwned Passwords comes in.

• HN: We watch as hackers use tens of thousands of different IP addresses to scan through millions of attempted account names and passwords, almost all of which are for accounts that don’t even exist in our database, looking for matches. They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101”. If they don’t get a match immediately, they may try a variant like “alligator100” or “alligator102”, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords.

So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites.