
Passwords are the key to our digital lives. Think about how many times you log into websites and other systems. However, like any physical key, a password can be lost, duplicated, or stolen.
Many alternatives have been proposed in recent years, including passkeys. These offer significant improvements in ease of use and the potential for widespread use.
But what exactly are they and how are they different from passwords?
Passwords are weak
Simply put, a password is a secret word or phrase you use to prove who you are to a computer system or an online service. If you have an account with a website or a service provider, you may have many accounts.
There is no problem with passwords themselves. What makes them vulnerable is how they are implemented and used. For example, weak password habits are ubiquitous. A CyberNews report from earlier this year found that 94% of the 19 billion leaked passwords were reused. It also identified several similarities between the passwords, including strings of numbers such as “123456,” people’s names, cities, popular brands, and foul language.
Additionally, if a breach occurs, stolen passwords can spread rapidly. This results in account takeover, identity theft, and phishing attacks. In one experiment, hackers attempted to use the leaked credentials within an hour.
Passwords are also vulnerable to phishing. Phishing is when a scammer tricks you into entering your password (or other information) into a fake account login page. The number and impact of phishing emails continue to grow, with one report suggesting that over 3 billion phishing emails are sent every day worldwide.
A good password is unique (meaning it’s not reused) and complex (think a series of letters, numbers, and symbols, such as “e8bh!kXVhccACAP$48yb”). You can also combine words in unique ways to create memorable phrases and sequences.
This may be difficult to remember, but it can help to build a story from the contents of your password. For example, let’s say your password was “CrocApplePurseBike”. You might remember it by picturing a crocodile stuffing an apple into its purse before riding a bike.
What is a passkey and how does it work?
Passkeys first started appearing about four years ago. They use a mathematical process called public key cryptography to create a unique set of information that is split into two parts, or keys.
One key is public and can be shared with websites. The other is a private key that is stored securely on your device. To sign in to your account, the website sends a random challenge (such as a number), and your device uses the private key to “approve” the login request. This approval is typically referred to as “signing” the request: the device applies a mathematical process to the challenge.
The device doesn’t just do this automatically. Typically, you will need to approve the request. Many mobile devices require you to use your face or fingerprint to authorize sending a response.
Finally, the website checks the signature using the public key it already has. If the signature is confirmed, your login is complete.
Stronger by design
By design, passkeys are stronger than passwords. A public key cannot be used on its own, so it does no harm even if it is stolen. The private key is kept safe by the device’s security, and most devices use face- or finger-based biometrics to unlock it (it’s best not to rely on a PIN).
Each passkey is unique to each service you use. Even if the key for one site is stolen, it cannot be used anywhere else.
Another advantage is that passkeys are phishing-resistant. From a user’s perspective, there is no password to send in response to a phishing email. Requests to log in to the site must come from a registered device in conjunction with user approval.
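The sign-in exchange described above (random challenge, approval on the device, signature checked against the stored public key) and the per-site, phishing-resistant properties, as an added Node.js example that is not part of the original article. It is a simplified model, not the WebAuthn wire format: the `Device` and `Site` classes, the user name and the origins are hypothetical, and binding the site's origin into the signed data goes slightly beyond the text to mirror how a passkey signature is tied to one site.

```javascript
const crypto = require("node:crypto");
// Bytes that get signed: the challenge bound to the site's origin (simplified model).
const payload = (origin, challenge) =>
  Buffer.from(JSON.stringify({ origin, challenge: challenge.toString("hex") }));

// Device side: one key pair per site; private keys never leave this object.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half goes to the website
  }
  sign(origin, challenge, userApproved) {
    const key = this.keys.get(origin);
    if (!key || !userApproved) return null; // unknown site, or user declined
    return crypto.sign(null, payload(origin, challenge), key);
  }
}

// Website side: stores public keys and issues single-use random challenges.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user), pub = this.users.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!c || !pub || !signature) return false;
    return crypto.verify(null, payload(this.origin, c), pub, signature);
  }
}

// Constructed scenario: the user name and origins are made up for the example.
function demo() {
  const device = new Device(), site = new Site("https://shop.example");
  site.enroll("alice", device.register(site.origin));
  const sig = device.sign(site.origin, site.challenge("alice"), true);
  const login = site.verify("alice", sig);
  site.challenge("alice"); // fresh challenge; the old signature no longer matches
  const replay = site.verify("alice", sig);
  const lookalike = device.sign("https://shop-example.test", site.challenge("alice"), true);
  const declined = device.sign(site.origin, site.challenge("alice"), false);
  return { login, replay, lookalike: site.verify("alice", lookalike), declined };
}
```

Calling `demo()` shows the genuine login succeeding, while a replayed signature, a request from a look-alike origin the device holds no key for, and a request the user declined all produce nothing the site will accept.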
Passkeys are more convenient than passwords. There’s no need to look for the password you used when registering. The passkey is already linked to your device and all you need is your finger or face to authenticate.
However, passkeys have some problems. First, while many browsers, operating systems, and websites support passkeys, this is not universal. Also, some early implementations had issues with cross-device compatibility (for example, between Microsoft and Apple devices).
These issues should go away as users move to new devices and manufacturers improve integration.
A clear winner
From a security perspective, passkeys are clearly better. They offer stronger protection, can withstand phishing, and are easier to use. But until passkeys become ubiquitous, passwords will still play a supporting role.
Implementing passkeys on websites requires effort from the companies involved. With so many sites requiring users to create accounts, the process of moving them all to passkeys will take decades. Many people will never adopt the habit unless forced by other factors.
At this time, it’s important to continue to focus on password hygiene by using strong, unique passwords and enabling multi-factor authentication whenever possible. If you do nothing after reading this article, at least change any passwords that are being reused.
Read more: Paul Haskell-Dowland et al., What’s the difference between a password and a passkey? It’s not just the protection they offer (2025). DOI: 10.64628/aa.7mjgtmnk5
Provided by The Conversation
This article is republished from The Conversation under a Creative Commons license.
Citation: What is the difference between a password and a passkey? It’s not just the protection they provide (October 26, 2025) Retrieved October 26, 2025 from https://techxplore.com/news/2025-10-difference-passwords-passkeys.html
