
Passwords are a shared secret. You know it, and the website you are logging into knows it. If the website leaks it, someone else can log in as you.

Passkeys are a private key/public key pair. You give the public key to a website, but you don't share the private key with anyone. To log into the website, you encrypt a short message with the private key, and they can use the public key to decrypt it. If they leak the public key, it doesn't matter. Nobody can use it to log into the website. Only the private key can do that.

Also, there is a standard way of logging into a website with a passkey. The password manager can easily do it on every website. With passwords, every website is a little different. Your password manager can log in easily on some websites, and on others it can't and you need to copy and paste your password from the password manager to the website.

Besides being inconvenient, people have been able to write code that tricks password managers into thinking they are sending your password to the correct website when they are actually sending it to bad guys. Similarly, humans can be tricked into copying and pasting the password to the wrong place, giving it to bad guys. That leaks the important shared secret!

If someone tricks your password manager in a similar manner with passkeys (which is much more difficult because of the standard way password managers and websites communicate), all they get is a message encrypted with your private key. Maybe this could be used to log onto a website one time if they are very clever, but they do not get your private key, which could be used to impersonate you many, many times like a leaked password would.
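The challenge/response flow the comment describes, written up as an added example in Go (not the commenter's code): the authenticator signs the server's fresh challenge together with the origin the browser observed, and the server checks it with only the stored public key. The `signedBytes` layout and the `Authenticator`/`Server` types are simplifications assumed here in place of WebAuthn's real clientDataJSON/authenticatorData format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// signedBytes stands in for WebAuthn's signed client data: the fresh challenge
// bound to the origin the browser itself observed (hypothetical byte layout).
func signedBytes(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// Authenticator holds the passkey's private key, which never leaves the device.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator creates a passkey and returns the public key to register.
func NewAuthenticator() (Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return Authenticator{priv}, pub
}

// Sign answers a login challenge. The browser, not the web page, supplies origin,
// so a look-alike site cannot claim to be the real one.
func (a Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedBytes(origin, challenge))
}

// Server is the relying party; it stores only the public key, so leaking its
// database gives an attacker nothing that can produce a valid login.
type Server struct {
	Origin string
	Pub    ed25519.PublicKey
}

// NewChallenge issues a random nonce so a captured assertion cannot be replayed.
func (s Server) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify recomputes the expected bytes with the server's own origin and the
// challenge it issued; anything signed for another origin or challenge fails.
func (s Server) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.Pub, signedBytes(s.Origin, challenge), sig)
}
```

A relayed assertion fails because the origin folded into the signed bytes is the phishing site's, not the server's, and a captured assertion fails on the next login because the challenge has changed.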
