Why you should care about the difference between a password and a passkey
Oct 26, 2024, 6:00 AM

The difference between passwords and passkeys is important to understand. (Getty Images)
The best passwords, even “long and strong” ones, can’t always keep out international criminal gangs. So as the bad guys get smarter, you have to stay one step ahead.
Passwords are easily stolen from users in phishing attacks or data breaches and then sold on the dark web.
Checkbook.org spoke with Chester Wisniewski, director and global field chief technology officer at Sophos, a British cybersecurity company.
“A password is just a secret between me and my computer that I have to share to prove my identity,” Wisniewski said. “And we know humans are pretty terrible at keeping secrets. We’re also terrible at keeping passwords.”
Microsoft, which believes “no password is a good password,” currently detects more than 4,000 password attacks every second.
Herb Weisbaum, contributing editor for Checkbook.org, told KIRO Newsradio’s “Seattle’s Morning News” on Thursday it’s time to upgrade to passkeys.
“You can think of it as a password, except for you don’t have to remember a password,” Weisbaum said. “You don’t have to generate one. You don’t have to store it. You don’t have to worry about somebody stealing it. Nobody can trick you into giving it away.”
According to Search Labs, a password is a user-created string of characters that you type to log into an account. A passkey, by contrast, is a cryptographic key pair generated by your device: the private half stays on the device and is used to sign a login challenge, while the public half is registered with the website, so you sign in without needing to remember or type a password, which makes it significantly more secure. A cryptographic key is defined by Hashedout as a string of characters (often random or mathematically generated) that is paired with an algorithm to secure data.
Whew! That is a lot to take in. Think of it as using your thumbprint to unlock a door: the thumbprint is unique to you, and the door authenticates you. Passkeys go one step further, because the device also runs a cryptographic algorithm to prove to the website that it holds the key.
“The biometric data stays in your device. It doesn’t go anywhere, the same as when you unlock it with a fingerprint or a thumbprint,” Weisbaum explained. “The only thing that would go up in the cloud is if you use a password manager, which everybody’s suggesting, to save these things so you can use it between devices that the key goes up on the cloud encrypted, just like when you use a password manager today, that stuff goes up on the cloud encrypted, but your biometric data never leaves your device.”
When you sign up to log in with a passkey, your device generates a pair of keys: a private key that never leaves the device (and is typically protected by your fingerprint, face or PIN) and a matching public key that is sent to the app or website and stored with your account.
The passkey on your device is bound to that site's domain, meaning it can't log into a fake Chase Bank or T-Mobile website or app: the browser or operating system will not offer it for a look-alike address. The company's servers only ever receive the public key, so there is no private key for a criminal to intercept in transit or steal in a breach. At each login the site sends a fresh, one-time challenge, the device signs it, and the server checks the signature against the stored public key.
Weisbaum said that moving to passkeys will be a little difficult to begin with. Different platforms may not even call them passkeys. He explained that the second best way to secure your data is through adding multi-factor authentication to your password.
Weisbaum added that nothing is foolproof when it comes to cybersecurity, but this is progress.
You can test drive the technology by creating a demo account at passkeys.io.
Bill Kaczaraba is a content editor at MyNorthwest.