WillMartian.com

theMachinesWillNotUseSpaces

Will Martin — Tue, 17 Feb 2026 00:00:00 +0000

theMachinesWillNotUseSpaces
onlyAnEmDash—orTwo—
whenAMeteredRequest
meetsAStreamedResponse
betweenReaders
andWriters
unlike
you

Passwords & Password Managers & Passkeys, oh my!

Will Martin — Mon, 24 Mar 2025 00:00:00 +0000

Passwords are a flawed technology. There are just too many scenarios where user error can sneak in:

You forget the password (memory is fickle).
You use a password that is easily guessed or cracked (brute forcing).
You enter a password on a fake banking site and it stole your information (phishing).
You reuse the same password across many different accounts; one of those sites was not up-to-snuff in their security practices, was hacked, and now the hacker can log into all of your other accounts (credential stuffing).

Password managers are a type of software that solve many of these problems.

You create a single "master password" that unlocks a digital vault which holds all of your other passwords. You ever only have to remember that single password.
All passwords inside the vault can be long, unique, and randomly generated since you don't have to remember them, making them effectively uncrackable, e.g. #vPLx2$ymK@i3w (prevents brute forcing & credential stuffing).
You don't have to manually type passwords in when logging in. Most password managers can automatically fill passwords into login fields when visiting known sites (prevents phishing).

Password managers, however, are not a silver bullet. They are more of a band-aid solution that try and work around passwords. PMs still rely on motivated users to change their behavior. Nothing is stopping you from being lazy and storing weak or reused passwords within a password manager. It would be great if we could instead fix the underlying problem at the app level...

Passkeys are the new kid on the block. As their name implies, they work more like a physical key. Passkeys are just digital keys that are stored on a device.

You don't know a key, you have one. (I, for one, do not memorize the grooves to my house key.)
When you want to login, the app asks your device for a matching passkey. Fake websites can't ask for passkeys that don't belong to them, and you can't manually give a passkey to an arbitrary site (prevents phishing).
Each passkey is unique (prevents brute forcing & credential stuffing).

I guess we don't need password managers any more? Well, not so fast. Passkeys have one glaring issue: they are stored where they are created. Created a passkey on your desktop? Good luck logging in from your phone. Password managers that support passkeys alleviate this by creating and storing them in the cloud, so you can access them from anywhere.

Looking for a password manager that supports passkeys? Try Bitwarden. It is cool, open source, has a generous free tier, and I work there. :^)

Mastodon is like email

Will Martin — Fri, 04 Nov 2022 00:00:00 +0000

Imagine if Gmail were the only email provider anyone used, and that you could only email people with Gmail addresses. If Gmail were to one day drastically change, go out of business, or disappear… Well, you would be out of luck.

Thankfully, email doesn’t actually work like this. One can create an email account with Hotmail and send and receive mail to others on Gmail, Protonmail, etc. You can even set up your own email server and host it yourself, if you are into that.

Mastodon is social network software that works like email. Instead of everyone using one or two social network providers and being locked in (like they are with Twitter and Facebook), they can create a Mastodon account wherever they want to without losing the ability to connect with their friends on other sites.

You can browse some different Mastodon sites (also known as instances) here. There are general purpose sites (such as mastodon.social and mas.to) and sites that cater to specific topics or geographic areas. At the time of writing, I have an account on fosstodon.org, an instance focused on computers and software.