←back to thread

Apple Passwords’ generated strong password format

(rmondello.com)
430 points tambourine_man | 6 comments | 18 Oct 24 11:12 UTC | HN request time: 0.513s | source | bottom
Show context
mr_mitm ◴[18 Oct 24 13:40 UTC] No.41879391[source]
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

replies(10): >>41879469 #>>41879535 #>>41879556 #>>41879734 #>>41879735 #>>41880345 #>>41880499 #>>41881423 #>>41881471 #>>41883418 #
1. nothercastle ◴[18 Oct 24 13:50 UTC] No.41879469[source]
How much more entropy do you really get for 1 additional capital letter. Probably only a few bits worth 8-12.
replies(4): >>41879529 #>>41879531 #>>41879559 #>>41879832 #
2. candiddevmike ◴[18 Oct 24 13:57 UTC] No.41879529[source]
A 10 character password with all lowercase is 47 bits, if you do half upper/half lower it goes to 57 (using Shannon entropy).
replies(1): >>41882121 #
3. zeta0134 ◴[18 Oct 24 13:58 UTC] No.41879531[source]
You multiply the entropy of the previous word by the added entropy of the new symbol. This grows exponentially!

Extra character classes can help if you're stuck needing to make a really short password for some reason, but if you're randomly generating each symbol anyway, just tossing a few more on the end is *far* more effective. You massively increase the brute force search space with each additional symbol.

4. plopilop ◴[18 Oct 24 14:01 UTC] No.41879559[source]
Switching one uppercase letter in an otherwise lowercase password adds exactly 1 bit of entropy (per switched letter).

On the other hand, any extra lowercase letter will increase the entropy by 4.7 bits (assuming a password on [a-z]).

Given that most passwords have at best 2 uppercase letters, I would argue it is safer to force longer passwords than passwords with at least one uppercase letter.

5. bryanlarsen ◴[18 Oct 24 14:33 UTC] No.41879832[source]
I imagine the main reason for the single capital letters is to make the password acceptable on those annoying websites with annoying requirements, not necessarily to add entropy.

If you already know it's in apple password format, then you know 1/17 of the letters are capital, but not which one so the number of combinations you have to try is multiplied by 17, for just over 4 additional bits of entropy.

6. tzs ◴[18 Oct 24 18:28 UTC] No.41882121[source]
Wouldn't that be 54.98 bits? 57 bits would be if you allowed mixed case with no constraint on how many are upper and how many are lower.

With the constraint that it has to be half upper/half lower you only get 252 times as many passwords instead of 1024 times as many.