
430 points tambourine_man | 1 comments
mr_mitm ◴[] No.41879391[source]
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

replies(10): >>41879469 #>>41879535 #>>41879556 #>>41879734 #>>41879735 #>>41880345 #>>41880499 #>>41881423 #>>41881471 #>>41883418 #
vbezhenar ◴[] No.41879734[source]
I, personally, use my own password generator to generate passwords using 10 lowercase ASCII characters excluding ilo. That's 45 bits of entropy or one year of brute forcing trying 1 million attempts per second. I consider that a reasonable strength for all but the most important websites.

The password generators that generate me 20 characters of different character classes are crazy.

replies(4): >>41879870 #>>41880224 #>>41880527 #>>41881418 #
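The entropy arithmetic behind the two comments above, as an added worked example (not code from the thread or from any password manager it mentions). The 1 million guesses per second rate is the figure the commenter uses; the size of the "Summer2024!"-style template and the 72-symbol mixed alphabet are constructed estimates, labelled as such in the code.

```python
# Added example: password entropy, brute-force time and "length needed"
# calculations. Attacker model and template sizes are assumptions.
import math
import secrets

LOWER = "abcdefghijklmnopqrstuvwxyz"
# The commenter's alphabet: lowercase minus the easily confused i, l and o.
LOWER_NO_ILO = "".join(c for c in LOWER if c not in "ilo")
# A constructed mixed-class alphabet (26 + 26 + 10 + 10 = 72 symbols).
MIXED = LOWER + LOWER.upper() + "0123456789" + "!@#$%^&*()"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from
    an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given rate (an attacker
    succeeds on average after about half of this)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_entropy(*choice_counts: int) -> float:
    """Entropy of a password built by filling a known template such as
    Word+Year+Symbol, where slot i is picked from `choice_counts[i]` options.
    Assumes the attacker knows the template (an assumption, not from the thread)."""
    return math.log2(math.prod(choice_counts))


def generate(alphabet: str, length: int) -> str:
    """Uniform random password; `secrets` uses the OS CSPRNG, not `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare() -> dict:
    """Numbers for the comparisons made in the thread."""
    # Ten random lowercase letters vs a dictionary-word template like
    # "Summer2024!". Template size is a constructed estimate: 10,000
    # capitalised common words x 100 plausible years x 10 trailing symbols.
    ten_lower = entropy_bits(len(LOWER), 10)
    template = pattern_entropy(10_000, 100, 10)
    # Ten symbols from the 23-letter alphabet, at 1M guesses per second.
    no_ilo = entropy_bits(len(LOWER_NO_ILO), 10)
    return {
        "ten_lowercase_bits": ten_lower,
        "word_year_symbol_bits": template,
        "no_ilo_bits": no_ilo,
        "no_ilo_years_at_1M_per_s": years_to_exhaust(no_ilo, 1e6),
        # Lowercase-only length that matches a 20-character password drawn
        # from the 72-symbol mixed alphabet.
        "lowercase_len_to_match_20_mixed": length_for_bits(
            len(LOWER), entropy_bits(len(MIXED), 20)
        ),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
    print("sample:", generate(LOWER_NO_ILO, 10))
```

Two things the numbers show: a 10-letter random lowercase string (about 47 bits) sits far above a known-template password like "Summer2024!" (about 23 bits under the constructed model) even though the latter is longer and passes complexity rules, and a 20-character mixed-class password is matched by 27 plain lowercase letters, so dropping special characters costs only a few extra keystrokes. Note that `years_to_exhaust` assumes an online-style rate of one million guesses per second; offline cracking of a poorly hashed database runs orders of magnitude faster, which is why the figure is only reasonable for "all but the most important" accounts.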
aniviacat ◴[] No.41879870[source]
KeepassXC allows you to customize its password generator according to your preferences.
replies(2): >>41880022 #>>41880097 #
seanw444 ◴[] No.41880097[source]
Love KeepassXC. Even if you don't want to go full offline, I think Bitwarden does the same.
replies(1): >>41881541 #
fencepost ◴[] No.41881541{3}[source]
Bitwarden's password generation is actually a little weak - it's great at generating random gibberish passwords, but it seems to be randomized at the character level so you'll get things like "Cq$ypWocG6Byp#" - hard to remember, hard to type. It lets you specify length, upper, lower, digits, (limited) special, minimum # of digits, minimum # of special, and "avoid ambiguous characters" but that's the extent of it. Even the ability to have it group character types would be helpful if you're ever going to be typing on mobile devices.

It also offers Passphrase generation using dictionary words plus digits and specials (as word separators). You can change the special character used, but it's not randomly chosen each time.

I'd love it if it had an option for pronounceable or syllable-based generation as described in the article.
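A generator that groups character classes into runs, as the comment above asks for, written here as an added example (not Bitwarden's code, and not the article's syllable scheme). It makes the trade-off explicit: grouping the classes in a fixed order is easier to type on a phone but gives up the entropy that the arrangement of classes would otherwise carry, and the code computes how many bits that is. The class sets, run order and the 10+2+2 spec are constructed for the example.

```python
# Added example: grouped-by-class password generation with its entropy cost
# made explicit. Class alphabets, run order and counts are constructed here.
import math
import secrets

CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "special": "!@#$%^&*",  # deliberately small, keyboard-friendly set
}
ORDER = ("lower", "upper", "digit", "special")  # fixed run order when grouped
_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle


def _run(name: str, count: int) -> str:
    return "".join(secrets.choice(CLASSES[name]) for _ in range(count))


def generate_grouped(spec: dict) -> str:
    """{"lower": 10, "digit": 2, "special": 2} -> ten letters, two digits,
    two specials, in that order: one keyboard switch per run on a phone."""
    return "".join(_run(name, spec.get(name, 0)) for name in ORDER)


def generate_shuffled(spec: dict) -> str:
    """Same class counts, but positions shuffled (per-character style)."""
    chars = list(generate_grouped(spec))
    _rng.shuffle(chars)
    return "".join(chars)


def entropy_grouped(spec: dict) -> float:
    """Runs come in a fixed order, so only the symbols inside each run are secret."""
    return sum(n * math.log2(len(CLASSES[name])) for name, n in spec.items())


def entropy_shuffled(spec: dict) -> float:
    """The classes are disjoint, so each string decodes to exactly one
    (arrangement, symbols) pair: add log2 of the multinomial coefficient."""
    total = sum(spec.values())
    arrangements = math.factorial(total)
    for n in spec.values():
        arrangements //= math.factorial(n)
    return entropy_grouped(spec) + math.log2(arrangements)


def entropy_per_char(length: int) -> float:
    """Every position uniform over the union of all classes (minimum-count
    rules ignored, which slightly overstates this figure)."""
    union = sum(len(s) for s in CLASSES.values())
    return length * math.log2(union)


def grouping_cost_bits(spec: dict) -> float:
    """Bits given up by fixing the run order instead of shuffling."""
    return entropy_shuffled(spec) - entropy_grouped(spec)


if __name__ == "__main__":
    spec = {"lower": 10, "digit": 2, "special": 2}
    print(generate_grouped(spec), generate_shuffled(spec))
    print(f"grouped   {entropy_grouped(spec):.1f} bits")
    print(f"shuffled  {entropy_shuffled(spec):.1f} bits")
    print(f"per-char  {entropy_per_char(sum(spec.values())):.1f} bits")
    # Grouping costs about 12.6 bits for this spec; three more lowercase
    # letters (about 14.1 bits) buy it back without another keyboard switch.
    print(f"cost      {grouping_cost_bits(spec):.1f} bits")
```

For the 14-character spec the grouped layout is worth about 59.6 bits, the shuffled one about 72.2, and a fully per-character draw over the same 70 symbols about 85.8. The point for a password manager's UI is that the ergonomic option need not be weaker: the lost bits are known exactly and can be paid for with a slightly longer lowercase run, which on a phone or TV remote is cheaper than the extra keyboard switches.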