this post was submitted on 22 Dec 2025
101 points (91.1% liked)
Technology
77899 readers
2569 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Doesn't a normal modern password, hashed, essentielly do the same thing?
No sane service has your actual password.
Granted this was 1999 but I wish I could unsee the shit I saw one day when I did a SELECT password FROM user
No. When you log into a website your password is sent to the server. A passkey is not.
That depends entirely on the service.
Nothing prevents the password from being hashed client-side, only ever sending the hash to the service.
Then that hash is effectively your password
True, but with passkeys they're never sent, by design.
There's a few differences. One is the length. Another is the randomness. The biggest, though, is that in a passkey, the server is verified as well. That means phishing is nearly impossible.
Yes, kind of. You’re still giving them your password every time you log in. And it’s on them whether they store it hashed or in plain text. With a passkey, you know that even if they’re hacked, they’ll never get your actual private key.
But, if they’re hacked, your key is probably the least of your concerns.