Most active commenters

    ←back to thread

    Apple Passwords’ generated strong password format

    (rmondello.com)
    430 points tambourine_man | 37 comments | 18 Oct 24 11:12 UTC | HN request time: 0.001s | source | bottom
    Show context
    mr_mitm ◴[18 Oct 24 13:40 UTC] No.41879391[source]
    I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

    The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

    Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

    replies(10): >>41879469 #>>41879535 #>>41879556 #>>41879734 #>>41879735 #>>41880345 #>>41880499 #>>41881423 #>>41881471 #>>41883418 #
    Terretta ◴[18 Oct 24 15:31 UTC] No.41880345[source]
    > The usual advice about character classes is only for casual users who don't know what makes a secure password.

    Arguably, it was to make early rainbow tables less feasible.

    > if you are already generating the password, please do not include special characters.

    This would make your generator useless on most sites. Since it's not the generator making up this rule, it's the web site's password "complexity" requirements.

    I do agree password strength tests should just measure bits of entropy and allow whatever's typed that's high enough.

    replies(5): >>41880400 #>>41880402 #>>41880520 #>>41881041 #>>41885295 #
    1. aftbit ◴[18 Oct 24 15:37 UTC] No.41880400[source]
    I like to subvert those sites by just adding A1! to the end of every otherwise totally lower-case password.

    There is a special place in hell for anyone who creates a maximum password length limit, however. That prevents passphrases and gains nothing. If you're working with some weird legacy system that can't handle long password (worst way: just truncating them and matching the first 8 characters), then add Argon2 or heck even SHA where you otherwise add the password length check.

    replies(10): >>41880465 #>>41880795 #>>41881107 #>>41881775 #>>41881909 #>>41881991 #>>41887626 #>>41888547 #>>41904414 #>>41911046 #
    2. mingus88 ◴[18 Oct 24 15:43 UTC] No.41880465[source]
    When I am forced to rotate an otherwise good password, I swap the suffix to the front of the password

    If they have some perverse check to make sure I am not re-using one of my last X passwords I just rotate in another permutation like A2!

    replies(2): >>41880661 #>>41882312 #
    3. ziddoap ◴[18 Oct 24 16:02 UTC] No.41880661[source]
    This is the exact reason why NIST, for the better part of a decade now, has strictly recommended against arbitrary password rotations. All it accomplishes is frustration for users with no tangible increase in security (because everyone just increments their password, or follows other simple patterns).

    Some research suggests that arbitrary password rotations results in a real-world decrease in security, because as users get frustrated they make simpler and simpler passwords.

    replies(3): >>41881060 #>>41882148 #>>41885930 #
    4. bobthepanda ◴[18 Oct 24 16:15 UTC] No.41880795[source]
    also, excessive minimums. I once encountered a website with 20 minimum characters, which I think is longer than some sites' max length.
    replies(1): >>41881081 #
    5. Vegenoid ◴[18 Oct 24 16:39 UTC] No.41881060{3}[source]
    I worked in IT at a tech company that had mandatory 90-day password rotations. That place had the highest rate of “password on sticky note” that I’ve ever seen.
    replies(3): >>41883755 #>>41884369 #>>41888035 #
    6. beretguy ◴[18 Oct 24 16:40 UTC] No.41881081[source]
    I think 15 is a good secure minimum.
    7. xahrepap ◴[18 Oct 24 16:43 UTC] No.41881107[source]
    even worse when they don't properly enforce it and instead silently truncate it.

    There was a PayPal bug just a couple years ago where the reset-password page didn't enforce length like other pages did. So it allowed you to create an otherwise illegal password and then your account is completely locked out (I guess, unless you realized the truncation was happening...)

    And so I would reset my password, generate a new one... and it would happen again. Took me a while to realize it was the length and not a special character I added messing up with bad encoding logic or something.

    replies(2): >>41881630 #>>41882493 #
    8. Terretta ◴[18 Oct 24 17:31 UTC] No.41881630[source]
    > even worse when they don't properly enforce it and instead silently truncate it

    JetBlue truncated to 10, e.g.:

        fly0nJetBlue -> fly0nJetBl
    So I can tell you it's even worse when they silently truncate it on save, and on some logins, but not on all logins!
    replies(1): >>41883545 #
    9. HPsquared ◴[18 Oct 24 17:48 UTC] No.41881775[source]
    Symbols should be restricted to the set that are mostly insensitive to keyboard layout.

