
macrumors bot
Original poster


Apple today informed developers that it has launched a new open source project that's designed to let those who develop password management apps create strong passwords compatible with popular websites.

[Image: 1passwordgenerate.jpg]

The new Password Manager Resources open source project allows password management apps to integrate website-specific requirements used by the iCloud Keychain password manager to generate strong, unique passwords.
Many password managers generate strong, unique passwords for people, so that they aren't tempted to create their own passwords by hand, which leads to easily guessed and reused passwords. Every time a password manager generates a password that isn't actually compatible with a website, a person not only has a bad experience, but a reason to be tempted to create their own password. Compiling password rule quirks helps fewer people run into issues like these while also documenting that a service's password policy is too restrictive for people using password managers, which may incentivize the services to change.
The project also features a collection of websites known to share a sign-in system, links to website pages where users can change passwords, and more, with full details available on GitHub.

Apple says that having password managers collaborate on resources like password rules and change password URLs allows all password management apps to improve their quality with less work, plus it encourages websites to use standards or emerging standards to improve their compatibility with password managers.

Article Link: Apple Launches Open Source Project to Let Password Management Apps Create Strong Passwords
 
The thing I’d really like to see is password generation in safari for 3rd party apps.

It’s a bit of a pain to create new accounts in 1Password with the proper url. You have to go back and forth between the app and 1Password a time or two. It’d be nice if it was more streamlined for 3rd party apps kind of like it is for keychain.
 
There's still going to be (and are) plenty of websites that create their own stupid password rules with which no password manager that generates strong passwords will be able to comply. People are still going to have to roll their own, kinda taking away the spark of this project. But at least it's a step in the right direction.
 
There's still going to be (and are) plenty of websites that create their own stupid password rules with which no password manager that generates strong passwords will be able to comply. People are still going to have to roll their own, kinda taking away the spark of this project. But at least it's a step in the right direction.
Why?

As soon as someone identifies a site with weird rules, someone can build that into the open source project.
 
There's still going to be (and are) plenty of websites that create their own stupid password rules with which no password manager that generates strong passwords will be able to comply. People are still going to have to roll their own, kinda taking away the spark of this project. But at least it's a step in the right direction.
From the way I read it, that is the goal of this project. Once enough password managers add this feature, it should not matter (from a password generation POV), what the requirements are. The password manager will know BEFORE it generates a password.

Take an example from one of the existing websites in the password-rules.json:

According to the JSON, bhphotovideo.com has a requirement of a password max length of 15 characters. Pretend you go to that website and attempt to create an account. You use the Password Generator in Safari (or any password manager); BEFORE the password generator attempts to create a complex password, it reads the JSON and finds the bhphotovideo.com URL. It then reads the requirements (max length 15). It immediately creates a password that fits that requirement, regardless of what your defaults are. No action needed on your part to manually change the requirements (which may not be obvious on the webpage).

The key is (a) the list of password requirements is kept up to date. Since this is published on GitHub, anyone can make a PULL request to update. I wonder what Apple's merge requirements are going to be.

(b) Password managers integrate this into their workflow.
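How that lookup-then-generate flow might work in code, as an added example (not the project's code, nor anything Apple ships): the rules JSON below is constructed in the shape of password-rules.json using the passwordrules property syntax (minlength, maxlength, required, allowed), and only the 15-character maximum for bhphotovideo.com is taken from the post above. The generator clamps its preferred length to the site's bounds and guarantees every required class before it ever shows the user a password.

```python
import json
import re
import secrets
import string
# Constructed sample in the shape of the project's password-rules.json; only the
# 15-character maximum for bhphotovideo.com comes from the post above.
SAMPLE_RULES_JSON = json.dumps({
    "bhphotovideo.com": {"password-rules":
        "minlength: 8; maxlength: 15; required: lower; required: upper; required: digit;"},
    "example.test": {"password-rules": "minlength: 12; allowed: lower, upper, digit; allowed: [@#%];"},
})
NAMED_CLASSES = {"lower": set(string.ascii_lowercase), "upper": set(string.ascii_uppercase),
                 "digit": set(string.digits), "ascii-printable": set(string.printable.strip())}

def _char_classes(value):  # 'lower, upper, [@#%]' -> one set of characters
    return set().union(*(set(t[1:-1]) if t.startswith("[") else NAMED_CLASSES[t]
                         for t in re.findall(r"\[[^\]]*\]|[a-z-]+", value)))

def parse_rules(text):
    """Parse a 'password-rules' string (the HTML passwordrules syntax) into a dict."""
    rules = {"minlength": 1, "maxlength": None, "required": [], "allowed": set()}
    for prop in filter(None, (p.strip() for p in text.split(";"))):
        name, value = (s.strip() for s in prop.split(":", 1))
        if name in ("minlength", "maxlength"):
            rules[name] = int(value)
        elif name == "required":
            rules["required"].append(_char_classes(value))
        elif name == "allowed":
            rules["allowed"] |= _char_classes(value)
    for req in rules["required"]:  # required classes are implicitly allowed
        rules["allowed"] |= req
    if not rules["allowed"]:  # nothing listed: any printable ASCII is fine
        rules["allowed"] = NAMED_CLASSES["ascii-printable"]
    return rules

def generate_password(rules, preferred_length=20):
    """Clamp the preferred length to the site's bounds, then satisfy every required class."""
    length = max(rules["minlength"], preferred_length)
    if rules["maxlength"] is not None:
        length = min(length, rules["maxlength"])
    if len(rules["required"]) > length:
        raise ValueError("more required classes than the maximum length allows")
    chars = [secrets.choice(sorted(cls)) for cls in rules["required"]]
    chars += [secrets.choice(sorted(rules["allowed"])) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # required chars must not sit in fixed positions
    return "".join(chars)

def generate_for_site(host, rules_json, preferred_length=20):  # look the host up first
    entry = json.loads(rules_json).get(host, {})
    return generate_password(parse_rules(entry.get("password-rules", "")), preferred_length)
```

A host missing from the file falls back to the generator's own defaults, which is exactly the case where a site's undocumented quirk can still reject the result.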
 
There's still going to be (and are) plenty of websites that create their own stupid password rules with which no password manager that generates strong passwords will be able to comply. People are still going to have to roll their own, kinda taking away the spark of this project. But at least it's a step in the right direction.

True. PayPal uses a restricted number of special characters (because it is safer so, they say), so it is not possible to use the Apple built-in password generator. No comment.
 
There's still going to be (and are) plenty of websites that create their own stupid password rules with which no password manager that generates strong passwords will be able to comply. People are still going to have to roll their own, kinda taking away the spark of this project. But at least it's a step in the right direction.

Maybe it's just you; I had no trouble on any sites I registered with over, what... the last >5 years.

Note: My passwords are long, similar to this..."1A%9BGd#@)M3?+V"
 
It would be great if websites would have some consistency in their input validation and database schemas. I know one company that allows almost every special character but a comma, and the error message doesn't tell you which special character is the disallowed one. I used 1Password and had to go through the generated password and remove each special character one by one to figure out which one was problematic.
"Hrm, octothorpe? Nope. Modulus? Nope. Pipe? Nope. Asterisk? Nope. Greater-than symbol? Nope. That just leaves the comma. What?! Seriously?"
It really is an awful experience and I can see why other users would resort to weak and/or reused passwords.
I've seen other sites with very specific character length guidelines and other weird combinations. One site, which has since updated to something more secure, even once required 8-15 characters, letters and numbers only. If I were trying to brute force or guess a potentially weak password, wouldn't that make the dictionary size much smaller and thus easier to crack?
 
Maybe it's just you; I had no trouble on any sites I registered with over, what... the last >5 years.

Note: My passwords are long, similar to this..."1A%9BGd#@)M3?+V"
I have this issue too, and recently. I know the passwords for the state where I live are very picky.

Someone just said this too:
True. PayPal uses a restricted number of special characters (because it is safer so, they say), so it is not possible to use the Apple built-in password generator. No comment.
 
Any reason why the article shows the password generator from 1Password without references? :)
1Password is "the gold standard" for password creation & encryption. Apple may be on the verge of a buy out here. I LOVE 1Password!
My Mac sometimes generates strong passwords that don't even work with the sites...
Further proof why you have to READ the details about password creation for each site. That's where 1Password allows YOU 100% control. It rocks!
 
Oh! And then there was the Amazon weirdness that they may or may not have fixed yet. Long PWM-generated password that works great on their site. Try to use my PWM to log in to the Kindle app and it keeps failing. Lots of trial and error to find out the Kindle app truncates the password length. Emailed them about it, but I'm sure support just sent it to the circular file.
Anyway, had to shorten my password to... 20 characters if I remember correctly. Still really secure, but once again not the sort of thing an average user would subject themselves to figuring out.
 
Why?

As soon as someone identifies a site with weird rules, someone can build that into the open source project.

Yes, someone will do this the very instant you're trying to register the account to buy the widget you've put in your basket before the cookie times out.
 
Let's be honest, if Apple cared that much about collaboration on this they'd let you insert passwords into password apps rather than just read from them.

I use LastPass, but the integration on Android is far better, where you can save credentials into the app natively rather than just read them.
 
Sure. Give hackers the open source code to help people generate passwords. What can go wrong? :rolleyes:

Openness enables collaboration. Black boxes maintained by a single company aren't usually the best method for strong security. I want security that shows you exactly what its doing, has been vetted by a community of security experts, and dares the hackers to break it.
 
Yes, someone will do this the very instant you're trying to register the account to buy the widget you've put in your basket before the cookie times out.
Way to take my comment out of context. He said "no password manager WILL BE able to comply." Future tense. No immediacy required.
Sure. Give hackers the open source code to help people generate passwords. What can go wrong? :rolleyes:

How would that possibly help a hacker? A repository of what websites have what password rules is somehow going to magically enable someone to know your particular 16-digit random string of alphanumeric characters?
 
Maybe it's just you; I had no trouble on any sites I registered with over, what... the last >5 years.

Note: My passwords are long, similar to this..."1A%9BGd#@)M3?+V"

Not just him. I run into this problem fairly regularly. There are a good amount of sites that don’t accept Apple’s format and it’s always a problem because Apple won’t let you change the password constraints. The fact that they’re doing this program is a strong indicator that this is a common occurrence in any case.

Very pleased that they're finally working to address this.
 
My Mac sometimes generates strong passwords that don't even work with the sites...
Congratulations, you hit the point of the article and the point of the project directly on center.
Not just him. I run into this problem fairly regularly. There are a good amount of sites that don’t accept Apple’s format and it’s always a problem because Apple won’t let you change the password constraints. The fact that they’re doing this program is a strong indicator that this is a common occurrence in any case.

Very pleased that they're finally working to address this.
You certainly visit different sites than I do; it has been years since the Apple password suggestion has failed for me.
 
Maybe it's just you; I had no trouble on any sites I registered with over, what... the last >5 years.

Note: My passwords are long, similar to this..."1A%9BGd#@)M3?+V"

Mine too. I have been using SplashID Safe and it can generate some crazy ass passwords. The problem is, if I can't copy and paste, then it can suck.
The thing I’d really like to see is password generation in safari for 3rd party apps.

It’s a bit of a pain to create new accounts in 1Password with the proper url. You have to go back and forth between the app and 1Password a time or two. It’d be nice if it was more streamlined for 3rd party apps kind of like it is for keychain.

That does not sound very secure to me...maybe it's just me.
 
The thing I’d really like to see is password generation in safari for 3rd party apps.

It’s a bit of a pain to create new accounts in 1Password with the proper url. You have to go back and forth between the app and 1Password a time or two. It’d be nice if it was more streamlined for 3rd party apps kind of like it is for keychain.

Exactly. The only reasons I ever re-use passwords now are because the sites are not very sensitive and it's a pain to generate the pass in LastPass when in Mobile Safari. It's of course easy to do it with Apple Keychain, but 100% of the computers I use on a daily basis are not macOS or iOS, so Keychain is a non-starter. I don't care much about a password manager that I can only use 50% of the time.

For my own personal usage, if Apple was trying to address the lowest-hanging fruit (or do the least work for the most impact), letting me use my password manager of choice to generate passwords would be a far bigger benefit.
 