18 comments

[ 3.0 ms ] story [ 51.9 ms ] thread
Interesting read. I think something that bothers me more than trying to remember passwords (I have a system) is when an app or website won't let you see what you've typed! It's so easy to make a typo, especially on a phone and nothing infuriates me more than that "wrong password" message popping up when I can't even view what letters/numbers I've typed in before hitting enter.
This is one of the most misguided security features - in some cases in public places maybe. But anywhere else let me at least see what I’ve typed (or as the iPhone does show me at least the last character as I type it).
I still run into arbitrary password limitations (no special characters, 20 character max, etc). I go through the “reset password” process just to see what arcane rules I had to follow, which is enough to help me remember my password so I can log in.
I seriously have to reset passwords every 2-3 days for different websites AND I use a password manager. It's maddening and embarrassing and sometimes it feels like someone is playing a mean joke on me
It's not ideal, but you can just open up your browser tools and change the input type from 'password' to 'text' so you can see what you're doing.

Tricky on a phone though... .

On iOS you can do this with an extension called Web Inspector. It’s quite literally what the name suggests, albeit more limited than its desktop counterparts.
Will a ‘passwordless future’ gain traction though? I keep hearing the term ‘passwordless’ but right now it’s a niche thing with only techie types early adopting it. I own a Yubikey and use WebAuthn where it’s supported. But only some services support WebAuthn. For this to take off it needs to be ubiquitous and widely supported. Also this article says people won’t be locked out, but if you lose your Yubikey you need some recovery mechanism in place, and not all services support a ‘recovery code’ option meaning you have to contact support, verify your identity with a passport scan and other KYC checks.
Apple Passkey solves most of these issues and will be releasing later this year.

1. It uses your iphone as a security key, which many people already have

2. your private key is synced to your icloud account, so you don’t need to worry about what happens when you lose your phone

> Disclosure: I do not have a password manager

Written by someone who writes articles for a tech mag and doesn't use a password manager?

Thanks to my use of a password manager for many many years now, I don't know any of my passwords at all. I guess I've already failed. Before we start worrying about BigCo helping us log in, let's at least get the basics correct first.

I use a password manager and recently ran into an issue where I couldn’t remember the passcode for my iPhones guided access that I set for my kid. I managed to guess it, but it expresses the fundamental problem of actually adding and managing the passwords, in spite of not knowing what they are.
I would write down passwords like that. Put them in a notepad and secure it physically (unless you are under state surveillance of course).
I would be more concerned about being surveilled by the adversary with routine physical access to you.

"Write it down physically" is great in typical threat models where you have mostly network adversaries, but this particular situations is a bit

If your face becomes your password, what happens if you are in an accident and get a broken nose, lose a couple of teeth, and get some stitches? Will you be locked out until you heal? If there’s permanent damage to your facial structure, how do you “reset your password”? (I will admit I have not done a thorough survey of the existing literature; I’m guessing others have thought of this problem and it has long since been solved.)
I refuse to use any FaceID system but the fingerprint scanner on an iphone is just a quick-access unlock vs a manually entered passcode/password. Eg. if you lose your thumb that unlocks your cellphone you can still enter your full length password and reconfigure the biometrics.

Seems like this article is about a new consortium trying to do global single sign on and is selling it as "no more passwords!"

The article isn't stellar about explaining what they mean. FaceID and TouchID as implemented by Apple requires you to type in your password every couple of days to ensure you don't forget it. They augment your password (and weaken overall security) but they don't replace your password. I can't speak to every similar Android and Windows implementations, but I charitably assume they've followed the same path, Google Pixels have at least.

So to answer your question specifically for an iPhone, if you're using FaceID and get in a face-mangling accident, you type in your password until your face heal enough to stop changing and then set up FaceID again with your new mug.

Let's just get rid of user accounts altogether. We started wanting to get rid of emails then got insecure about our passwords...all in the quest of anonymity and security.

99% of us don't get hacked. 99% of us are ignored by everyone in the world. But we care about our privacy nonetheless. And we care because all these services are after data they don't need at all.

It's so annoying when during sign up for a service you are asked to provide company name, country, phone number, email, full name, date of birth, password etc. Does a reality exist where I just won't have to sign up at all?

Accounts are portals into the always connected digital world. In effect their only use is to connect a piece of information to you. Is it impossible to do that in a completely anonymous way?

it's not. just outsource the login. one of my apps i only support google login. only thing i save in my db is some meaningless identifier. no emails, no names. i don't need em.