    '!' is a good one. Quotation marks are not. Currency signs are not.

    replies(1): >>41883177 #
    10. bsimpson ◴[18 Oct 24 18:04 UTC] No.41881909[source]
    I remember being shocked when I realized that Charles Schwab, a bank that manages untold illions of dollars, was ignoring everything after the 8th character in their passwords. This was still true until a few years ago.
    replies(5): >>41882544 #>>41882605 #>>41883625 #>>41888902 #>>41890386 #
    11. riquito ◴[18 Oct 24 18:13 UTC] No.41881991[source]
    > There is a special place in hell for anyone who creates a maximum password length limit

    People abuse everything, you can be dossed trying to compute <pick your hashing algorithm-of-choice> of a password as big as the maximum body size your webserver accept (which is a limit btw, so remember to dress light :-p )

    replies(2): >>41882186 #>>41888470 #
    12. stevekemp ◴[18 Oct 24 18:31 UTC] No.41882148{3}[source]
    My memory is that PCI regulations require password rotation every 90 days - also that the minimum password length should be seven characters, not the eight I always answer when quizzed.
    replies(1): >>41887132 #
    13. mrbabbage ◴[18 Oct 24 18:35 UTC] No.41882186[source]
    bcrypt has a built-in 72 byte limit, which helps with the DOS issue
    14. mrWiz ◴[18 Oct 24 18:47 UTC] No.41882312[source]
    Unless there's a rate limit for changing passwords I just rapidly change them X+1 times and arrive back at my original. This only applies to work stuff, which I don't keep in my password manager.
    replies(1): >>41883031 #
    15. mm_00 ◴[18 Oct 24 19:09 UTC] No.41882493[source]
    Thank you for confirming I'm not crazy. I remember having the same problem a few years back and looking up online if anyone had the same problem as me, but found nothing at the time.
    16. jp191919 ◴[18 Oct 24 19:16 UTC] No.41882544[source]
    Transunion (credit reporting agency) does this, but after the 15th character.
    17. happymellon ◴[18 Oct 24 19:22 UTC] No.41882605[source]
    As did HSBC.
    18. umpalumpaaa ◴[18 Oct 24 20:12 UTC] No.41883031{3}[source]
    In my experience, changing the password at big corps usually locks you out and requires a call to IT. I had a success rate of about 50% when I had to change passwords. It was the most frustrating thing...

    "Oh yeah your password change properly is not synced to all servers yet. Just wait and try again later"

    "Oh you tried the new password too many times while it was not synced yet. Your account is now locked. You need a manager approval to unlock your account."

    19. icedchai ◴[18 Oct 24 20:29 UTC] No.41883177[source]
    I usually just throw a period in there.
    20. username135 ◴[18 Oct 24 21:14 UTC] No.41883545{3}[source]
    I went through this hell just last week with their terrible website. Jetblue has fallen a gew notches over the years.
    21. doubled112 ◴[18 Oct 24 21:24 UTC] No.41883625[source]
    A bunch of the Canadian banks too. TD Canada Trust I can personally confirm.
    replies(1): >>41884331 #
    22. sebastiennight ◴[18 Oct 24 21:41 UTC] No.41883755{4}[source]
    On the tenth call to my bank in the same year to reset one of our user passwords, the account rep just volunteered to them the information that "there is an option you can check on an obscure settings page to NOT have the mandatory password rotation, you know".
    23. astrange ◴[18 Oct 24 23:12 UTC] No.41884331{3}[source]
    This is a sign they're storing it unhashed on a mainframe system. Airlines also do it.
    replies(1): >>41885120 #
    24. alexwasserman ◴[18 Oct 24 23:22 UTC] No.41884369{4}[source]
    At a bank back in the Blackberry days they were handed out with Qwerty1 as the default password. Just incrementing the digit would get you into 80%+ devices in the firm.
    25. KMnO4 ◴[19 Oct 24 02:12 UTC] No.41885120{4}[source]
    That’s not true. You can hash the truncated version
    replies(1): >>41885385 #
    26. computerfriend ◴[19 Oct 24 03:16 UTC] No.41885385{5}[source]
    The desire to truncate comes from wanting to store smaller fields in the database.
    27. davkan ◴[19 Oct 24 06:00 UTC] No.41885930{3}[source]
    If I remember correctly they only recommend against password rotation when MFA is in place, which is significantly more important anyway.
    28. batch12 ◴[19 Oct 24 11:05 UTC] No.41887132{4}[source]
    PCI DSS 4.0[0] requirement 8.3.9 updates this to 12 characters and only requires rotation if the password is the only factor used for authentication.

