Portmint Lighthouse

Password Managers and Passkeys

In the last lesson we agreed that every account deserves its own long, unique password. That is wonderful advice and completely impossible to do in your head. Nobody remembers a hundred different passwords. So let's give that job to a tool built for it.

A password manager is a locked vault that holds all your passwords. You remember exactly one master password to open the vault, and it remembers the rest. When you visit a site, it fills in the right password for you.

Think of it like a key ring with a single master key. You don't carry a hundred loose keys and try to recall which goes where. You unlock the ring once, and the correct key is already waiting.

What a password manager actually does

When you sign up somewhere new, the manager offers to invent a long, random password and save it. You never have to read it, type it, or recall it. It just sits in the vault, ready.

It also fills passwords only on the real website. If a fake page is pretending to be your bank, the manager looks at the true web address, sees it doesn't match, and quietly declines to fill anything. That hesitation is a gift. It catches fakes that fool human eyes.

Most managers sync across your phone, tablet, and computer, so the same vault follows you everywhere. The vault itself is scrambled, so even the company storing it cannot read your passwords. Only your master password unlocks it, which is why that one password should be long and known to no one but you. 🔦
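For readers who like to see the logic, here is a small added example (not part of the original lesson, and not any real password manager's code) of the address check described in this section. The vault entry, the sample addresses, and the exact-match rule are assumptions made up for illustration; real managers use their own matching rules.

```javascript
// Added illustration: every name and address below is constructed.
// Assumption: the vault remembers the exact origin (scheme + host + port)
// where each login was saved, and fills only on an exact match.
const vault = [
  { origin: "https://bank.example", username: "sam", password: "(long random password)" },
];

// Reduce a page address to its origin. Anything that is not a
// well-formed https address yields null, so nothing is filled there.
function originOf(address) {
  let url;
  try {
    url = new URL(address);
  } catch {
    return null;
  }
  return url.protocol === "https:" ? url.origin : null;
}

// Return the saved entry for this page, or null to decline.
function entryToFill(pageAddress, entries = vault) {
  const origin = originOf(pageAddress);
  if (origin === null) return null;
  return entries.find((entry) => entry.origin === origin) ?? null;
}

// Constructed addresses: the real site, then pages that only look like it.
const samples = [
  "https://bank.example/login",                    // the real site
  "https://bank.example.account-check.test/login", // real name used as a prefix
  "https://b\u0430nk.example/login",               // Cyrillic letter in place of "a"
  "https://bank.example@account-check.test/",      // real name before an "@"
  "http://bank.example/login",                     // no encryption
  "not a web address",
];

for (const address of samples) {
  const entry = entryToFill(address);
  console.log(entry ? "fill   " : "decline", address);
}
```

Only the first address gets a fill. The others look close to a person reading quickly, but the computed origin is different, so the manager declines.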

Passkeys: signing in with no password at all

A passkey goes one step further. Instead of a password you type, your device holds a secret key, and you prove it's really you with your face, your fingerprint, or your screen lock. Nothing gets typed.

Picture a hotel key card. You don't shout a room number across the lobby for anyone to overhear. You tap the card, the door checks it, and you're in. A passkey is that tap. The secret never leaves your device, so there's nothing for a thief to copy, guess, or steal in a leak.

Because the secret is never typed or sent, passkeys can't be phished. Even a convincing fake page has nothing to capture. More and more sites now offer them, often labeled "set up a passkey" in your account settings.

Your turn

Pick one important account today. Open a free, well-reviewed password manager (your phone or browser likely has one built in), set a strong master password you'll remember, and save that account's login into it. Then check that account's security settings for the words "passkey" or "sign in with your device." If it's offered, turn it on.

Next we'll add a second lock on top, in "Two-Factor: The Second Lock." 🐙
