This is a good overview of passkeys, but the biggest weakness is the TPM chips which end up exploitable, which I tend to think are purposeful as governments aligned with the tech megacorps have to have a way in for espionage, though I think it’s mainly for whistleblowers. Consequently, I use Bitwarden for unique and difficult passwords, and my most important accounts are secured with two-factor authentication, Yubikeys if supported, and/or Proton Authenticator… There is a better option with the Nitrokey, but pricier and I had problems completing my order with crypto, but perhaps they’ve addressed that deficiency (and beware additional tariff). And the next obvious thing is don’t get phished, or allow malware on your devices. Run your own DNS with malware blocklists or enable the DNS blocklists on your VPN service which will solve most issues for you and even your whole network. And make sure the software you install isn’t compromised, as some devs have had their credentials stolen and their repositories loaded with malware, so you have to follow exploit news for your OS or delay updates a bit so these can be caught and cleaned up. Given all this, I’m not adopting passkeys quite yet, as my passwords are working fine. And if you see a service compromised, change that password.
https://reclaimthenet.org/the-end-of-the-password-and-the-traps-on-the-way-out
Big Tech would love to hold your keys. Here is how to take the security without accepting the leash.

By Rick Findlay
Twenty-four billion login records sat on an open server this June, readable by anyone who found the address.
Security researchers at Cybernews spotted the trove on June 12, a publicly accessible Elasticsearch cluster, which is a group of connected search servers, holding more than 8.3 terabytes of stolen credentials pulled from 36 sources.
Whoever assembled it pulled the plug by June 15. The passwords did not go anywhere. They keep circulating in the same Telegram channels that fed the database in the first place and anyone watching that server before it went dark almost certainly copied everything.
Take a plain look at what that number means for you. With roughly 5.5 billion people online, a database of 24 billion records almost guarantees that anyone who has used the internet for more than a few years has at least one username and password sitting in a collection like this one.
The same week the server went offline, the breach-checking service Have I Been Pwned loaded 56.3 million email addresses and 124 million unique passwords harvested from malware logs into its searchable index. Your credentials are probably in there.
For two decades the advice never changed. Pick a longer password. Add a symbol. Rotate it every 90 days. Use a manager. None of that fixes the underlying problem, because the problem is the password itself, a shared secret that can be stolen, guessed, reused, phished, or simply read off a screen.
Passkeys replace that secret with something an attacker on the far side of the world cannot copy. Moving your important accounts over is one of the few security steps that actually removes a category of risk rather than shrinking it.
The migration is fiddly, the recovery traps can be an issue, and the companies offering to hold your keys have their own interests you need to be aware of. This is a walkthrough of how to approach passkeys, what to watch out for and how to do it and keep control of your own front door.
What actually leaked, and why passwords keep failing
The June database was not the usual pile of recycled breach dumps. Most of the 24 billion records were infostealer logs, the output files that a specific kind of malware generates automatically.
Infostealers run as a subscription business in the criminal economy, malware-as-a-service, where the developer rents the tooling to customers for somewhere between $130 and $750 a month.
The customer does not need much skill. They point the malware at victims through phishing emails, fake browser-update prompts, poisoned search ads, and cracked software, and it does the rest. Families like RedLine, Vidar, LummaC2, and StealC dominate this trade.
Once one of these programs lands on a machine, it works in seconds. It reads every password saved in the browser, grabs active session cookies and login tokens, records the device fingerprint, sometimes lifts cryptocurrency wallet files, ships the bundle to a server, and often deletes itself. The victim sees nothing.
Session cookies deserve a hard look, because they explain why the usual defenses buckle. A session cookie is the token your browser holds that keeps you logged in after you authenticate.
An attacker who steals a live cookie does not need your password or your second factor, because they are riding an already-open session. Malwarebytes researcher Pieter Arntz said this discovery “appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data,” and fresh logs are the dangerous ones, because their session tokens may still work.
Then came the detail that separated this cluster from every mega-dump before it. Buried inside were roughly 9,500 documents holding CVE records, the standardized identifiers for known software vulnerabilities, each linked to live code repositories.
The operator was cross-referencing two things at once: which stolen credentials it held and which services those credentials unlocked were currently exploitable. That is a targeting pipeline, not an archive. Changing a reused password after the fact stops the attacker who is testing credentials at random. It does nothing against one who already knows your bank uses an unpatched system and already holds a login that works there.
