• 0 Posts
  • 11 Comments
Joined 3 months ago
Cake day: December 13th, 2024

  • loaded an HTML login page that had no discernible controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use

    I use Bitwarden, yet not macOS/iOS. Whenever a passkey dialog from the wrong authenticator comes up, I choose option other to redirect to a device running Bitwarden: I see macOS & iOS offer similar controls. However, Bitwarden’s passkey dialog (section with links to configuring that) usually pops up, so that isn’t necessary.

    But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere?

    Save a recovery code in Bitwarden (add field type hidden named Recovery code to the login entry)? That’s standard practice for me, though I’ve never needed them.

    I haven’t seen anyone get the concept of passwords wrong

    I have control of the copy-paste function and can even type a password myself if needed

    I’ve seen forms disable paste. Much can go wrong with passwords. Passwords require sharing & transmitting a secret (a symmetric key), which either party can fail to secure. Passkeys, however, never transmit secrets. Instead, they transmit challenges using asymmetric cryptography. The application can’t fail to secure a secret it never has. Far more secure, and less to go wrong.

    The password field is a more manual, error prone user interface. With passkeys/WebAuthn, you instead supply a key that isn’t transmitted: easier than passwords when set up correctly, & nothing to do until it’s set up correctly.

    Similar situation with ssh: though it can accept passwords, ssh key authentication is way nicer & more secure.


  • My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements.

    Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:

    The following requirements apply to passwords:

    1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
    2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
    3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
    4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
    5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
    6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

    Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.



  • For some people it is that easy.

    When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don’t). If your preferred password manager isn’t the primary one on all your devices, then fix that or use the other option mentioned before.

    How would a non-techie figure this shit out?

    The same way they figure out passwords & multifactor. Their pain isn’t ours for those who’ve figured this out & have a smooth experience.



  • it must be a bunch of dorks that pronounce it wrong just because, right?

    Yep: I often see people try to “correct” learners at bootcamps pronouncing it Jason. The fact people pronounce it Jason until told otherwise tells us which is more natural. The “correction”, in contrast, is a myth that must be learned.

    Acknowledging something happens doesn’t endorse it, and Crawford never endorsed your pronunciation as natural. As I suggested earlier, he said “I strictly don’t care”. Jason is a completely reasonable & natural pronunciation.