The thing I’d really like to see is password generation in safari for 3rd party apps.

It’s a bit of a pain to create new accounts in 1Password with the proper url. You have to go back and forth between the app and 1Password a time or two. It’d be nice if it was more streamlined for 3rd party apps kind of like it is for keychain.

Agree with you 100%. I’ve been using LastPass for some years now and it’s great, but integration on iOS is kinda crap, having to jump back and forth when saving a new password or to log in on an app when the autofill doesn’t work. Sure I could use iCloud Keychain, but until it has a Windows client and extensions for Firefox/Chrome/Edge it’s a complete no go unless you use Apple devices 100% of the time. That’s why I’ve always preferred cross platform solutions.
 
More than anything else password related I just want them to solve
  1. Consistent ability for Safari to suggest passwords in password fields. For some reason this works only about 5% of the time.
  2. The ability to fill app password fields with keychain information.
Resolve that and I’ll be happy even if the other things this initiative is trying to resolve don’t work out.
 
May I take this opportunity to rant against websites and security products that restrict the characters that you're allowed to use in a password?

There's absolutely no technical reason for this, as any competent programmer can handle the encoding and decoding where necessary, but I often run into sites that tell me I can't use spaces or less-than signs or ampersands in my password. Dumb!

</rant>

See bookofxero's post about the same thing.
 
Sure. Give hackers the open source code to help people generate passwords. What can go wrong? :rolleyes:

Maybe not quite that simple but knowing passwords from different sites are based on the same generation algorithm could be advantageous for hackers. Many sites need to be extremely secure, so it isn't surprising they take steps they think improve security (whether it's true or not).

Color me skeptical but Apple's gesture isn't entirely altruistic. Inviting more password managers might help Apple since they take a 30% cut on the app store. Maybe new password managers will be easier to hack. That possibility leaves me less than sanguine.
 
Maybe not quite that simple but knowing passwords from different sites are based on the same generation algorithm could be advantageous for hackers. Many sites need to be extremely secure, so it isn't surprising they take steps they think improve security (whether it's true or not).

Color me skeptical but Apple's gesture isn't entirely altruistic. Inviting more password managers might help Apple since they take a 30% cut on the app store. Maybe new password managers will be easier to hack. That possibility leaves me less than sanguine.
If Apple was only concerned about selling more apps, they would just add this as an SDK and not open-source it.

Stop being so negative.
 
Is Apple aware that their own “password manager” isn’t capable of adjusting suggestions based on particular site rules? Rather audacious of them to be lecturing developers..
 
This sounds like a great idea! It’s a terrible experience when you try and auto fill a strong password and get that error, it causes massive hassle for the user and tempts them to use a poor password.
 
”Strong” passwords are dumb.


The important thing is long passwords. Having to type in a bunch of weird characters is unnecessary. Having a long easily remembered password is more than strong enough.

My other gripe with passwords. So much software hiding what you are putting in. Great for a public library pretty dumb for in your house. My PS4 hides it from me. Who is watching me enter the password?
Maybe not quite that simple but knowing passwords from different sites are based on the same generation algorithm could be advantageous for hackers. Many sites need to be extremely secure, so it isn't surprising they take steps they think improve security (whether it's true or not).

Color me skeptical but Apple's gesture isn't entirely altruistic. Inviting more password managers might help Apple since they take a 30% cut on the app store. Maybe new password managers will be easier to hack. That possibility leaves me less than sanguine.
The algorithm doesn’t help them. They would just be autogenerating billions of useless passwords.
 
Is Apple aware that their own “password manager” isn’t capable of adjusting suggestions based on particular site rules? Rather audacious of them to be lecturing developers..
1) it actually does, but it can be better
2) open-sourcing it will make it better
 
Is Apple aware that their own “password manager” isn’t capable of adjusting suggestions based on particular site rules? Rather audacious of them to be lecturing developers..

I don't think Apple is lecturing developers of password managers in so much as they're suggesting that documenting in a clear format how limiting some sites are could encourage those sites to support a wider range of characters or lengths.

I would also suggest that given Apple is open sourcing this so close to WWDC that this might be an upcoming feature coming to their own password manager. They've obviously compiled a list of items already and in a sense they're crowd sourcing the rest of the entries. I'm sure Apple could have figured something out to do this all in house but they're doing a win-win collaboration approach to solve a common problem. It's obvious that Apple recognises it as a problem and the dates I see in the repository go back to 2019 so they've potentially been working on it for a while.

Perhaps a sign of an announcement to come?
 
but for instances of password entry that present a modal dialog box which precludes using a password manager, such as AppleID or the system password, I have to use a shorter password so I can remember it no matter what.
 
Mine too, I have been using SplashID Safe and it can generate some crazy ass passwords. The problem is, if I can't copy and paste, then it can suck.


That does not sound very secure to me...maybe it's just me.

It’s perfectly safe. On the other hand, using SplashID is not. I’d suggest finding a reputable password manager, there’s plenty out there to choose from. :)
 
Yes, someone will do this the very instant you're trying to register the account to buy the widget you've put in your basket before the cookie times out.
You're right, it might not be perfectly up to date for every case for every user all the time, so let's just drop it and keep doing things the old hard way.

Or maybe some people will have trouble, and pretty soon someone who knows how will submit an update, and then it'll be good on that site for everyone from then on.

Not everyone is fighting against a timer. I've had plenty of times where I had to go figure out exactly what a site would support (often digging into the javascript in their validation routine), and then... that information is lost, once I get my password set up. In those cases I would have happily submitted a few lines of JSON to this project.
Sure. Give hackers the open source code to help people generate passwords. What can go wrong? :rolleyes:
Sure, don't bother understanding what the article is actually saying before posting snarky comments. What could go wrong? :rolleyes:
 
I was almost excited. What I really want is the ability to store OTP/2FA codes in iCloud Keychain. For anyone using Google Authenticator, don't, it won't back up the codes anywhere and when you lose your device or just upgrade, you'll lose all your codes.
 
I was almost excited. What I really want is the ability to store OTP/2FA codes in iCloud Keychain. For anyone using Google Authenticator, don't, it won't back up the codes anywhere and when you lose your device or just upgrade, you'll lose all your codes.
Why use Google Authenticator? Both Authy and Microsoft Authenticator can back up and sync between devices. Or use a good password manager with OTP codes built in. That is one of the reasons I use 1Password.
You're right, it might not be perfectly up to date for every case for every user all the time, so let's just drop it and keep doing things the old hard way.

Or maybe some people will have trouble, and pretty soon someone who knows how will submit an update, and then it'll be good on that site for everyone from then on.

Not everyone is fighting against a timer. I've had plenty of times where I had to go figure out exactly what a site would support (often digging into the javascript in their validation routine), and then... that information is lost, once I get my password set up. In those cases I would have happily submitted a few lines of JSON to this project.
Sure, don't bother understanding what the article is actually saying before posting snarky comments. What could go wrong? :rolleyes:

I don't think 90% of the people commenting on this story either (a) understand what Apple released today or (b) have looked at the GitHub repository to learn more.

I think that we will see Apple integrate this feature into their password generator at WWDC. By making the JSON files Open Source, it encourages crowd sourcing.
 
Is Apple aware that their own “password manager” isn’t capable of adjusting suggestions based on particular site rules? Rather audacious of them to be lecturing developers..
And this is being announced a few weeks ahead of Apple's yearly developer conference where they unveil all the new bits they've added to their operating systems.

You don't think the timing, and the effort they've put into this would mean Apple is going to-- no, I'm sure it's all just a big coincidence, right?
 
Apple themselves have dumb password rules. Perhaps they could look into this first? I can’t use a six word passphrase and instead have to use a bunch of arcane characters.


I like this initiative but it’s the big websites (who probably have reasonable password rules in the first place) that will end up on this list. Not obscure little hobbyist sites.
 
If only safari could generate strong passwords that are compatible with all sites. Can’t tell you how many times I try but the site rejects the password because it doesn’t meet their requirements
 
Why use Google Authenticator? Both Authy and Microsoft Authenticator can back up and sync between devices. Or use a good password manager with OTP codes built in. That is one of the reasons I use 1Password.


I don't think 90% of the people commenting on this story either (a) understand what Apple released today or (b) have looked at the GitHub repository to learn more.

I think that we will see Apple integrate this feature into their password generator at WWDC. By making the JSON files Open Source, it encourages crowd sourcing.
I just used Google Auth because I didn't know any better at the time, it was just the one every company said to use. Obviously not going to use MS, so yes I do have Authy. I used to use 1Password but it's insanely expensive for the Mac/Windows version.
 
I thought "4 random words" create the strongest passwords = "JohnDiamondTitanicJapan". Using funny symbols and capitals make it harder for you to remember but not the computer to crack. To make it hard for the computer you have to make it longer. In my example, it's 23 characters, it will take 3.3274555705665723e+22 years for it to be cracked (according to random-ize.com)
 
I just used Google Auth because I didn't know any better at the time, it was just the one every company said to use. Obviously not going to use MS, so yes I do have Authy. I used to use 1Password but it's insanely expensive for the Mac/Windows version.
Go and take a look at strongbox. Keepass based, open source, totp support.
If you don’t want to host your own database (though very easy to stick on a cloud service somewhere if you need), look at Bitwarden instead. Also open sourced, also totp support.

Much much better options for your secret keeping.
 
I thought "4 random words" create the strongest passwords = "JohnDiamondTitanicJapan". Using funny symbols and capitals make it harder for you to remember but not the computer to crack. To make it hard for the computer you have to make it longer. In my example, it's 23 characters, it will take 3.3274555705665723e+22 years for it to be cracked (according to random-ize.com)

It depends on the assumptions the cracker makes. If it assumes that any password over a certain length is made of words, it can be cracked quite quickly using a dictionary attack, whereas using characters other than a-z then makes things much stronger.

The best bet is a long password that uses punctuation, numbers, and letters. “Hard to remember” is irrelevant if you are using tools like 1Password or the like.
 
It depends on the assumptions the cracker makes. If it assumes that any password over a certain length is made of words, it can be cracked quite quickly using a dictionary attack, whereas using characters other than a-z then makes things much stronger.

The best bet is a long password that uses punctuation, numbers, and letters. “Hard to remember” is irrelevant if you are using tools like 1Password or the like.
So what dictionary will have JohnDiamondTitanicJapan in it? A dictionary attack will have John, Diamond, Titanic, and Japan separately, but not as one word... unless it was used and one of those passwords that got leaked out in a previous breach. Now to make it stronger put a symbol in there and numbers: John*Diamond-2-Titanic-Japan56
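
An added example (not part of any post in this thread) that puts numbers on the two guessing models argued over in the last posts: character-by-character brute force versus a search over combinations of dictionary words. The small wordlist, the 20,000-word dictionary size and all function names are assumptions made for illustration.

```python
import math

# Constructed sample wordlist (assumption). ASSUMED_DICT_SIZE stands in for
# the size of a realistic list of common words and names.
WORDS = {"john", "diamond", "titanic", "japan", "dia", "tit", "an"}
ASSUMED_DICT_SIZE = 20_000

def segment(password, words=WORDS):
    """Split password into the fewest dictionary words; None if impossible."""
    s = password.lower()
    best = [None] * (len(s) + 1)   # best[i] = shortest split of s[:i]
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in words:
                cand = best[start] + [s[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(s)]

def charset_size(password):
    """Alphabet a character-level brute force must cover for this password."""
    size = 0
    size += 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += 33 if any(not c.isalnum() for c in password) else 0
    return size

def brute_force_bits(password):
    return len(password) * math.log2(charset_size(password))

def word_model_bits(password):
    """Bits if the guesser tries every k-word combination from the list."""
    parts = segment(password)
    return None if parts is None else len(parts) * math.log2(ASSUMED_DICT_SIZE)

def estimate(password):
    bf, wm = brute_force_bits(password), word_model_bits(password)
    # The weaker model bounds real strength. This simple word model does not
    # cover separators or digits, so it returns None for such passwords.
    eff = bf if wm is None else min(bf, wm)
    return {"brute_force_bits": round(bf, 1),
            "word_model_bits": None if wm is None else round(wm, 1),
            "effective_bits": round(eff, 1)}

if __name__ == "__main__":
    for pw in ("JohnDiamondTitanicJapan", "John*Diamond-2-Titanic-Japan56"):
        print(pw, estimate(pw))
```

Under these assumptions the 23-character passphrase scores about 131 bits against character brute force but about 57 bits against a word-combination search, so a years-to-crack figure depends entirely on which model the calculator uses.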
 