The downstream damage runs through credential stuffing, the automated firing of stolen username-and-password pairs at login forms across hundreds of sites at once. Attackers crack nothing. They already have valid credentials, and they let software find the doors those credentials open.
Password reuse is the fuel. Survey work cited in the research puts reuse at 81 percent of users across at least two sites, and Verizon’s 2025 Data Breach Investigations Report found stolen credentials drove 22 percent of confirmed breaches that year. The human cost is concrete.
In March 2025, attackers hit five large Australian retirement funds in a single coordinated run using credential lists from earlier breaches, and four AustralianSuper members lost a combined 500,000 Australian dollars. The funds offered multi-factor authentication. They had not forced it on at login.
How a passkey removes the secret
A passkey throws out the shared secret and swaps in public-key cryptography, the same math that secures web traffic. When you create a passkey for a site, your device generates two mathematically linked keys.
The private key stays locked inside secure hardware on your device, a Secure Enclave on an iPhone or a TPM chip on a laptop, and it never leaves.
The site keeps only the public key, which is useless to a thief on its own.
There is no secret stored on the server for anyone to steal, and no secret for you to type into the wrong box.
Signing in works as a challenge and response. The site sends your device a random puzzle. Your device solves it with the private key and sends back a signature. The site checks that signature against the public key it already holds, and if the math lines up, you are in.
You approve the whole exchange with a fingerprint, a face scan, or a device PIN, which unlocks the local key without ever transmitting your biometric anywhere.
This is what makes passkeys phishing-resistant, and the word is precise. The signature your device produces is bound to the exact web address of the real site, the origin.
Land on a lookalike page and your device will not produce a valid signature, because the domain does not match the one the passkey was built for. The standards behind this, WebAuthn and FIDO2 from the FIDO Alliance (Fast Identity Online), turn the con at the heart of phishing into a dead end. There is no password to hand over, and a stolen public key opens nothing.
Do this across your accounts and the 24 billion records lose their power over you, because the thing they contain no longer exists on the services you have moved.
The migration, in the order that protects you
Start with email, because email is the master key to everything else. Whoever controls your inbox can reset the password on almost every other account you own, which is exactly why attackers prize it and why you should harden it first.
Many of the major platforms all support passkeys today. Add a passkey, confirm it works by signing out and back in, and only then consider turning off weaker sign-in methods.
Move to money next. Banking, brokerage, and payment apps are catching up unevenly, and many now offer passkeys in their security settings even when they bury the option. Then cloud storage and the accounts that hold your documents, photos, and backups. Work through them in order of blast radius, the accounts that would hurt most if seized, and add a passkey to each before you touch anything else.
Here you hit the first real fork, and it decides everything about recovery. There are two kinds of passkeys. A synced passkey is created on your device and then encrypted and copied to your provider’s cloud, so it rides along to your other devices signed in to the same account.
Apple’s iCloud Keychain, Google Password Manager, Microsoft, and independent managers like 1Password and Bitwarden all sync passkeys this way.
Lose your phone and the passkey survives on your other devices. A device-bound passkey never leaves the single piece of hardware that made it, most often a physical security key like a YubiKey. It is the stronger of the two against a sophisticated attacker, because there is no cloud copy to compromise, and the less forgiving of the two if you lose the hardware.
Nearly half of enterprise deployments now mix both, and that instinct is the right one for individuals as well.
The recovery trap, and how not to lock yourself out
The question most guides skip is the one that will actually hurt you. What happens when the device holding your passkeys is lost, stolen, wiped, or drowned. In a passkey-first account with no backup, the answer can be a permanent lockout, because the cryptographic link between you and the account is severed and there is no password to fall back on.
Avoid the island. Never let a single device be the only thing standing between you and an account. Register at least two passkeys on any account you care about, one on your everyday phone and one on a separate anchor, ideally a physical security key you store somewhere safe.
If you rely on a synced provider, that sync is your backup, so protect the account behind it with its own strong authentication, because it is now the master lock on your entire set of keys.
Two mistakes cause most lockouts. The first is trusting one device for everything. The second is storing your recovery codes inside the very password manager account those codes are supposed to rescue, which is a circle that closes on you at the worst possible moment. Write recovery codes down and keep them offline.
Some services, including Apple and Facebook, let you name a recovery contact, a trusted person who can help you back in, and you should set one up before you need it.
