
Going Passwordless Without Going Passwordless

Get used to the future before it arrives.

Passwords are dying. On some services, you can start playing with the process by creating a secure password... and then forgetting it.
No passwords!
(Image: canva.com)

There’s a lot of kerfuffle about passkeys and other authentication methods.

Right now, at most services, you still have a password. Technically, that leaves you vulnerable whenever the password is captured, guessed, or otherwise compromised. Eventually, as passkey adoption becomes more widespread, we’ll get rid of passwords altogether, but for now, passwords remain in play.

On some services, you can experience passwordlessness already. Doing so increases your existing security.


TL;DR:

Go passwordless

Passwords are slowly being phased out, but most services still require them. You can simulate passwordless sign-in by creating a long, secure password and never using it, relying instead on other methods (like passkeys, email, or SMS codes) that don’t require a password. This dramatically reduces vulnerability to phishing, keyloggers, and database breaches.

Alternate sign-in methods required

The technique I’m suggesting requires that the account(s) you do this with have ways to sign in that don’t involve a password[1]. They might offer sign-in methods like:

  • Passkeys
  • An email to an associated account with a link to click or a number to enter
  • A text message to an associated mobile number with a number to enter (or, occasionally, a link to click)
  • The ability to confirm sign-in on a different, already signed-in device.

There may be other techniques. The key is that none of them require you to enter a password.
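To show what the emailed or texted one-time code method looks like from the service’s side, here is an added example (not code from the article or from any particular service). It assumes constructed parameters: a 6-digit code, a 10-minute lifetime, a 5-attempt limit, and a server-side HMAC key held outside the database, so a copied table of pending codes is useless on its own. The code itself is sent to the registered address or number, never back to the browser; what protects it is expiry, single use and the attempt limit, not the digit count.

```python
import hmac
import secrets
import time

# Constructed parameters for this example; real services pick their own values.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600          # a code stays valid for ten minutes
MAX_ATTEMPTS = 5                # after five wrong guesses the code is voided
SERVER_KEY = secrets.token_bytes(32)   # assumed: kept in a secret store, not the DB


class OneTimeCodeStore:
    """Server-side record of pending email/SMS sign-in codes, keyed by account.

    Only an HMAC of each code is stored. Every code is single-use, expires,
    and is voided after too many wrong guesses.
    """

    def __init__(self, now=time.time):
        self._now = now             # injectable clock, so expiry can be tested
        self._pending = {}

    @staticmethod
    def _tag(code):
        return hmac.new(SERVER_KEY, code.encode(), "sha256").digest()

    def issue(self, account_id):
        """Create a fresh code for the account and return it for delivery
        to the user's registered email address or phone number."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[account_id] = {
            "tag": self._tag(code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account_id, submitted):
        """Return True exactly once for the correct, unexpired code."""
        rec = self._pending.get(account_id)
        if rec is None:
            return False
        if self._now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]      # expired or locked: start over
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(self._tag(submitted), rec["tag"])   # constant time
        if ok:
            del self._pending[account_id]      # single use
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")            # in practice: email/text this to Alice
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

Note that a password never appears anywhere in this exchange; the only secret is a short-lived code delivered out of band to something the user already controls.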

Make and forget your password

If the account still uses a password or requires you to set one up, here’s the process:

  • Make an excruciatingly long and secure password (or as long as the service allows). I’d use 40 characters. (e.g. w3WVUXncc?t7QbTkuojVor8wfm!PHK9PqUd2#FEB)

That’s it.

You don’t have to remember this password because you’ll never use it. If you’re paranoid, of course, you can save it in a password manager, but doing so defeats the purpose since, should your password manager ever be compromised, the password would be there.

You can get away with this because you’ll never use your password to sign in. Ever. You’ll always use one of the alternate methods described above.

In fact, you’ll never use a password for anything on this account again.[2] If worst comes to worst and the passkey doesn’t work, you’ll treat it exactly as you did when setting up the passkey the first time on your account. You’ll sign in one of the alternate ways I listed above. And you can always use “Forgot my password”, which will likely have different wording, to reestablish access to your account.

How this is more secure

Are these passwordless techniques really more secure? Yes, because with one exception, there’s no password to steal.

That’s huge.

There’s no way for a hacker to gather your password from your activities because your activities will never involve typing or otherwise using a password. You won’t even have it in your password vault.

Phishing attempts to compromise this account will fail because they’ll ask for a password you never use, at which point you’ll know something’s amiss. Keyloggers will have nothing to log. Shoulder surfers will have nothing to see.

The exception? The service itself. Since it still requires a password, it will have stored something. If they’re doing security correctly, that something will not be the password itself but a hash of the password. Even if the service’s database is compromised, your password is not present, and it cannot practically be recovered from the hash: the guessing attacks that turn leaked hashes of short, common passwords back into passwords have no hope against a random 40-character one.

The remaining risk, then, applies only to those services that handle security poorly, either by using a weak hash or by storing your literal password.

Everywhere else, you are significantly more secure because there’s no password to be stolen anywhere.
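As an added example (not code from the article), the following Python ties together the two technical points above: generating the throwaway 40-character password from the operating system’s random source, and what the service stores. The alphabet, the assumed attacker guess rate, the small list of common passwords and the PBKDF2 iteration count are all constructed for the example. It contrasts the weak case the article warns about (an unsalted fast hash, where a leaked record can be matched against a list of common passwords) with salted, slow hashing, and shows why length alone puts the random password beyond guessing.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed alphabet: 70 symbols (letters, digits, a few punctuation marks).
ALPHABET = string.ascii_letters + string.digits + "!?#@$%&*"


def make_password(length=40, alphabet=ALPHABET):
    """Random password from the OS CSPRNG ('secrets', never 'random')."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try every value at an assumed rate of 10^12 guesses/s
    (a generous figure for a leaked, unsalted fast hash)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# --- weak storage: unsalted fast hash, what a poorly run service might do ---
def weak_store(password):
    return hashlib.md5(password.encode()).hexdigest()


# Constructed list standing in for the common-password lists used against leaks.
COMMON = ["123456", "password", "password123", "qwerty", "letmein"]


def exposed_by_leak(leaked_hex, common=COMMON):
    """What an unsalted leaked record gives away: a precomputed match, if any."""
    table = {weak_store(p): p for p in common}
    return table.get(leaked_hex)


# --- proper storage: per-user salt plus a slow KDF from the standard library ---
PBKDF2_ITERATIONS = 600_000


def store_password(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time compare


if __name__ == "__main__":
    pw = make_password()
    bits = entropy_bits(len(pw))
    print(f"{pw}  ({bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years to exhaust)")
    print("common password recovered from weak hash:",
          exposed_by_leak(weak_store("password123")))
    print("random password recovered from weak hash:",
          exposed_by_leak(weak_store(pw)))
    rec = store_password(pw)
    print("proper store verifies:", verify_password(rec, pw))
```

The salted, slow scheme is what “doing security correctly” means for the service; the random 40-character password is what makes the article’s advice safe even if the service falls short of that.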

Do this

I recommend trying out passwordless options if they’re available to you. I’ve done so on my Microsoft account. Given how important that account has become, the fact that it’s working well is reassuring. I went passwordless even before passkeys entered the mix.

You can try out passwordlessness using the technique above. I think you’ll eventually find it just as convenient (or inconvenient) as traditional password-based sign-in. Even if it’s slightly less convenient, consider the security you’ve added to the account. Give it a try. If your service offers it to you, say yes. Otherwise, check the security section of that service’s settings to see if it’s an option.



Footnotes & References

1: To be clear, all accounts have some additional way to identify you that doesn’t require a password. It’s required for “forgot my password” to work. The difference is in how convenient (or not) these passwordless alternatives are.

2: If, for some unforeseen reason, the service absolutely requires a password for something, you can use “forgot my password” to set a new one that you would then save.

14 comments on “Going Passwordless Without Going Passwordless”

  1. “If you’re paranoid, of course, you can save it in a password manager, but doing so defeats the purpose since, should your password manager ever be compromised, the password would be there.” Or you can use a password manager like KeePass or an encrypted .zip file, which don’t store your password online, although if you do forget your password and you need it, there’s always the reset password option.

    Reply
  2. I’ve noticed for the past couple of weeks when I go to sign in to Twitter, or X if you prefer, a window opens in the top right that says sign in with Google. I click allow and I’m signed in without doing anything else. They didn’t ask me if I wanted it, they just did it. Is this safe?

    Reply
  3. Article is very unsatisfactory. Blah, blah, blah about passwords and not using them but no clearly defined explanation as to how to set something up that is passwordless. A link would be nice.

    Reply
    • That’s because THERE IS NO PASSWORDLESS YET with a couple of exceptions (Microsoft being one of them).
      The article lays out how to simulate passwordless: set a long complex password and forget it. That’s the whole point — simulating the passwordless experience with services that don’t yet support it.

      Reply
  4. Sorry, but this non-trusting octogenarian will stick with methods that don’t require me to sell my soul to a Google or Microsoft account. I avoid them like the plague … as well as putting my stuff somewhere into someone’s “cloud.”

    Reply
  5. “The remaining risk, then, applies only to those services that handle security poorly, either by using a weak hash or by storing your literal password.”
    And therein lies the rub. Far too many data breaches occurring. Authorities need to make sure that companies maintaining consumer databases do so in a secure manner, via legislative enforcement with severe punitive measures. It’s scary how many third-party organizations maintain user databases even when not directly interacting with the users.

    I’m a huge 2FA fan, especially via verification code sent to the smartphone. Even if a password is compromised, the criminals will never have physical access to my smartphone.

    I use Bitwarden password manager with a very strong master password protecting the vault, and 2FA wherever possible. I have to admit, somewhat embarrassingly, that I struggle with the passkey concept.

    Reply
  6. The talk about getting rid of passwords has been around for at least 20 years. The whole concept is dependent on using biometrics and/or a specific device; otherwise it boils down to the “simulation” that Leo is talking about. Without biometrics, you need to key in an entry to access your device or service (because right now that’s the only practical method). They call this entry a “pin” (some incorrectly call it a passkey) to distinguish it from “password”. This pin has evolved from a 4-digit number to a long character string, which is effectively a password with a different name. If you don’t use a keyed-in entry or biometrics, then you’re using some kludge method that’s different for every service or device.

    There are practical problems with passwordless. First, there are a multitude of technical approaches (i.e. no hard standard that everyone accepts). Microsoft and Google use different approaches. Second, getting people to give up their biometrics will be a hard sell (no, nobody can guarantee your biometrics won’t be stolen). Third, if your authentication is based on a specific device, good luck if that device is lost or stolen. Conclusion: Based on progress, adoption and problems with “passwordless”, I would not hold my breath. As for the claim that “it is more secure” … Says who? Based on what long term real-world data? Based on which approach? And remember that we used to swear that passwords were secure as long as you, the average user, and big huge companies did everything perfectly.

    Reply
    • While I don’t completely understand passkeys, a pin is more secure than a password because it’s stored on your computer, and is used to log into your local device. It works much like having a local-only account, without a Microsoft account on Windows.

      As I understand the basics of passkeys, your passkey for an account resides, encrypted, on your local computer. When I go to my Microsoft account online and attempt to sign in, I enter my Microsoft email account, then I see a code in my web browser to enter on my phone when I receive the verification notification from Microsoft. I enter the code, and I’m logged in. I may be experiencing this scenario because I also have 2FA enabled on my Microsoft account, but the point is that there is no password associated with my Microsoft account for anyone to ever steal from anywhere. When we get to true passwordless authentication, it’s my hope that all I’ll have to do is go to the website and be immediately logged in with no other action required on my part.

      Ernie

      Reply
  7. I use KeePass offline. I manage it myself. To unlock the database, it requires the master passphrase AS WELL AS a locally generated key file. I keep the database and the key file ALWAYS separate from each other, i.e. on different physical devices. I would never keep my passwords on any cloud no matter how convenient it might be. I find my method quite convenient and secure.

    Reply
  8. Many 2 factor security systems (on websites I subscribe to) ask me for a password and THEN send a “code” to my phone which I have to key in to gain access.
    So, double the work… No better security that I’m aware of!

    Reply
    • The added security is derived from the fact that you must also have your phone to authenticate. There may be a bit more effort, but the fact that your password is useless without your second factor (your phone) makes things an order of magnitude more secure for you on the accounts where you have 2FA enabled.

      Ernie

      Reply
  9. I found the article confusing and somewhat nebulous; it never shows how it works with an example, which is how I learn most of the time.
    I do use 2FA on all accounts that allow it, and I also use 1Password, but the example of setting a long password and forgetting it makes no sense to me. However, I have used the “forgot password” option on occasion.

    Reply
