Plaintext with Rich

From Shared Secrets To Secure Proof: Why Passkeys Win

Rich Greene Season 1 Episode 7

Your name or username doesn’t unlock an account—reused secrets do. We dig into why the internet’s copy‑and‑paste approach to passwords keeps failing and show how passkeys flip the model from disclosure to proof. With a device‑bound private key and simple gestures like a tap or a glance, sign‑ins get faster while phishing and credential stuffing lose their fuel. No more shared secrets to steal, replay, or resell.

We walk through what passwordless really means, not the hype: identity proven with something you have and something you are, anchored by public‑key cryptography. You’ll hear why phishing resistance comes from origin binding, how passkeys eliminate reuse, and where support tickets drop when resets vanish. Then we slow down on the trade‑offs. Device loss and account recovery are the new attack surface, so we break down the real risks—weak backups, stale phone numbers, and social engineering at support—and how to close those gaps without adding friction.

To get you moving, we share a practical plan: protect core accounts starting with email, then Apple, Google, or Microsoft, your password manager, and financial logins. Turn on passkeys where offered, keep strong MFA where they aren’t, prefer apps or hardware keys over SMS, and lock down recovery with verified contacts, backup codes, and at least one additional trusted device. Along the way, we debunk common myths—no, sites don’t keep your biometrics; no, passwordless isn’t a magic shield; yes, daily use is simpler than passwords while planning shifts to recovery.

Ready to trade memorized secrets for proof and speed? Subscribe, share this episode with someone who needs a safer login, and leave a review to tell us which account you’ll upgrade first.

Is there a topic/term you want me to discuss next? Text me!!

SPEAKER_00:

You don't lose access to an account simply because someone knows your name or your username. You lose access because they reuse something you were told to keep secret. For years, the internet has worked on copying secrets and then acting surprised when copies escape. Welcome to Plain Text with Rich.

Today we're talking about passwordless authentication and passkeys. Let's start with a simple question. Why do passwords keep failing? Well, not occasionally, not in edge cases, constantly. Passwords fail because they depend on human behavior staying perfect in a system designed for scale. When we have this, people reuse them. They simplify them. They get tricked into typing them where they shouldn't. Companies store them badly, databases get copied, attackers automate everything. And once a password exists, it can be reused forever unless we get rid of it. That's the core problem. And when stolen passwords get tried across dozens of sites automatically, that pattern has a name, credential stuffing. Now, the easy way to explain credential stuffing really is someone steals a list of email and password pairs and then simply checks where else those combinations work. Often it does work more than once. So when you hear the industry talk about passwordless, this isn't innovation hype, it's an admission. Typing a shared secret into a website has become a liability.

So what does passwordless actually mean? It does not mean no security, it does not mean trust vibes, and it does not mean everything suddenly becomes simple forever. Passwordless means you're no longer proving who you are by sharing something memorized or reusable. Instead, you prove identity using a device and cryptography. Usually that looks like a combination of something you have, like a phone or a security key, and something you are, like a fingerprint or a face scan. The password stops being the center of gravity, and the most common version of this today is called a passkey.

So, what is a passkey? Again, in plain text, a passkey is a login method that uses cryptographic keys instead of a typed password. Now here's the important part. Your device creates a private key. That key never leaves your device. You may be familiar with the private/public key pairs we discussed in a previous episode. The website stores a matching public key. That public key is useless by itself. When you attempt to sign in, your device proves it has the private key without ever revealing it. No shared secret, nothing reusable, nothing for a fake website to steal. That's the shift. If you were to land on a phishing page, your device won't authenticate because the cryptographic match fails. The system checks where it's talking, not just what you typed. That's why passkeys are often considered phishing resistant. Not because they're magical, but because they remove the thing phishing relies on.

So why should we care? Because passkeys quietly fix multiple problems at once. First, phishing drops dramatically. If there's nothing to type, there's nothing to steal. Second, password reuse disappears. You never create a password in the first place. Third, our logins get faster. Usually it's a tap, a glance, and you're in. And fourth, support issues shrink. Fewer resets, fewer lockouts, fewer hijacked accounts. This matters because security that adds friction, it doesn't scale well, right? Security that removes friction does. That's why passkeys are spreading faster than most security upgrades ever have.

Now let's slow down and be honest. While passwordless is better, it is not perfect. There are trade-offs. The biggest one, honestly, is device dependency. If you lose your phone or replace a device, recovery matters. Which leads to the real attack surface here, which is account recovery. When attackers can't guess a password, they aim for resets, support calls, backup emails, weak recovery questions. Passwordless doesn't remove that risk, it concentrates it. So recovery paths need just as much attention as login paths. Another reality is going to be coverage. Not every service supports passkeys yet. We're in a transition period, if you will. Some accounts will be passwordless, some will still use passwords plus, say, multi-factor authentication. This is a hybrid world, and that is perfectly normal.

So, as always, let's make this just a little bit practical, right? I try to keep it to four things. Step one, protect your core accounts. As always, email is going to come first. Then think about it: Apple, Google, Microsoft account, password managers, financial accounts, all of those things. Email is the reset button again for your digital life. If someone controls it, they potentially control everything else. Step two, enable passkeys where they're offered. If you see the option "Create a passkey" or "Sign in with a passkey," use it. Don't be scared of it. Embrace it. You can usually keep a password as backup during the transition. That's fine. Step three, keep strong multi-factor authentication where passkeys aren't available. Prefer authenticator apps or hardware keys. Avoid SMS when you can, but if it's your only option, I still recommend doing it. Again, this is about layering, not purity. Step four, lock down account recovery. Check your recovery emails, your phone numbers, your backup codes, your trusted devices. Make sure recovery points back to you and you actually have access to those accounts, especially if they're older accounts that maybe you don't remember how you enabled the recovery setup. Passwordless fails if recovery is still wide open.

We do have another two steps. First stability, right? Step five, keep using a password manager for non-passkey sites. Some password managers allow you to use and store passkeys, right? They won't auto-fill on fake pages, which, again, adds phishing resistance today. And step six, plan for some type of device loss. Have more than one trusted device if possible. Store recovery codes securely, probably not on said device, right? Not in your inbox, not on a sticky note. As always, preparedness beats panic every single time.

A few myths that might exist. Myth one, passwordless means nobody can break in. The reality is it removes entire classes of attacks, especially phishing and reuse. It doesn't mean it can never happen. Myth two, websites store your biometrics. The reality here is biometrics typically stay on your device. Sites get cryptographic proof, not really your fingerprint itself. Myth number three, this is too complicated. The reality here is daily use is simpler than passwords. The complexity, honestly, is planning recovery. That becomes the complex portion.

If we were to look at this as a plain text recap, passwords fail because they're shared secrets. Passkeys replace that model with proof instead of disclosure. You don't hand over a key, you prove you have one. If you take one action this week, make it this. Enable passkeys on your email and core accounts and harden the recovery. That single change, or really two changes, removes more risk than memorizing another strong password ever will. Now, if there's a security topic you want broken down in plain text, please send it my way. Email, DM, drop in the comments, carrier pigeon. However you choose to reach out to me, I will read it and I will respond. If this episode helped at all, please share it with someone who'd actually benefit. This has been Plain Text with Rich. 10 minutes or less, one topic, no panic. I'll see you next time.