    [0] https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard...

    29. lobochrome ◴[19 Oct 24 13:23 UTC] No.41887626[source]
    70% of all passwords in Japan. 8-10 characters max length is the most common.

    I understand where it comes from (having computer systems designed by people who never spend a second thinking about your language) but still.

    It’s 2024!

    30. InfamousRece ◴[19 Oct 24 14:42 UTC] No.41888035{4}[source]
    I worked for a financial company that had 29 day password rotation. One day I accidentally logged in as my colleague. Our user names differed by just one letter so I simply mistyped. It turned out we used the same password scheme to keep up with the rotation and stupid special character requirements.
    31. infogulch ◴[19 Oct 24 15:46 UTC] No.41888470[source]
    Don't tell me that if you allow long passwords you'll run into the body size limit of the http server when you set the maximum password length to a measly 16 bytes because your choice of password hash scales like O(length(password)*iterations) which opens you up to a denial of service if you allow longer passwords. 50, 100, even 200 byte passphrases are reasonable and make no discernible performance difference to sanely designed auth servers.

    There's no reason* why the time a hashing algorithm takes to do security rounds should vary with the length of the user's password. If you want to prevent DoS as GP mentioned then run all passwords through one round of a (fast) secure hash algorithm, then do security rounds with the output. This is what Argon2 does by default https://en.wikipedia.org/wiki/Argon2

    32. tveyben ◴[19 Oct 24 15:57 UTC] No.41888547[source]
    Haha - i have the same kind of Logic. Would be great if Bitwarden would add this appendix as an option as it is required on quite a number of websites…!
    33. myrandomcomment ◴[19 Oct 24 16:52 UTC] No.41888902[source]
    I remember this. I had enough funds with them at the time (and I am also in tech so I insisted on a technical explanation) that I was able to speak with their security team about the reason for the limit and when it would be fixed. It has been fixed and they require 2FA now (however they require a very specific app for it). Overall my experience with them over the last 10 years has been good.

    TLDR; limit on older mainframe system, however password were properly hashed & they plan to remove the limit in the next year, which they did.

    34. dpkirchner ◴[19 Oct 24 20:08 UTC] No.41890386[source]
    Wait til you see what Fidelity does.. https://www.fidelity.com/customer-service/faqs-managing-your...

    > Usernames and passwords containing letters need to be translated to numbers to enter them in a Fidelity phone system (like FAST®, or if you call a representative). Use your telephone keypad to convert the letters to numbers. There is no case sensitivity. Substitute an asterisk (*) for all special characters. Here's an example:

    > To enter a username, e.g., Smith123, press or say 7-6-4-8-4-1-2-3

    > To enter a password, e.g., Lucky1$23, press or say 5-8-2-5-9-1-*-2-3

    replies(1): >>41911082 #
    35. 2close4comfort ◴[21 Oct 24 14:14 UTC] No.41904414[source]
    Agreed just because a company thinks my threat model doesn't require anything but letters and should be short enough to memorize, sure does not mean they are correct. Apple is collectively dumbing down complexity for selfish reasons and then not allowing you the user to change default complexity and length. Looks like the only problem they were trying to solve was reuse which might be a plus one for the Apple device population but I am not sure the trade off is really worth it. But hey it's free!
    36. brokenmachine ◴[22 Oct 24 03:56 UTC] No.41911046[source]
    I use a password manager but usually leave it set to lowercase, uppercase and numbers.

    Then you get my personal favorite, which is sites that force you to use symbols, but when you do, they say you've used illegal symbols, but don't even tell you what symbols they accept, or which of the ones you've used were illegal.

    37. brokenmachine ◴[22 Oct 24 04:02 UTC] No.41911082{3}[source]
    Lucky my password is very secure, "Èͧ¾÷øÏ¡þää£àèÀ¸Àþ¡ï×ÕÞ£¸«"