• shortwavesurfer@monero.town
        link
        fedilink
        English
        arrow-up
        22
        arrow-down
        1
        ·
        7 months ago

        Yes, but a password is a shared secret. So both you and the person you are interacting with need the password and therefore it is more vulnerable. With a past key, only you have the private key and the company or service you are interacting with never has access to the secret. Basically, they encrypt a message to you using your public key and then your private key decrypts it and sends them a response back with the correct answer.

        • AtariDump@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          7 months ago

          With a past key, only you have the private key and the company or service you are interacting with never has access to the secret.

          But if you’re using it now, wouldn’t it be a present key?

      • Steve@communick.news
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        1
        ·
        edit-2
        7 months ago

        The difference is, you literally never give the private key to anyone. Nobody will ever ask for it.

        It works through public private key encryption. To login the site will send your computer a “challenge” (some kind of math problem) that’s first encrypted with your public key. That means only your private key will be able to decrypt the challenge. Then your machine will generate an answer, encrypt it with the private key and sent that back. If the public key decrypts the answer and it matches, they know you are you.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          4
          ·
          7 months ago

          “Websites ask me for it every time I visit them bro 🤪”

          • IHawkMike@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            arrow-down
            1
            ·
            7 months ago

            Except they don’t. They may request a passkey which is just an oversimplification about what is going on behind the scenes, with information being passed back and forth as Steve described.

            But the private key never leaves the device. This is such a huge distinction that is easy to overlook. But it is very, very important.

            • 4am@lemm.ee
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              7 months ago

              I guess my sarcasm needed the /s; was just mocking people who would try to retort with some half brained comment like that.

              Of course passkeys are better and more secure, I’m 100% on board with them.

              • IHawkMike@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                7 months ago

                Haha fair enough. I should have known from the quotes. It is something I hear a lot from people who don’t know the difference, and I’m sure you do too.

      • Vilian@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        7 months ago

        not exacly, if someone hack a site that has poor security they gonna have your password, it you put your passkey there, it’s useless, also people can’t see you writibg yoyr password if don’t write it