
Whether or not they're the same is a bit of a red herring; the question is whether the marginal added benefit of cryptographic phishing resistance is worth the trade-off in UX, which introduces new kinds of vulnerabilities due to undesirable user behavior and/or implementation workarounds. And to answer that question you can't just dismiss the security offered by password managers—it's a very real protection that needs to be factored into your assessment of the strengths and weaknesses of each system.


Take it up with the person who said the two countermeasures were literally equivalent. You're not going to get anywhere with me on this.


Which user/comment are you referring to? The top-level comment? I'm the person you replied to initially, and that's not what I said, so I'm assuming you're referring to something else.


passkeys stored in a password manager aren't any more secure in practical terms than random passwords stored in a password manager

It is my contention that this statement is:

1. Categorical,

2. False, and

3. Categorically false


And you would be wrong. You somehow jumped from "in practical terms" to "literally equivalent".


They are not comparable in practical terms.


Maybe, maybe not. You went out of your way to attack a straw man instead of showing any of that. So why should I believe you now?


I have no idea who you are, am comfortable with who does and does not believe me here, and think you should do you. But no: the two approaches do not offer comparable practical security.

From the questions and comments across the rest of this thread, the misunderstanding here seems clear: the person I'm responding to did not realize that FIDO2 cryptographically binds credentials to sites.



