
430 points tambourine_man | 3 comments
eviks (No.41879128)
Why not just use real words with longer password instead? That'd be easier to type than these shorter "word-like" syllables
replies(3): >>41879137 #>>41879148 #>>41879247 #
bombcar (No.41879137)
Even if horse-battery-staple works mathematically, people don't trust that it's "really random".

1Password supports it as "memorable password".

replies(3): >>41879184 #>>41879233 #>>41879327 #
david422 (No.41879233)
Here's a format I really like:

3CatsHave12Legs!

Easy to memorize, and pretty strong.

replies(4): >>41879283 #>>41879288 #>>41879303 #>>41879414 #
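The "works mathematically" claim above and the "pretty strong" claim for the 3CatsHave12Legs! template both come down to the same arithmetic, so here is an added worked example (my own code, not anything from 1Password or the thread) that computes passphrase entropy from the attacker's point of view: the template and word lists are assumed known, only the random picks are secret. The consonant/vowel counts for the "word-like syllable" model, the noun and verb list sizes for the sentence template, the 1e10 guesses/s rate and the eight-word sample list are all assumptions of mine, labelled as such in the code.

```python
import math
import secrets
from typing import Sequence


def pattern_bits(slot_sizes: Sequence[int]) -> float:
    """Entropy in bits of a secret assembled from independent slots, each a
    uniform random pick among slot_sizes[i] options. Attacker's-eye view: the
    template and the lists are known, only the picks are secret. Anything the
    generator did NOT pick at random (a fixed "!") contributes log2(1) = 0."""
    return sum(math.log2(n) for n in slot_sizes)


DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, five dice rolls per word


def diceware_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    return pattern_bits([list_size] * words)


def random_chars_bits(length: int, alphabet_size: int = 94) -> float:
    """94 = printable ASCII without the space character."""
    return pattern_bits([alphabet_size] * length)


def chars_needed(target_bits: float, alphabet_size: int = 94) -> int:
    """Random-character length that matches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# Assumed model of one pronounceable "word-like" syllable: consonant, vowel,
# consonant over 20 consonants and 6 vowels. Real generators differ.
SYLLABLE_SLOTS = [20, 6, 20]


def syllable_bits(syllables: int) -> float:
    return pattern_bits(SYLLABLE_SLOTS * syllables)


# Assumed attacker model of the "3CatsHave12Legs!" template: count 1-9, noun
# from a 1000-word list, verb from a 300-word list, number 1-99, noun again,
# fixed trailing "!" (0 bits). List sizes are illustrative, not measured, and
# a sentence that must also make sense has fewer valid fillings than this.
COUNT_NOUN_VERB_COUNT_NOUN = [9, 1000, 300, 99, 1000]


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the secret: half the space at the given rate."""
    return (2.0 ** bits) / 2 / guesses_per_second


# Constructed stand-in list. A real Diceware list has 7776 entries; with only
# 8 words each pick is worth 3 bits, so this generator is for illustration.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anchor", "kettle", "maple", "sprocket"]


def generate_passphrase(words: int, wordlist: Sequence[str] = SAMPLE_WORDS,
                        sep: str = "-") -> str:
    """Uniform CSPRNG picks: the only way the entropy figures above apply."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast, unsalted hash
    for label, bits in [
        ("4 Diceware words", diceware_bits(4)),
        ("6 Diceware words", diceware_bits(6)),
        ("4 CVC syllables (assumed model)", syllable_bits(4)),
        ("3CatsHave12Legs! template (assumed)", pattern_bits(COUNT_NOUN_VERB_COUNT_NOUN)),
        ("8 random printable chars", random_chars_bits(8)),
    ]:
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{label:38s} {bits:5.1f} bits  ~{days:9.3f} days at {rate:.0e} g/s")
    print("sample passphrase:", generate_passphrase(4))
```

Four Diceware words come out at about 51.7 bits, the same as eight random printable characters, which is the sense in which the long-real-words approach "works mathematically"; a six-word phrase clears 77 bits. The sentence template scores far lower under this model because most of its characters are not chosen at random. The guess rate is the other half of the estimate: against a slow, salted KDF the same bit counts buy orders of magnitude more time.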
mangodrunk (No.41879288)
Why mention memorizing passwords? Most people have dozens of passwords, and most people would have trouble memorizing even a simple word for dozens of passwords. I have a lot of trouble with those annoying security questions which one would assume would be constant and easy to answer.
replies(1): >>41882318 #
samatman (No.41882318)
Have you not memorized the password to your password manager?

How would that even work?

replies(1): >>41887328 #
gregjor (No.41887328)
FaceID or YubiKey
replies(1): >>41895663 #
samatman (No.41895663)
Ok, but if there isn't a high-entropy sequence of "something you know" somewhere in the system, you've created some pretty bad failure modes. 1Password requires a master password periodically, but can otherwise be unlocked by AppleID (presumably also true for secure-element biometrics on other platforms).

I maintain that a good secrets management system has a number of passwords which should be memorizable (and memorized) which is greater than zero. Possibly by only one element.

replies(1): >>41900679 #
gregjor (No.41900679)
Every password manager I know of, including Apple's, requires a strong password to unlock the vault. FaceID or YubiKey allow me to bypass typing that so often, but anyone trying to get into my accounts or password manager would have to know the strong password and get past the physical/biometric 2FA.
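The design point the last three comments circle around, that biometrics or a YubiKey gate access to a key the master password still derives, is easier to see in code. Here is an added model of that structure, written for this thread; it is not 1Password's or Apple's implementation. Assumptions of mine: scrypt at a demo-sized cost as the KDF, an HMAC-SHA256 keystream plus tag standing in for a real AEAD so the block needs only the standard library, an in-memory cache standing in for the secure element, and a made-up "three biometric unlocks before re-prompting" policy.

```python
import hashlib
import hmac
import os
import secrets

# Demo-sized scrypt cost (assumed). Production vaults use far higher cost or
# Argon2id: this KDF is what an attacker who steals the vault file must grind
# through once per master-password guess.
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1


def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the 'something you know'."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=KDF_N, r=KDF_R, p=KDF_P, dklen=32,
                          maxmem=64 * 1024 * 1024)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream and HMAC tag: a stdlib stand-in
    for AES-GCM / XChaCha20-Poly1305, used only so this runs without packages."""
    nonce = os.urandom(16)
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """On disk: salt + wrapped vault key. Biometric / hardware-key unlock never
    recreates the vault key; it only releases a copy cached after a successful
    master-password unlock, and only a limited number of times."""
    BIOMETRIC_UNLOCKS_BEFORE_PASSWORD = 3  # hypothetical policy, not any product's

    def __init__(self, master_password: str):
        self.salt = os.urandom(16)
        vault_key = secrets.token_bytes(32)  # random, independent of the password
        self.wrapped_vault_key = wrap(derive_kek(master_password, self.salt), vault_key)
        self._cached_key = None  # stands in for a secure-element-held copy
        self._biometric_unlocks = 0

    def unlock_with_password(self, master_password: str) -> bytes:
        key = unwrap(derive_kek(master_password, self.salt), self.wrapped_vault_key)
        self._cached_key, self._biometric_unlocks = key, 0
        return key

    def unlock_with_biometric(self, presence_verified: bool) -> bytes:
        if not presence_verified:
            raise PermissionError("biometric / hardware-key check failed")
        if self._cached_key is None:
            raise PermissionError("no cached key: master password required")
        if self._biometric_unlocks >= self.BIOMETRIC_UNLOCKS_BEFORE_PASSWORD:
            raise PermissionError("periodic re-authentication: master password required")
        self._biometric_unlocks += 1
        return self._cached_key

    def reboot(self) -> None:
        """Restart or forced lock: the cached copy is gone, only the blob remains."""
        self._cached_key = None


def demo() -> dict:
    """Walk the unlock paths and report which succeed (constructed password)."""
    v = Vault("correct-horse-battery-staple")
    key = v.unlock_with_password("correct-horse-battery-staple")
    r = {"biometric_after_password": v.unlock_with_biometric(True) == key}
    v.reboot()
    try:
        v.unlock_with_biometric(True)
        r["biometric_after_reboot"] = True
    except PermissionError:
        r["biometric_after_reboot"] = False
    try:
        v.unlock_with_password("wrong-password")
        r["wrong_password"] = True
    except ValueError:
        r["wrong_password"] = False
    v.unlock_with_password("correct-horse-battery-staple")
    count = 0
    try:
        while True:
            v.unlock_with_biometric(True)
            count += 1
    except PermissionError:
        pass
    r["biometric_unlocks_before_reprompt"] = count
    return r


if __name__ == "__main__":
    print(demo())
```

The two failure modes samatman alludes to fall out directly: after a reboot the biometric path has nothing to release, and a wrong master password fails the tag check rather than decrypting to garbage, so someone holding the device and the vault file still has to supply the memorized secret. A real product would hold the cached key in hardware, apply rate limiting to both paths and use a vetted AEAD in place of the HMAC stream.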