loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use

I use Bitwarden, yet not macOS/iOS. Whenever a passkey dialog from the wrong authenticator comes up, I choose option other to redirect to a device running Bitwarden: I see macOS & iOS offer similar controls. However, Bitwarden’s passkey dialog (section with links to configuring that) usually pops up, so that isn’t necessary.

But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere?

Save a recovery code in Bitwarden (add field type hidden named Recovery code to the login entry)? That’s standard practice for me, though I’ve never needed them.

I haven’t seen anyone get the concept of passwords wrong

I have control of the copy-paste function and can even type a password myself if needed

I’ve seen forms disable paste. Much can go wrong with passwords. Passwords require sharing & transmitting a secret (a symmetric key), which either party can fail to secure. Passkeys, however, never transmit secrets. Instead, they transmit challenges using asymmetric cryptography. The application can’t fail to secure a secret it never has. Far more secure, and less to go wrong.

The password field is a more manual, error prone user interface. With passkeys/WebAuthn, you instead supply a key that isn’t transmitted: easier than passwords when setup correctly, & nothing to do until it’s setup correctly.

Similar situation with ssh: though it can accept passwords, ssh key authentication is way nicer & more secure.

My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements.

Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:

The following requirements apply to passwords:

1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.

Passkey is multifactor: something the user has (key), something the user is (biometric) or knows (password) to unlock the key. Yes, dead simple.

For some people it is that easy.

When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don’t). If your preferred password manager isn’t the primary one on all your devices, then fix that or use the other option mentioned before.

How would a non-techie figure this shit out?

The same way they figure out passwords & multifactor. Their pain isn’t ours for those who’ve figured this out & have a smooth experience.

Bitches don’t know bout my awesome passkeys. It’s like ssh key authentication for web apps. Just save the passkeys to my password manager & presto: use same keys on all my devices.

It replaces opening a TOTP app to copy a token with a click to select the passkey in a prompt from my password manager.

What other wonders can we blame on shit-posting?

Definitely, especially when the “damage” is meaningless, imaginary, clearly not even directed at them, and well within someone’s capacity to disregard & not take personally.

They really need to bring back the “Sticks and Stones” nursery rhyme: cultivating all this fragility & learned helplessness ain’t serving humanity.

The Mesopotamians had some cool myths extolling humanity’s ability to endure the gods’ multiple attempts to exterminate them with disease, pestilence, drought, great floods. I think people have some capacity to get over themselves & endure some ridicule not directed at them. Imagine if the Mesopotamians instead wrote legends of the gods exterminating or curtailing humanity with the slightest hint of ridicule directed elsewhere.

Enki, however, as always never at a loss for creative ideas, devised a way that he hoped would finally solve the problem caused by the quarrelling gods themselves. He decreed that from now on the humans’ lifespans would be severely limited from the outset (in biblical terms to 120 years) by the indirect ridicule of their peers.

Beyond pathetic.

That’s…such a non-issue. If that totally devastates someone, maybe they should work on their resilience or fortitude? Do we really need to pull out the world’s tiniest violin for every contingency?

Glad you understand it, though.

Where’s the innocent person?

While I get what you’re saying

You do? I don’t, because why should anyone give a fuck?