
430 points tambourine_man | 3 comments
calgoo ◴[] No.41879171[source]
I always liked the 1Password word passwords… you select the number of words and it generates each word in upper OR lowercase, and connects them with symbols or numbers. Easy to memorize, and better than KeePass or others that use more fixed formats: same characters between words and words are just in title format where the first letter is upper case and rest is lowercase.
jorvi ◴[] No.41879408[source]
The problem is that many sites still use archaic password rules.

1Password should by default just always capitalize one word, and add “1” at the end of the memorable password. Since the words are separated by “-” or “.”, you already hit the “at least one symbol” rule.

dark-star ◴[] No.41879566[source]
I especially like sites that disallow pasting into password fields.... Yes, that is apparently a thing, especially for banking or finance-related sites (from my experience)
yojo ◴[] No.41879659[source]
For a while, the login for TreasuryDirect (the gov site for buying US bonds) disabled paste and typing! It required you to click out your password on an onscreen keyboard.

I pity the folks who don’t know how to use dev tools.

1. nytesky ◴[] No.41880725[source]
You buried the lead there:

A required on-screen keyboard with RANDOM GENERATED LAYOUT.

2. jakub_g ◴[] No.41902283[source]
For whoever is interested, IIRC, this requirement of random layout came up in late 2000/early 2010 due to:

- keyloggers (safer to click instead of type -> on-screen keyboard then)

- but then it turned out Internet Explorer had a bug which allowed attackers to read the mouse click events' X/Y coordinates in other windows which then could be mapped to the on-screen keyboard digits if the layout is predictable

3. brokenmachine ◴[] No.41911277[source]
ING Bank Australia still does that.

And it also makes my laptop's fan spin up for about 5 seconds on the page load or reload. No idea WTF they're doing - cryptomining?

https://www.ing.com.au/securebanking/

My password manager appears to type the access code successfully, but you can't click on login until you click on the stupid keypad.