430 points tambourine_man | 30 comments
1. eviks ◴[] No.41879128[source]
Why not just use real words with longer password instead? That'd be easier to type than these shorter "word-like" syllables
replies(3): >>41879137 #>>41879148 #>>41879247 #
2. bombcar ◴[] No.41879137[source]
Even if horse-battery-staple works mathematically, people don't trust that it's "really random".

1password supports it as "memorable password".

replies(3): >>41879184 #>>41879233 #>>41879327 #
3. DuckConference ◴[] No.41879148[source]
In theory* having to type it is supposed to be a rare edge case.
4. eviks ◴[] No.41879184[source]
We know from user generated passwords that people trust even less random stuff just fine

But you could always have an option for a different, more random-looking, style

5. david422 ◴[] No.41879233[source]
Here's a format I really like:

3CatsHave12Legs!

Easy to memorize, and pretty strong.

replies(4): >>41879283 #>>41879288 #>>41879303 #>>41879414 #
6. lemagedurage ◴[] No.41879247[source]
When typing through a TV remote or console controller, shorter passwords might be preferred, especially if parts are still easily memorizable.

Also, I think some websites still have a relatively low upper limit for password length.

replies(1): >>41879275 #
7. wlesieutre ◴[] No.41879275[source]
Apple TV lets you use your phone to input passwords, so in Apple's ecosystem they wouldn't care about that. And being Apple, they wouldn't care about people needing to use anyone else's devices.

Website length limits are a problem though, in the worst case there are websites that silently truncate your password so you don't even realize that the first 12 (or whatever) characters are the only part that matters. If your first 12 characters are two words with a dash in the middle, that could be a real vulnerability.

Another benefit of passkeys is that it limits the ability of websites to do that kind of stupid shit.

replies(2): >>41879373 #>>41879573 #
8. rhaps0dy ◴[] No.41879283{3}[source]
How many more passwords of this format can you construct? `have` is fixed, the `!` at the end is a classic, and the 12 number is pre-determined by true cats and the 3. So the only degrees of freedom you have are:

- the entity number (3)

- the kind of entity (Cats)

- the kind of part (Legs)

and that's not a huge number of combinations.

replies(1): >>41879329 #
9. mangodrunk ◴[] No.41879288{3}[source]
Why mention memorizing passwords? Most people have dozens of passwords, and most people would have trouble memorizing even a simple word for dozens of passwords. I have a lot of trouble with those annoying security questions which one would assume would be constant and easy to answer.
replies(1): >>41882318 #
10. mr_mitm ◴[] No.41879303{3}[source]
The vast majority of passwords does not need to be easy to memorize because they should be stored in a password manager. In fact, I'd argue that the harder it is to memorize, the stronger the password.

Yet they still need to be typed on cell phone keyboards, TVs, or communicated over phone (shared passwords are the best compromise if asymmetric cryptography is not an option), in which case you usually need to spell it out anyway.

replies(1): >>41879352 #
11. edweis ◴[] No.41879327[source]
Seclist actually has a similar password "correct-horse-battery-staple" in one of their dictionaries.

    curl https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/DNS/dns-Jhaddix.txt | grep "horse-battery-staple"
replies(2): >>41879355 #>>41879367 #
12. bayindirh ◴[] No.41879329{4}[source]
"My4BikesHave9WheelsBecause1IsATricycle?" is a valid one for example?
replies(2): >>41879439 #>>41879624 #
13. bombcar ◴[] No.41879352{4}[source]
Cell phone keyboards should have a "QR code input" and then you could just use a QR code generated by your password manager dynamically.
14. zikduruqe ◴[] No.41879355{3}[source]
Just use the dictionary on your local machine.

    # four random dictionary words joined with '-' (the no-op sed from the original is dropped)
    sort -R /usr/share/dict/words | head -n 4 | tr '\n' '-' | sed 's/-$/\n/'

    unsterilized-compoundedness-betrayer-pentathlon
15. scoot ◴[] No.41879367{3}[source]
> Seclist actually has a similar password "correct-horse-battery-staple" in one of their dictionary.

There's a well-known reason for that (and for GP's comment): https://xkcd.com/936/

16. tssva ◴[] No.41879373{3}[source]
Roku, who has about 50% of the streaming device market in the US, supports entering passwords via their mobile apps.

Having to enter a password on a streaming device is a rare event for me at least. Almost all of the apps on my Roku support using an off-device web browser to authenticate.

replies(2): >>41880068 #>>41888451 #
17. nothercastle ◴[] No.41879439{5}[source]
You have to type that all in without error and the archaic app needs to actually support that many characters
replies(2): >>41879461 #>>41879748 #
18. bayindirh ◴[] No.41879461{6}[source]
I write longer passwords than that periodically. Archaic applications will get shorter variants. No two apps will share the same password.

All are no problems for me. With or without a password manager.

19. jonhohle ◴[] No.41879573{3}[source]
> And being Apple, they wouldn't care about people needing to use anyone else's devices.

Did you RTFA?

>> To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.

replies(1): >>41879784 #
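A side-by-side entropy comparison of the three password shapes argued over in this thread (the consonant-vowel-consonant syllable format quoted in post 19, the random-word passphrase from post 14's one-liner, and rhaps0dy's degrees-of-freedom count for "3CatsHave12Legs!" in post 8). This is added example code, not from the thread or from Apple; the syllable count, hyphen grouping, dictionary size and the noun/part pool sizes are assumptions, and the wordlist is a constructed stand-in so it runs offline.

```python
import math
import secrets

# Constructed demo wordlist, standing in for /usr/share/dict/words so this runs offline.
WORDS = ["correct", "horse", "battery", "staple", "unsterilized",
         "compoundedness", "betrayer", "pentathlon"]
CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 21 letters
VOWELS = "aeiou"                      # 5 letters
SYLLABLE_CHOICES = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)  # 2205 per syllable


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of `positions` independent uniform picks, each from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def cvc_syllable() -> str:
    """One consonant-vowel-consonant syllable, the building block of the format quoted above."""
    return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)


def cvc_password(syllables: int = 6, group: int = 2) -> str:
    """Lowercase syllable password. Syllable count and hyphen grouping are assumptions, not Apple's spec."""
    parts = [cvc_syllable() for _ in range(syllables)]
    return "-".join("".join(parts[i:i + group]) for i in range(0, syllables, group))


def word_passphrase(words: int = 4, wordlist=WORDS) -> str:
    """Hyphen-joined random words, the same shape as the sort -R /usr/share/dict/words one-liner."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def template_entropy_bits(counts: int = 9, nouns: int = 100, parts: int = 100) -> float:
    """'3CatsHave12Legs!' style: only the count, the noun and the body part are free choices;
    'Have', the derived number and the trailing '!' add nothing. Pool sizes are assumptions."""
    return math.log2(counts * nouns * parts)


def compare(dictionary_size: int = 100_000) -> dict:
    """Entropy in bits of the three formats discussed in the thread."""
    return {
        "cvc_6_syllables": entropy_bits(SYLLABLE_CHOICES, 6),
        "4_dictionary_words": entropy_bits(dictionary_size, 4),
        "3CatsHave12Legs_template": template_entropy_bits(),
    }


if __name__ == "__main__":
    print(cvc_password(), word_passphrase())
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f} bits")
```

The template format lands around 16 bits even with generous pools of 100 nouns and 100 body parts, against roughly 66 bits for either six cvc syllables or four words from a 100k-word dictionary.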
20. Dilettante_ ◴[] No.41879624{5}[source]
The question mark makes this look like it's the title of a new hit light novel
21. BobaFloutist ◴[] No.41879748{6}[source]
Typing that all in without error is considerably easier than typing TMJ0ltu*zif52Cb& in without error.
22. ◴[] No.41879784{4}[source]
23. jeffhuys ◴[] No.41880068{4}[source]
> Roku, who has about 50% of the streaming device market in the US

Wow, really? That's surprising to me, do you have a link so I can see the rest of the stats?

replies(1): >>41883608 #
24. samatman ◴[] No.41882318{4}[source]
Have you not memorized the password to your password manager?

How would that even work?

replies(1): >>41887328 #
25. tssva ◴[] No.41883608{5}[source]
https://www.coolest-gadgets.com/streaming-devices-statistics...
26. gregjor ◴[] No.41887328{5}[source]
FaceID or YubiKey
replies(1): >>41895663 #
27. tzs ◴[] No.41888451{4}[source]
How about during initial setup of the Roku itself? Can you use the mobile app to give the Roku your WiFi password?
replies(1): >>41895283 #
28. tssva ◴[] No.41895283{5}[source]
I don't believe that was an option when I set mine up but that was a few years ago. Also there is a wide range of Roku devices and TVs with differing capabilities so even if mine didn't it might be that some do support this. I honestly don't know.
29. samatman ◴[] No.41895663{6}[source]
Ok, but if there isn't a high-entropy sequence of "something you know" somewhere in the system, you've created some pretty bad failure modes. 1Password requires a master password periodically, but can otherwise be unlocked by AppleID (presumably also true for secure-element biometrics on other platforms).

I maintain that a good secrets management system has a number of passwords which should be memorizable (and memorized) which is greater than zero. Possibly by only one element.

replies(1): >>41900679 #
30. gregjor ◴[] No.41900679{7}[source]
Every password manager I know of, including Apple's, requires a strong password to unlock the vault. FaceID or YubiKey allow me to bypass typing that so often, but anyone trying to get into my accounts or password manager would have to know the strong password and get past the physical/biometric 2FA.