

430 points tambourine_man | 28 comments
mr_mitm ◴[] No.41879391[source]
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.
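As an added example (not from the thread), this Python snippet does the arithmetic behind the post's claim: a uniformly random password carries length × log2(alphabet size) bits, so dropping character classes can be compensated by length. The alphabet sizes and the 15-character mixed password length used below are assumptions for illustration, and the function names are mine.

```python
import math
import secrets
import string

# Alphabets a generator might draw from; lowercase-only is what the post uses for TV remotes.
LOWER = string.ascii_lowercase                 # 26 symbols
ALNUM = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALNUM + string.punctuation         # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly and independently.

    This only holds for generated passwords; a patterned one like "Summer2024!" is
    far weaker than 11 * log2(94) bits because it is drawn from a tiny pattern space.
    """
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest length over this alphabet that reaches target_bits (slack absorbs float error)."""
    return math.ceil(target_bits / math.log2(alphabet_size) - 1e-9)


def equivalent_length(length: int, from_size: int, to_size: int) -> int:
    """Length needed over a to_size alphabet to match `length` chars over a from_size alphabet."""
    return length_for_entropy(entropy_bits(length, from_size), to_size)


def generate(length: int, alphabet: str = LOWER) -> str:
    """Draw each character with the OS CSPRNG (secrets, never the random module) for passwords."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Ten random lowercase letters, as in the post.
    print(f"10 lowercase letters: {entropy_bits(10, len(LOWER)):.1f} bits")
    # An assumed 15-character password drawn from all printable ASCII.
    print(f"15 printable chars:   {entropy_bits(15, len(PRINTABLE)):.1f} bits")
    # Lowercase-only lengths that match those richer alphabets.
    print("lowercase to match 15 printable:", equivalent_length(15, len(PRINTABLE), len(LOWER)))
    print("lowercase to match 10 alnum:    ", equivalent_length(10, len(ALNUM), len(LOWER)))
    print("sample:", generate(equivalent_length(10, len(ALNUM), len(LOWER))))
```

Ten alphanumerics need 13 lowercase letters to match, so the "one or two extra characters" rule of thumb holds for modest class differences; matching a full-printable password of the same length needs proportionally more.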

1. lhamil64 ◴[] No.41879535[source]
How often do people actually end up typing these random passwords though? Personally, I almost always can copy/paste or autofill. For devices like TVs, it seems like many of them let you pair via a QR code or other mechanism. And sure, there are times where you need to manually type a password, and for those specific cases you can use a different scheme (like avoiding special characters or using something like Diceware https://diceware.dmuth.org/) but I wouldn't go so far as to never include special characters. IMO if you expect to always be able to autofill, use as many character classes as possible.
2. ezfe ◴[] No.41879546[source]
Enough that it's worth thinking about. It's not frequent but it happens.
3. mr_mitm ◴[] No.41879604[source]
Well, I do it a lot. I do consulting in IT security and go through the onboarding process of a different company 15 times a year. My customers and co-workers are often security conscious and sometimes give me passwords like RC-A"c\EJe,0l@q. I prefer the US layout but live in Germany, so there is often a mismatch between my physical keyboard and the system I'm typing on, which causes me great frustration. Typing in the LUKS password of a VMware machine via vSphere web console does not allow copy/paste, neither does logging in to a physical device provided by the customer.

I realize I'm far from a typical use case, which is why I'm so glad when people consider password ergonomics. It makes life easier for me and does not make it harder for anyone else.

4. browningstreet ◴[] No.41879627[source]
One notable exception is the 1Password secret key. It’s long and random. I spent this summer reinstalling Linux on a laptop over and over and having to re-type this one long string was my least favorite part of it. Especially since I use multiple profiles in Chrome, and each needs to be authenticated for 1Password.
5. aftbit ◴[] No.41880414[source]
I do something like this surprisingly often when dealing with iDRAC/IPMI/etc:

    sleep 3; xdotool type "abc123"
6. rkeene2 ◴[] No.41880479{3}[source]
When I was doing that a lot I just patched my VNC client to send the keys for the data in the clipboard on "paste" so I could use its native "paste" command.
7. hoherd ◴[] No.41880507[source]
> I almost always can copy/paste or autofill.

Have you tried entering a random password using the buttons and dials on the back of a Sony camera? After three tries, I just gave up.

8. didsomeonesay ◴[] No.41880654{3}[source]
... and now the password is stored unencrypted in your bash history.
9. mmh0000 ◴[] No.41880815[source]
This is an easily solved problem through both software and hardware. If you are frequently typing complex passwords, consider some alternatives:

Software typing of password:

Linux - ydotool / xdotool. Win/Mac have similar tools:

  $ sleep 5 ; xdotool type 'RC-A"c\EJe,0l@q'

> physical device provided by the customer.

Hardware: Rubber Ducky - https://shop.hak5.org/products/usb-rubber-ducky

10. aftbit ◴[] No.41880819{4}[source]
That's a feature, not a bug. :P

Alright if you prefer:

    read -rs PW; sleep 3; xdotool type "$PW"   # -r keeps backslashes in the password literal, -s stops the terminal echoing it
Or if it's already on your clipboard:

    sleep 3; xdotool type "$(xclip -o -selection clipboard)"   # plain xclip -o reads the PRIMARY selection, not the clipboard
11. mmh0000 ◴[] No.41880861{4}[source]
Use the `read` method the other poster said, or ensure HISTCONTROL is set and then prepend a space to commands that contain secrets.

  $ export HISTCONTROL=ignoreboth
  $  echo 'supersecret' | whatever
12. tzs ◴[] No.41880948[source]
As you note many devices now have mechanisms that let you enter the password from a phone or computer where it should be possible to copy/paste from a password manager.

But that usually requires some sort of two way communication between your computer or phone and the device you are setting up or requires that the device has a network connection to a server that your phone or computer can also connect to.

You may still need to manually enter the password for that network connection.

Many WiFi streaming TV boxes are like that if I recall correctly. Manual setup to give them network access, but then later when setting up apps on them for Disney+, Netflix, and the like the apps can use an authentication protocol that doesn't need manual password entry.

I make my WiFi password easy to type for that reason.

13. umanwizard ◴[] No.41881198[source]
I would simply save that into 1password and never have to type it or remember it ever again.

In your obscure set of requirements (no paste?), yes you might have to copy it again, but at least you don't have to remember it.

14. butlike ◴[] No.41881400[source]
1?Z-2>@.#x3O0_l^,fNO%0o

Your comment was interesting to me, so I was trying to come up with the most "ergonomically unsound" password. How did I do?

15. tzs ◴[] No.41881404[source]
If you ever have to do that again it might be worth considering some hardware assistance. An ESP32 S2 or S3, from what I've read, can act as a USB HID and emulate a keyboard from the computer's point of view. The necessary code is included in the ESP32 libraries for Arduino, with examples [1], so for software all you'd need is the Arduino IDE or command line tools, which run fine on Linux.

With that it would be easy to build a temporary "type my secret key" dongle.

An ESP32 S2 or S3 dev kit board from a reputable source along with the other necessary hardware would probably be under $20.

There are also some models of Arduino that have the necessary USB support such as the Arduino Leonardo [2], but the Leonardo is more than an ESP32 at the non-sketchy sellers I've seen.

Even if you've never played around with microcontrollers this would be a beginner level project.

[1] https://github.com/espressif/arduino-esp32/tree/master/libra...

[2] https://docs.arduino.cc/hardware/leonardo/

16. ziddoap ◴[] No.41881787{3}[source]
Add a double space somewhere, and append single space to the end just to be safe.
17. encom ◴[] No.41881806{3}[source]
Just have Keepass pick from the extended ASCII set

    Å`÷½¸Å^çÏ+Í?«~Ðñø'`¾
18. Novosell ◴[] No.41882064[source]
I add some of my more common passwords as macros on my keyboard. No companion software, just firmware. Saves a lot of time and now the passwords can be typed anywhere by just plugging the keyboard in! I've also added my email :)
19. mr_mitm ◴[] No.41882671{4}[source]
Maybe there is a single space at the end. No way to know. Well done, GP.
20. svieira ◴[] No.41882879{4}[source]
I see you, and I raise you

    ĮǶľƶₔâ¾ijĤĬď©‘¦ı‰ęž‰śij²ÔķՎĜ́北¹«ƶ’–­ħ›ĸ«
22. EasyMark ◴[] No.41885651[source]
This is the way: completely random letters, numbers, symbols, as many as it will let you use; let the computer do the work for you.
23. EasyMark ◴[] No.41885658{4}[source]
Well, I want to have some chance at typing it in if I absolutely must...
24. bombela ◴[] No.41889003{4}[source]
Prefix any command with a space and bash won't append to the history.
25. gruturo ◴[] No.41903285{5}[source]
Careful, that's only true if you set HISTCONTROL to "ignorespace" or "ignoreboth".
26. bombela ◴[] No.41906913{6}[source]
Which seems to be the default in my anecdotal experience on Debian/Ubuntu.

It is also the default on fish shell in the same anecdotal experience.

27. browningstreet ◴[] No.41909458{3}[source]
This is an interesting suggestion but I’m running Ubuntu on a MacBook Air while traveling. When I set up the new home office though, I will try this tactic. Thanks for the idea.
28. brokenmachine ◴[] No.41911174[source]
> if you expect to always be able to autofill, use as many character classes as possible

I use a password manager but generally set it to only upper, lower and numbers and 24 characters, because so many sites seem to be broken for symbols.

But I do live in fear of the sites that are broken for long passwords (or even worse, silently broken).