One more piece of discipline. Do not delete your old sign-in methods the moment a passkey works. During the transition, a password is a useful fallback, and you should only remove it after you have tested at least two independent ways back into the account. Migrating too aggressively is how careful people lock themselves out.
The law has not caught up
Passkeys change the legal picture around your accounts in ways the courts are still fighting over. A password lives in your head, and forcing you to reveal what is in your head runs into the Fifth Amendment protection against self-incrimination. A fingerprint or a face lives on your body, and law enforcement has long argued that compelling you to press a finger or look at a camera is no different from taking your photograph, a physical act with no constitutional protection.
The courts are split, and the split is widening.
A federal appeals court for the D.C. Circuit ruled in early 2025, in United States v. Brown, that compelling a suspect to unlock a phone was testimonial and protected, because the act revealed the contents of the person’s mind.
The Ninth Circuit has gone the other way on biometric unlocks, treating a compelled fingerprint as a physical act outside Fifth Amendment protection. These specific holdings should be confirmed against primary sources before anyone relies on them, and the practical takeaway is unsettled law.
Securing an account with your face may leave you more exposed to a compelled unlock than a passphrase would, depending entirely on which courtroom you end up in. Anyone whose threat model includes border stops, protest arrests, or seizure of devices should weigh a PIN alongside biometrics, since a number you know keeps more of its constitutional shelter than a face you cannot change.
There is a data-protection angle too, and it cuts in favor of passkeys. Under laws like the GDPR, the safest data is the data you never collected. A service that stores only your public key holds nothing an attacker can turn into a login, which shrinks the target on every server and narrows what a future breach can spill. The 24 billion records leaked because they existed in a stealable form. Public keys do not.
Who holds your keys
Here is the tension at the center of the passkey pitch, and it is where a healthy suspicion earns its keep.
The three companies pushing passkeys hardest, Apple, Google, and Microsoft, are the same three that would like to be the place your keys live. Sync is convenient because it hands your entire set of credentials to one provider’s cloud, and convenience is how lock-in gets built. An account holds your ability to log in, to be reached, to speak, and to prove you are you. Concentrate the keys to all of it inside a single company and you have handed that company a chokepoint over your digital life, one it can suspend, close, or lose without owing you a hearing.
The escape route exists, though it is young. The FIDO Alliance has a draft Credential Exchange Protocol, built by Apple, Google, Microsoft, 1Password, Bitwarden, and Dashlane, meant to let you move passkeys between providers through an encrypted transfer rather than being stranded inside whichever provider you started with.
A public review draft is expected during 2026. Until it ships and providers actually turn it on, portability remains a promise you cannot yet use, and the safest hedge is to keep at least one device-bound key that no cloud controls. Owning a physical security key means no single company can lock you out of your own front door, whatever happens to your relationship with them.
Open source password managers provide an added layer of trust because their code is publicly available for independent review, allowing security researchers to verify how passkeys and encryption are implemented. This transparency helps ensure there are no hidden vulnerabilities or proprietary black boxes protecting your most valuable credentials.
Several open source password managers now offer robust passkey support, making it easy to create, store, sync, and autofill passkeys across your devices. Bitwarden is one of the most popular choices, combining full passkey support with cross-platform compatibility and the option to self-host your vault. KeePassXC is an excellent option for users who prefer to keep their credentials stored locally while still benefiting from passkey support on desktop systems.
Proton Pass also supports passkeys with end-to-end encrypted synchronization, while maintaining open source clients and a strong privacy-first approach. By choosing one of these open source solutions, you can embrace the passwordless future while retaining transparency, security, and control over your digital identity.
See our recommended password managers for more information about that here.
Passkeys are not finished, and pretending otherwise sells people short. Coverage is patchy, so you will run a hybrid setup for years, passkeys where you can and passwords where you must.
Recovery on many services still collapses back to a help-desk call and a few guessable security questions, which is the weakest point in the whole design. Sharing a passkey with a partner or family member remains clumsy.
None of this is a reason to stay on passwords. It is a reason to migrate with your eyes open, to keep a fallback, and to refuse the version of this future where three companies hold every key and you hold none.
Move your email first. Add a second passkey before you trust the first. Keep one key on hardware you can hold in your hand, and keep your recovery codes on paper in a drawer. Do that, and the next time 24 billion records spill onto an open server, your accounts will not be in the part that still works.