Also, I think some websites still have a relatively low upper limit for password length.
Website length limits are a problem though, in the worst case there are websites that silently truncate your password so you don't even realize that the first 12 (or whatever) characters are the only part that matters. If your first 12 characters are two words with a dash in the middle, that could be a real vulnerability.
Another benefit of passkeys is that they limit the ability of websites to do that kind of stupid shit.
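An added example (not part of any comment in this thread) of the silent-truncation problem described above: a self-check that reveals whether a backend ignores the tail of a password, and a calculation of how much passphrase entropy survives a cut-off. The `Site` class, the 12-character limit, and the 2048-word list (the xkcd 936 figure of 11 bits per word) are assumptions for illustration.

```python
import hashlib
import hmac
import math
import os


class Site:
    """Hypothetical password backend; limit=None stores the full password."""

    def __init__(self, limit=None):
        self.limit, self.salt, self.stored = limit, os.urandom(16), None

    def _digest(self, password):
        kept = password[: self.limit]  # the silent truncation under discussion
        return hashlib.pbkdf2_hmac("sha256", kept.encode(), self.salt, 10_000)

    def register(self, password):
        self.stored = self._digest(password)

    def login(self, password):
        return hmac.compare_digest(self.stored, self._digest(password))


def silently_truncates(site, password):
    """Register, then log in with the last character changed.
    Success means the tail of the password is being ignored."""
    site.register(password)
    altered = password[:-1] + ("x" if password[-1] != "x" else "y")
    return site.login(altered)


def surviving_bits(words, wordlist_size, limit, sep="-"):
    """Return (full_bits, kept_bits) for a passphrase of uniformly chosen words.
    kept_bits counts only words that fit entirely inside the first `limit`
    characters; a cut-off word adds at most one more word's worth."""
    per_word = math.log2(wordlist_size)
    pos, kept = 0, 0
    for word in words:
        if pos + len(word) > limit:
            break
        kept += 1
        pos += len(word) + len(sep)
    return len(words) * per_word, kept * per_word


if __name__ == "__main__":
    phrase = "correct-horse-battery-staple"  # constructed sample passphrase
    print(silently_truncates(Site(limit=12), phrase))
    print(silently_truncates(Site(), phrase))
    print(surviving_bits(phrase.split("-"), 2048, 12))
```

The same changed-last-character login is a quick way to test an account you own on a real site after setting a long password.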
- the entity number (3)
- the kind of entity (Cats)
- the kind of part (Legs)
and that's not a huge number of combinations.
Yet they still need to be typed on cell phone keyboards, TVs, or communicated over the phone (shared passwords are the best compromise if asymmetric cryptography is not an option), in which case you usually need to spell it out anyway.
curl https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/DNS/dns-Jhaddix.txt | grep "horse-battery-staple"
There's a well-known reason for that (and for GP's comment): https://xkcd.com/936/
Having to enter a password on a streaming device is a rare event for me at least. Almost all of the apps on my Roku support using an off-device web browser to authenticate.
Did you RTFA?
>> To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.
I maintain that a good secrets management system has a number of passwords which should be memorizable (and memorized) which is greater than zero. Possibly by only one element.