I'm not knowledgeable enough to determine if this is more secure or not, but I trust the opinions of others who seem to be in the know so I have created a passkey here and it went extremely well.
My question is, if the username and password I previously used still exist, do they not remain a vulnerability? Once a passkey is used, should the old credentials not be deleted?
Just change the password to a random long password, and have it saved in a password manager. You don't need to remember it.
https://1password.com/password-generator
I used to run an IT shop and was involved in security decades ago, in the world of large network routers (think telcos) and Linux, OpenBSD, Sun Microsystems (RIP), etc. The safest network is the one NOT connected to the outside world. It's that simple. In our case here, this is not practical.
A long time ago, before the Internet, people just had a user name like 'bob', with a password like 'sunshine'. It was fine. It wasn't connected to millions of other nodes/networks, so we just left it alone. Security never got you more sales. Features and ease of use did.
Then we got encryption, and storing passwords. Even then, everyone knew there were vulnerabilities. As the Internet came online, everybody tried to invent their own authentication software. Many did it poorly. In addition, people hated remembering passwords, so they just used the same one everywhere.
As everything went online and people had hundreds of passwords, password managers started up. Then you can create unique passwords for every site, and have a master password for your own passwords. Most people still haven't caught up and are reusing passwords.
It is always assumed that a website will get hacked. Always. So that means all you can do is mitigate the risk by making sure that if someone steals your "AudioScienceReview" password, that's the only site they can abuse, and not your online bank, credit card, govt, etc. In an enterprise setting, depending on how secure it is, the IT shop can be aggressive in making people change passwords often (which ironically can lead to easy-to-guess passwords if no password manager is allowed) and have 2-factor authentication as well as VPN logins with hardware tokens. Essentially, multiple layers of authentication that are not dependent on each other. Most places do not do this.
All you can do is get a password manager, change all your website passwords to random passwords that get autofilled, enable 2-factor authentication (2FA), and protect your master password. Even then you can get hacked if your computer is compromised and they go after your master password, but that 2FA should help you. If you ever get a login notification that you didn't initiate, change your password immediately. You don't need to remember your password, because you can always just reset your password whenever you get logged out. It's not a big deal. The key is that you are reducing your failure, not eliminating it.
Your email and phone number should be protected the most, even though you can technically spoof phone numbers. Like I said, anything can be hacked given enough time. Layering security with multiple forms of security on top of passwords, like 2FA, passkeys, biometrics, hardware tokens, geographic limitations (if you live in country X, someone in country Y should not be able to log in), etc., is basically what we have to do.