
430 points tambourine_man | 10 comments
mr_mitm ◴[] No.41879391[source]
I'm glad someone is thinking about UX and ergonomics when it comes to passwords. Most people I interact with have by now realized that generating passwords is a good idea. But if you are already generating the password, please do not include special characters. I regularly use different keyboard layouts (sometimes it is not even clear which layout is active, like in the vSphere web console), and the fact that passwords are often not shown on the screen when typing them makes for terrible UX and causes frustration.

The usual advice about character classes is only for casual users who don't know what makes a secure password. Entropy is the deciding factor: Ten random lower case letters is much more secure than "Summer2024!", which satisfies most password rules and has more characters.

Personally I stick to lower case letters for things like my Netflix password or Wifi key, because typing with a TV remote can be a huge pain. To keep a similar entropy, just increase the length by one or two characters.

replies(10): >>41879469 #>>41879535 #>>41879556 #>>41879734 #>>41879735 #>>41880345 #>>41880499 #>>41881423 #>>41881471 #>>41883418 #
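Added example (not part of the comment above, and not code from any password manager): the arithmetic behind "entropy is the deciding factor" and "increase the length by one or two characters". For a uniformly random string the entropy is length times log2(alphabet size), so it is easy to compute how many extra lowercase letters compensate for dropping the other character classes. The 94-symbol printable alphabet and the generator are my assumptions, not something the commenter specified.

```python
import math
import secrets
import string

# Alphabets used for the comparison (assumed; the comment does not fix these).
LOWER = string.ascii_lowercase                                   # 26 symbols
ALNUM = string.ascii_letters + string.digits                     # 62 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def bits_for_random(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a string of `length` symbols drawn uniformly at random.

    This only applies to *random* strings. A pattern such as Summer2024!
    is drawn from a tiny space (season + year + one symbol), so its real
    entropy is far below what this formula would give for 11 mixed characters.
    """
    return length * math.log2(alphabet_size)


def equivalent_length(length: int, from_size: int, to_size: int) -> int:
    """Smallest length over an alphabet of `to_size` symbols that has at least
    the entropy of `length` random symbols from an alphabet of `from_size`."""
    target_bits = bits_for_random(length, from_size)
    return math.ceil(target_bits / math.log2(to_size))


def generate(length: int, alphabet: str = LOWER) -> str:
    """Generate a password with the `secrets` CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"10 random lowercase letters: {bits_for_random(10, 26):.1f} bits")
    print(f"10 random mixed characters:  {bits_for_random(10, 94):.1f} bits")
    # How long a lowercase-only password must be to match each case:
    print("lowercase equivalent of 10 alnum chars:", equivalent_length(10, 62, 26))
    print("lowercase equivalent of 10 mixed chars:", equivalent_length(10, 94, 26))
    print("example lowercase password:", generate(equivalent_length(10, 94, 26)))
```

Running it shows that ten random lowercase letters are about 47 bits, and that matching ten fully mixed characters takes fourteen lowercase ones, a password that is still far easier to type on a remote or an unfamiliar keyboard layout.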
Terretta ◴[] No.41880345[source]
> The usual advice about character classes is only for casual users who don't know what makes a secure password.

Arguably, it was to make early rainbow tables less feasible.

> if you are already generating the password, please do not include special characters.

This would make your generator useless on most sites. Since it's not the generator making up this rule, it's the web site's password "complexity" requirements.

I do agree password strength tests should just measure bits of entropy and allow whatever's typed that's high enough.

replies(5): >>41880400 #>>41880402 #>>41880520 #>>41881041 #>>41885295 #
aftbit ◴[] No.41880400[source]
I like to subvert those sites by just adding A1! to the end of every otherwise totally lower-case password.

There is a special place in hell for anyone who creates a maximum password length limit, however. That prevents passphrases and gains nothing. If you're working with some weird legacy system that can't handle long passwords (worst way: just truncating them and matching the first 8 characters), then add Argon2 or heck even SHA where you otherwise add the password length check.

replies(10): >>41880465 #>>41880795 #>>41881107 #>>41881775 #>>41881909 #>>41881991 #>>41887626 #>>41888547 #>>41904414 #>>41911046 #
1. bsimpson ◴[] No.41881909[source]
I remember being shocked when I realized that Charles Schwab, a bank that manages untold illions of dollars, was ignoring everything after the 8th character in their passwords. This was still true until a few years ago.
replies(5): >>41882544 #>>41882605 #>>41883625 #>>41888902 #>>41890386 #
2. jp191919 ◴[] No.41882544[source]
Transunion (credit reporting agency) does this, but after the 15th character.
3. happymellon ◴[] No.41882605[source]
As did HSBC.
4. doubled112 ◴[] No.41883625[source]
A bunch of the Canadian banks too. TD Canada Trust I can personally confirm.
replies(1): >>41884331 #
5. astrange ◴[] No.41884331[source]
This is a sign they're storing it unhashed on a mainframe system. Airlines also do it.
replies(1): >>41885120 #
6. KMnO4 ◴[] No.41885120{3}[source]
That’s not true. You can hash the truncated version.
replies(1): >>41885385 #
7. computerfriend ◴[] No.41885385{4}[source]
The desire to truncate comes from wanting to store smaller fields in the database.
8. myrandomcomment ◴[] No.41888902[source]
I remember this. I had enough funds with them at the time (and I am also in tech so I insisted on a technical explanation) that I was able to speak with their security team about the reason for the limit and when it would be fixed. It has been fixed and they require 2FA now (however they require a very specific app for it). Overall my experience with them over the last 10 years has been good.

TLDR; limit on older mainframe system, however passwords were properly hashed & they plan to remove the limit in the next year, which they did.

9. dpkirchner ◴[] No.41890386[source]
Wait til you see what Fidelity does.. https://www.fidelity.com/customer-service/faqs-managing-your...

> Usernames and passwords containing letters need to be translated to numbers to enter them in a Fidelity phone system (like FAST®, or if you call a representative). Use your telephone keypad to convert the letters to numbers. There is no case sensitivity. Substitute an asterisk (*) for all special characters. Here's an example:

> To enter a username, e.g., Smith123, press or say 7-6-4-8-4-1-2-3

> To enter a password, e.g., Lucky1$23, press or say 5-8-2-5-9-1-*-2-3

replies(1): >>41911082 #
10. brokenmachine ◴[] No.41911082[source]
Lucky my password is very secure, "Èͧ¾÷øÏ¡þää£àèÀ¸Àþ¡ï×ÕÞ£¸«"