
430 points by tambourine_man | 6 comments

mr_mitm No.41879391
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wi-Fi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

replies(10): >>41879469 >>41879535 >>41879556 >>41879734 >>41879735 >>41880345 >>41880499 >>41881423 >>41881471 >>41883418
1. davedx No.41880499
I stumbled across a website (think it was a CRM or CMS, I’m evaluating a lot at the moment) that wouldn’t accept an Apple generated password the other day because it didn’t comply with their password strength rules. These days that’s the kind of thing that will make me choose a competitor product.
replies(2): >>41880665 >>41880866
2. echelon No.41880665
Ordinarily I'd agree with small companies not being informed enough on security best practices and agree with your point. Small companies shouldn't invent security on their own.

But there's something bigger here that stood out and that kind of makes me angry: Apple, a multi-trillion dollar company, is influencing people to stop using products by small companies and small teams.

It's stuff like this, stuff like requirements to "sign in / pay with Apple", and stuff like the green text boxes that make you have to fit everything to Apple and give them their dues.

I really wish we'd regulate or break up the big tech companies. Innovation has barriers to entry because of them.

Apple shouldn't be making their own password standard. They should work in an industry consortium to agree across the board, and they should put in the extra effort to tell users when websites may not comply with their new rules. It's not the website's fault that they didn't get the new and unannounced memo.

Add a new HTML password form property to indicate compliance with the standard before you go generating uncompliant passwords. Do a graceful migration. Stop beating up the little players.

I'm starting to think that neither Google nor Apple should be allowed to have their own web browsers. They're only using them as a means to deepen their platform reach and hobble up more control.

Pretty soon Apple and Google won't generate passwords at all. They'll deprecate the password field and mark it dangerous. Then it'll be an Apple passkey where companies will have to negotiate payment rates and won't be privileged to know their own customer.

replies(2): >>41881113 >>41885240
3. lathiat No.41880866
They do have a big list of exceptions for password rules, you can find more details here. Seems they are collaborating with some other password tools, so maybe at some point switching products won’t help? Not sure. Bitwarden seems to make no attempt at this currently: https://rmondello.com/2024/09/29/new-quirks-who-dis/ https://github.com/apple/password-manager-resources/blob/mai...

But you can also fix it yourself if it fails. How is detailed here: https://support.apple.com/en-au/guide/iphone/iphf9219d8c9/io...

replies(1): >>41882035
4. comex No.41881113
If Apple’s password manager required websites to indicate compliance before generating passwords for them, it would defeat the goal of a password manager to work with existing sites. It’s not like Apple invented the idea of a password manager.

Reasonable sites should already allow passwords of the sort Apple generates, because they tick the usual boxes (length, entropy, and the pointless at-least-one-uppercase/digit/punctuation requirement). Now, many websites are not reasonable and enforce even-more-pointless requirements. Apple tries to mitigate this with a hardcoded list of popular websites’ password policies [1], which is used to tailor password generation for those websites. To be fair, this approach doesn’t scale for smaller websites. But there’s not much more Apple could do. In any case, at this point websites have had many years to adapt to Apple’s password manager and its password style (which has not changed recently).

Accepting passkeys doesn’t cost money, and they’re based on a web standard. There are valid objections to passkeys but this ain’t it.

[1] https://github.com/apple/password-manager-resources/blob/mai...

5. realityking No.41882035
There's also some work to be able to indicate these rules via an HTML attribute but the work is a bit stalled.

https://www.stefanjudis.com/today-i-learned/safari-allows-to...

https://github.com/whatwg/html/issues/3518

Another cool feature Apple spearheaded was the ability for websites to indicate the change password page in standard manner: https://w3c.github.io/webappsec-change-password-url/

6. scarface_74 No.41885240
I don’t get this complaint. Apple’s password generation and quirks “database” is open source and anyone can use it and do a pull request.

https://github.com/apple/password-manager-resources/tree/mai...