
430 points tambourine_man | 1 comments
calgoo No.41879171
I always liked the 1Password word passwords… you select the number of words and it generates each word in upper OR lowercase, and connects them with symbols or numbers. Easy to memorize, and better than KeePass or others that use more fixed formats: the same characters between words, and words are just in title format where the first letter is upper case and the rest is lowercase.
replies(5): >>41879306 #>>41879343 #>>41879408 #>>41879433 #>>41879512 #
jorvi No.41879408
The problem is that many sites still use archaic password rules.

1Password should by default just always capitalize one word, and add “1” at the end of the memorable password. Since the words are separated by “-” or “.”, you already hit the “at least one symbol” rule.

replies(3): >>41879566 #>>41880012 #>>41883980 #
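As an added example (not code from the thread, from 1Password or from KeePass), here is a generator for the two passphrase styles compared above, an entropy estimate for each, and a check against the kind of legacy site rule jorvi describes; the wordlist and separator set are constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample wordlist; a real generator draws from a list of thousands of words.
WORDS = ["apple", "bridge", "candle", "dragon", "ember", "forest", "glacier", "harbor"]
SEPARATORS = "-._!0123456789"  # constructed separator set: symbols and digits


def mixed_case_passphrase(n_words, words=WORDS, separators=SEPARATORS):
    """Scheme described in the thread: each word is randomly UPPER or lower,
    and adjacent words are joined by a randomly chosen symbol or digit."""
    parts = []
    for i in range(n_words):
        word = secrets.choice(words)
        parts.append(word.upper() if secrets.randbits(1) else word.lower())
        if i < n_words - 1:
            parts.append(secrets.choice(separators))
    return "".join(parts)


def title_case_passphrase(n_words, words=WORDS, sep="-"):
    """Fixed format: Title-Case words joined by a single fixed separator."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(n_words))


def entropy_bits(n_words, wordlist_size, case_choices=1, separator_choices=1):
    """Entropy of n uniformly drawn words, each with `case_choices` case forms,
    plus n-1 separators each drawn from `separator_choices` options."""
    per_word = math.log2(wordlist_size) + math.log2(case_choices)
    per_sep = math.log2(separator_choices)
    return n_words * per_word + (n_words - 1) * per_sep


def meets_legacy_rules(pw, min_len=12):
    """Typical archaic site rule: upper, lower, digit and symbol all present."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    pp = mixed_case_passphrase(4)
    print(pp, meets_legacy_rules(pp))
    print("mixed-case, random separators:", entropy_bits(4, len(WORDS), 2, len(SEPARATORS)))
    print("title-case, fixed separator:  ", entropy_bits(4, len(WORDS)))
```

With the random-case scheme a four-word phrase is not guaranteed to contain a digit, which is why appending a fixed "1" (as suggested above) makes it pass such rules without losing any entropy.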
dark-star No.41879566
I especially like sites that disallow pasting into password fields... Yes, that is apparently a thing, especially for banking or finance related sites (from my experience)
replies(7): >>41879659 #>>41879830 #>>41880113 #>>41880189 #>>41880542 #>>41881749 #>>41881852 #
cameronh90 No.41880113
I've been working in finance for 15 years, and the amount of security theatre we're forced to do by various parties is monotonically increasing year by year.

The way it works is you have a hundred government regulators around the world, full of underpaid bureaucrats straight out of school, who introduce vague, poorly thought out requirements. The consequences of non-compliance are often existential for the business: you can lose your license, your clients, and in some cases, your freedom.

Next a bunch of lawyer/compliance-y types take those requirements from around the world and try to distil them down to a specific (but onerous) set of controls by interpreting the guidelines cautiously. Obviously all they care about is making sure that if you do get popped, you can claim you did everything in compliance with the regulations and you get to continue trading.

Often these rules are transitive too, so you need to have some level of certainty that the other parties in your supply chain are also compliant, so independent auditors spring up to provide some third party accreditation. Your CFO sees this purely as a cost and doesn't want to pay much for it, so the pressure is to make this auditing as simple as possible, so their checklists become oriented around things they can easily check to demonstrate compliance with a particular control.

So some original requirement like "it should not be possible to share passwords between multiple users" ends up being bastardised down the chain until the item on the checklist is "don't allow pasting into the password field". Obviously by this point, everyone's actually forgotten why that checklist item was created, so even if the original requirement disappears, the checklist item lives on, often, forever.

It's only in rare, high profile circumstances where a previous requirement is explicitly and noisily repudiated that old items tend to disappear. Even then it can take years. I'm still having to fight back auditors asking for mandatory monthly password changes, for example, in a system that uses passkeys...