• shnizmuffin@lemmy.inbutts.lol · 10 points · 2 days ago

    change your account passwords, use a password manager and switch to passkeys wherever possible.

    Can someone explain to me how passkeys are more secure / better than passwords?

    • 9tr6gyp3@lemmy.world · 7 points · 2 days ago (edited)

      Passkeys are a cryptographic public key authentication system, similar to how SSH keys work.

      Your password manager stores your passkeys. You must complete a private/public key pair challenge with the website you are trying to authenticate with in order to login using your passkey.

      It changes the factor from “something you know” to “something you have”.

      Most password managers require biometrics (something you are), or require a master password (something you know). Once this is paired up with a passkey (something you have), it means you are using multi-factor authentication to login, which is much stronger than using just username and password.

        • 9tr6gyp3@lemmy.world · 4 points · 2 days ago (edited)

          No, two-factor authentication does not mean it is a passkey.

          Email is something you know, but also something you have. You know the username and password to your inbox, but you have access to your inbox if you stay logged in, so this can be either factor. A phone number is something you have, so you can receive text messages with it as a factor. Passkeys are their own technology that fits into the something-you-have category. Once you have two of these factors combined, that's how you get the 2FA experience.

    • MangoPenguin@lemmy.blahaj.zone · 4 points · 2 days ago

      A super basic explanation as I understand it.

      With a passkey the server (like Google) only has half of the passkey, you have the other half.

      So having the server half be made public is still safe, as it’s not useful on its own without the other half that you still have kept private.
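The challenge-response that the two replies above describe (the site holds only the public "server half", the user's authenticator holds the private half and signs a fresh challenge) written out as an added Go example. This is not code from any commenter or from a real passkey/WebAuthn implementation; it stands in with ECDSA P-256 over a random 32-byte challenge and omits WebAuthn's actual message formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registration: the authenticator (password manager or security key) makes a
// key pair and gives the site only the public key, the "server half".
type Credential struct{ Pub *ecdsa.PublicKey }      // safe to leak
type Authenticator struct{ priv *ecdsa.PrivateKey } // never leaves the device

func Register() (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{Pub: &priv.PublicKey}, nil
}

// Login step 1: the site sends a fresh random challenge, so a signature
// captured from one login is useless for the next.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Login step 2: the authenticator signs the challenge with the private key
// (after the user unlocks it with biometrics or the master password).
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}

// Login step 3: the site verifies using the stored public key only.
func (c Credential) Verify(challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(c.Pub, d[:], sig)
}

func main() {
	auth, cred, _ := Register()
	ch, _ := NewChallenge()
	sig, _ := auth.Sign(ch)
	fmt.Println("genuine login accepted:", cred.Verify(ch, sig))
}
```

A leaked `Credential` lets an attacker verify signatures, not produce them, and a signature replayed against a new challenge is rejected.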

  • ikt@aussie.zone · 7 up / 1 down · 2 days ago

    Are there any genuine articles on this? I assume Forbes is just clickbait

    • IrateAnteater@sh.itjust.works · 5 points · 2 days ago

      I haven’t seen anything on this one specifically, but if it’s anything like the previous releases of this size, it’s just a compilation of a bunch of older releases, not billions of new passwords.

      • ikt@aussie.zone · 3 points · 2 days ago

        That’s the thing, the article says it’s all new:

        The 16 billion strong leak, housed in a number of supermassive datasets, includes billions of login credentials from social media, VPNs, developer portals and user accounts for all the major vendors. Remarkably, I am told that none of these datasets have been reported as leaked previously, this is all new data. Well, almost none: the 184 million password database I mentioned at the start of the article is the only exception.

        but the autistics on Mastodon aren’t going wild about this so I feel safe assuming it’s Forbes clickbait

  • ohshit604@sh.itjust.works · 2 points · 2 days ago

    Get yourself a Yubikey or two, keep all your 2FA codes on a physical keychain rather than some Authenticator app.

  • darthelmet@lemmy.world · 5 points · 2 days ago

    It’s a little unclear to me how recent this was. If I changed my passwords like a few weeks ago am I fine? They mention the investigation has been since the start of the year so I assume the password leak was from before that?