430 points tambourine_man | 8 comments
mr_mitm ◴[] No.41879391[source]
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

replies(10): >>41879469 #>>41879535 #>>41879556 #>>41879734 #>>41879735 #>>41880345 #>>41880499 #>>41881423 #>>41881471 #>>41883418 #
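The entropy arithmetic behind the comment above, as an added example (not the commenter's code): bits of entropy for a uniformly random password are length × log2(alphabet size), so the script computes how many extra lowercase characters are needed to match a same-length password drawn from a larger character set. The "pattern model" for a password like "Summer2024!" (a common word, a plausible year, a trailing symbol, with assumed dictionary sizes) is an assumption used only to show that structure, not character count, sets the guess space.

```python
import math
import secrets
import string

# Bits of entropy for a password of `length` symbols drawn uniformly at random
# from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
def bits_of_entropy(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Shortest length over `alphabet_size` symbols that reaches `target_bits`.
def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    return math.ceil(target_bits / math.log2(alphabet_size))

# Extra characters a password over `dst_alphabet` symbols needs to match a
# `src_length` password drawn uniformly from `src_alphabet` symbols.
def extra_chars_to_match(src_alphabet: int, src_length: int, dst_alphabet: int) -> int:
    target = bits_of_entropy(src_alphabet, src_length)
    return length_for_bits(dst_alphabet, target) - src_length

# Rough entropy of a pattern password such as "Summer2024!" under an ASSUMED
# attacker model: one of ~5000 common capitalized words, one of ~30 plausible
# years, one of ~10 common trailing symbols. Illustrative numbers only.
def pattern_password_bits(words: int = 5000, years: int = 30, symbols: int = 10) -> float:
    return math.log2(words) + math.log2(years) + math.log2(symbols)

# Lowercase-only generator using the CSPRNG from `secrets`, never `random`.
def generate_lowercase(length: int) -> str:
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))

if __name__ == "__main__":
    alphabets = [("lowercase", 26), ("lower+digits", 36),
                 ("mixed+digits", 62), ("printable ASCII", 95)]
    for name, size in alphabets:
        print(f"{name:16s} 10 chars: {bits_of_entropy(size, 10):5.1f} bits; "
              f"lowercase needs +{extra_chars_to_match(size, 10, 26)} chars to match")
    print(f"'Summer2024!' under the pattern model: ~{pattern_password_bits():.1f} bits")
    print("example lowercase password:", generate_lowercase(12))
```

Ten random lowercase letters give about 47 bits; matching a ten-character lower+digit or mixed-case+digit password costs one or three extra lowercase letters respectively, which is the "one or two characters" trade-off from the comment. The check a generator should make is on those bits, not on which classes happen to be present.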
Terretta ◴[] No.41880345[source]
> The usual advice about character classes is only for casual users who don't know what makes a secure password.

Arguably, it was to make early rainbow tables less feasible.

> if you are already generating the password, please do not include special characters.

This would make your generator useless on most sites. Since it's not the generator making up this rule, it's the web site's password "complexity" requirements.

I do agree password strength tests should just measure bits of entropy and allow whatever's typed that's high enough.

replies(5): >>41880400 #>>41880402 #>>41880520 #>>41881041 #>>41885295 #
aftbit ◴[] No.41880400[source]
I like to subvert those sites by just adding A1! to the end of every otherwise totally lower-case password.

There is a special place in hell for anyone who creates a maximum password length limit, however. That prevents passphrases and gains nothing. If you're working with some weird legacy system that can't handle long passwords (worst way: just truncating them and matching the first 8 characters), then add Argon2 or heck even SHA where you otherwise add the password length check.

replies(10): >>41880465 #>>41880795 #>>41881107 #>>41881775 #>>41881909 #>>41881991 #>>41887626 #>>41888547 #>>41904414 #>>41911046 #
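The "hash instead of truncate" fix from the comment above, as an added example (not the commenter's code). It assumes a hypothetical legacy field of 8 characters and uses SHA-256 only because it is in the standard library; the fitted value should still go through the system's real password hash afterwards. The point it demonstrates: raw truncation makes two passphrases that share a prefix indistinguishable, while pre-hashing the full password does not.

```python
import base64
import hashlib

LEGACY_MAX = 8  # hypothetical width of the legacy password field (assumption)

# The behaviour the comment warns about: keep only the first max_len characters.
def legacy_truncate(password: str, max_len: int = LEGACY_MAX) -> str:
    return password[:max_len]

# Hash the whole password first, then fit the digest into the legacy field.
# Base64 keeps the value printable and free of NUL bytes, so it survives
# C-string style storage; 8 base64 chars retain 48 bits of the digest, which
# is far from ideal but, unlike truncation, still depends on every input byte.
def prehash_to_fit(password: str, max_len: int = LEGACY_MAX) -> str:
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    encoded = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:max_len]

# Do two different passwords become the same value under `fn`?
def same_under(fn, a: str, b: str) -> bool:
    return fn(a) == fn(b)

if __name__ == "__main__":
    a, b = "correct horse battery staple", "correct horse"
    print("truncation collides:", same_under(legacy_truncate, a, b))
    print("pre-hash collides:  ", same_under(prehash_to_fit, a, b))
    print("fitted value:", prehash_to_fit(a))
```

The same wrapping is routinely put in front of bcrypt, which silently ignores everything past 72 bytes; there too the pre-hash must be encoded (base64 or hex) rather than passed as raw digest bytes, because a NUL byte in the digest would truncate the input again.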
mingus88 ◴[] No.41880465[source]
When I am forced to rotate an otherwise good password, I swap the suffix to the front of the password

If they have some perverse check to make sure I am not re-using one of my last X passwords I just rotate in another permutation like A2!

replies(2): >>41880661 #>>41882312 #
1. ziddoap ◴[] No.41880661[source]
This is the exact reason why NIST, for the better part of a decade now, has strictly recommended against arbitrary password rotations. All it accomplishes is frustration for users with no tangible increase in security (because everyone just increments their password, or follows other simple patterns).

Some research suggests that arbitrary password rotations result in a real-world decrease in security, because as users get frustrated they make simpler and simpler passwords.

replies(3): >>41881060 #>>41882148 #>>41885930 #
2. Vegenoid ◴[] No.41881060[source]
I worked in IT at a tech company that had mandatory 90-day password rotations. That place had the highest rate of “password on sticky note” that I’ve ever seen.
replies(3): >>41883755 #>>41884369 #>>41888035 #
3. stevekemp ◴[] No.41882148[source]
My memory is that PCI regulations require password rotation every 90 days - also that the minimum password length should be seven characters, not the eight I always answer when quizzed.
replies(1): >>41887132 #
4. sebastiennight ◴[] No.41883755[source]
On the tenth call to my bank in the same year to reset one of our user passwords, the account rep just volunteered to them the information that "there is an option you can check on an obscure settings page to NOT have the mandatory password rotation, you know".
5. alexwasserman ◴[] No.41884369[source]
At a bank back in the Blackberry days they were handed out with Qwerty1 as the default password. Just incrementing the digit would get you into 80%+ devices in the firm.
6. davkan ◴[] No.41885930[source]
If I remember correctly they only recommend against password rotation when MFA is in place, which is significantly more important anyway.
7. batch12 ◴[] No.41887132[source]
PCI DSS 4.0[0] requirement 8.3.9 updates this to 12 characters and only requires rotation if the password is the only factor used for authentication.

[0] https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard...

8. InfamousRece ◴[] No.41888035[source]
I worked for a financial company that had 29 day password rotation. One day I accidentally logged in as my colleague. Our user names differed by just one letter so I simply mistyped. It turned out we used the same password scheme to keep up with the rotation and stupid special character requirements.