430 points tambourine_man | 1 comments
mr_mitm No.41879391
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

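As an added example (not from the thread), the script below works out the entropy arithmetic behind the comment above: bits per character for each alphabet, the lowercase length that matches a shorter mixed-class password, and a CSPRNG generator for a chosen alphabet and entropy target. It assumes every character is drawn uniformly at random from the alphabet; the alphabet names are the example's own.

```python
import math
import secrets
import string

# Alphabet size matters only through log2(size), so a few extra lowercase
# characters recover what dropping the other character classes gives up.
ALPHABETS = {
    "lower": string.ascii_lowercase,                                         # 26 symbols
    "lower+digits": string.ascii_lowercase + string.digits,                  # 36 symbols
    "alnum": string.ascii_letters + string.digits,                           # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def bits_per_symbol(alphabet: str) -> float:
    """Entropy contributed by one uniformly random symbol from `alphabet`."""
    return math.log2(len(set(alphabet)))


def password_bits(alphabet: str, length: int) -> float:
    """Entropy (bits) of a uniformly random password of `length` symbols."""
    return length * bits_per_symbol(alphabet)


def length_for_bits(alphabet: str, target_bits: float) -> int:
    """Smallest length at which a random password from `alphabet` reaches `target_bits`.

    The tiny epsilon keeps floating-point noise (e.g. 10.000000000000002) from
    rounding an exact match up to one extra character.
    """
    return math.ceil(target_bits / bits_per_symbol(alphabet) - 1e-9)


def equivalent_length(src_alphabet: str, src_length: int, dst_alphabet: str) -> int:
    """Length in `dst_alphabet` that matches a random `src_length` password from `src_alphabet`."""
    return length_for_bits(dst_alphabet, password_bits(src_alphabet, src_length))


def generate(alphabet: str, target_bits: float) -> str:
    """Random password from `alphabet` with at least `target_bits` of entropy (uses the OS CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length_for_bits(alphabet, target_bits)))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        print(f"{name:13s} {bits_per_symbol(alphabet):5.2f} bits/char, "
              f"12 chars = {password_bits(alphabet, 12):5.1f} bits")
    # How long must a lowercase-only password be to match 12 printable-ASCII characters?
    print("lowercase length matching 12 printable chars:",
          equivalent_length(ALPHABETS["printable"], 12, ALPHABETS["lower"]))
    print("example lowercase password with >= 64 bits:", generate(ALPHABETS["lower"], 64))
```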
lhamil64 No.41879535
How often do people actually end up typing these random passwords though? Personally, I almost always can copy/paste or autofill. For devices like TVs, it seems like many of them let you pair via a QR code or other mechanism. And sure, there are times where you need to manually type a password, and for those specific cases you can use a different scheme (like avoiding special characters or using something like Diceware https://diceware.dmuth.org/) but I wouldn't go so far as to never include special characters. IMO if you expect to always be able to autofill, use as many character classes as possible.
mr_mitm No.41879604
Well, I do it a lot. I do consulting in IT security and go through the onboarding process of a different company 15 times a year. My customers and co-workers are often security conscious and sometimes give me passwords like RC-A"c\EJe,0l@q. I prefer the US layout but live in Germany, so there is often a mismatch between my physical keyboard and the system I'm typing on, which causes me great frustration. Typing in the LUKS password of a VMware machine via vSphere web console does not allow copy/paste, neither does logging in to a physical device provided by the customer.

I realize I'm far from a typical use case, which is why I'm so glad when people consider password ergonomics. It makes life easier for me and does not make it harder for anyone else.

aftbit No.41880414
I do something like this surprisingly often when dealing with iDRAC/IPMI/etc:

    sleep 3; xdotool type "abc123"
didsomeonesay No.41880654
... and now the password is stored unencrypted in your bash history.
mmh0000 No.41880861
Use the `read` method the other poster said, or ensure HISTCONTROL is set and then prepend a space to commands that contain secrets.

  $ export HISTCONTROL=ignoreboth
  $  echo 'supersecret' | whatever