
macrumors bot
Original poster
Apr 12, 2001



In iOS 12, Apple has introduced new password-related features that are designed to make it easier for iPhone and iPad users to create strong, secure, and unique passwords for app and website logins. In this guide, we'll show you how to use two of those features: automatic strong passwords and password auditing.

[Image: icloud-keychain.jpeg]

Automatic strong passwords ensure that if a website or app prompts you to make up a password on the spot, Apple will automatically offer to generate a secure one for you. Password auditing, meanwhile, flags weak passwords and tells you if a password has been reused across different account logins. Here's how to use the two features.

How to Use Automatic Strong Passwords in iOS 12
  1. Launch Safari and navigate to the site asking you to create new login credentials, or launch a third-party app asking you to sign up for a new account.
  2. Enter a username or email address in the first field.
  3. Tap on the Password field - iOS will generate a strong password.
     [Image: ios-12-automatic-strong-passwords-800x702.jpg]
  4. Tap Use Strong Password to accept the password suggestion and save it to your iCloud Keychain.
Pro tip: Next time you need one of your passwords, you can ask Siri. For example, you could say: "Siri, show me my BBC password." Siri will then open up your iCloud Keychain with the relevant entry, but only after you authenticate your identity with a fingerprint, a Face ID scan, or a passcode.

How to Identify Reused Passwords in iOS 12
  1. Launch the Settings app on your iPhone or iPad.
  2. Tap Passwords & Accounts.
     [Image: ios-12-password-auditing-1-800x702.jpg]
  3. Authenticate via Touch ID, Face ID, or your passcode.
  4. Scroll down the list of passwords and tap on any entries with a triangular warning symbol.
     [Image: ios-12-password-auditing-2-800x702.jpg]
  5. Tap Change Password on Website to open the associated website and make the change.
Note that the last screen shows you on which other websites you've used the same password.

Pro tip: You can share passwords with other people directly from the iOS Password Manager via AirDrop. Simply tap the password field and an option to AirDrop the login will appear. The login can be AirDropped to any device running iOS 12 or macOS Mojave.

Article Link: How to Use Automatic Strong Passwords and Password Auditing in iOS 12
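The reuse and weakness check the guide describes, written out as an added example (this is not Apple's Keychain audit code, whose internals the article does not show): a local audit over a constructed list of saved logins that groups entries by a hash of the password so the report never echoes plaintext, and flags passwords that are common, short, or low in character variety. The 12-character minimum, the common-password set and the sample logins are all assumptions made for the example.

```python
import hashlib
import string
from collections import defaultdict

# Constructed sample of saved logins for the demo; none of these are real accounts.
SAVED_LOGINS = [
    {"site": "shop.example", "user": "alice", "password": "Summer2018!"},
    {"site": "forum.example", "user": "alice", "password": "Summer2018!"},
    {"site": "bank.example", "user": "alice", "password": "tK9vZq-4mPwLx2-Qs7RbN"},
    {"site": "mail.example", "user": "alice", "password": "password"},
]

# Stand-in for a breach-derived list of common passwords (constructed, not a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Minimum length is a policy choice assumed for this example.
MIN_LENGTH = 12


def fingerprint(password):
    """Short hash used only to group entries; the report never contains the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reuse(logins):
    """Map fingerprint -> list of sites sharing that password (only groups of two or more)."""
    groups = defaultdict(list)
    for entry in logins:
        groups[fingerprint(entry["password"])].append(entry["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def weakness_reasons(password):
    """Reasons a single password is considered weak; empty list means none found."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in pool for c in password) for pool in pools)
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit(logins):
    """Return {site: [flags]} for every login; an empty list means nothing to report."""
    reused = find_reuse(logins)
    report = {}
    for entry in logins:
        flags = list(weakness_reasons(entry["password"]))
        fp = fingerprint(entry["password"])
        others = [s for s in reused.get(fp, []) if s != entry["site"]]
        if others:
            flags.append("reused on " + ", ".join(sorted(others)))
        report[entry["site"]] = flags
    return report


if __name__ == "__main__":
    for site, flags in audit(SAVED_LOGINS).items():
        print(f"{site:15} {'OK' if not flags else '; '.join(flags)}")
```

Grouping by a truncated SHA-256 is enough to spot reuse inside one user's own vault; it is not a substitute for the slow, salted hashing a server must use to store passwords.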
 
As long as it doesn't force me to use excessively long and confusing passwords, I'm ok with this. I know many sites institute insanely long and complex passwords, so this may be helpful.
 
I prefer not to use automatically generated passwords because they eventually are reverse engineered.
 
As long as it doesn't force me to use excessively long and confusing passwords, I'm ok with this. I know many sites institute insanely long and complex passwords, so this may be helpful.
If it’s stored in a password manager, I wouldn’t see the problem. The problem I see are the sites that have password length limitations like 8-10 chars and also don’t accept many non-alphanumeric characters, so the password is inherently weaker from the start.
 
I prefer not to use automatically generated passwords because they eventually are reverse engineered.

Really? There are plenty of easier and more likely vectors than “reverse engineering” the password generation mechanism.

As long as it doesn't force me to use excessively long and confusing passwords, I'm ok with this. I know many sites institute insanely long and complex passwords, so this may be helpful.

This is the world we’re heading to. Away from simple passwords that can be memorized and on to machine-generated passwords which are complex enough to thwart brute-force hacking. Look at SSL/TLS. Sure, these use certificates, but it’s a similar idea. Machine-generated, machine-stored, machine-entered authentication. Personally, I welcome it, as I would argue no one can reasonably generate and remember secure, unique passwords for all of the services they use.

Can you edit that strong password? There are a lot of stupid websites that don’t take passwords longer than 10 characters or accept the dashes.

If it doesn’t exist already, this will be a feature of future password managers. It would be trivial to screen-scrape and/or keep a database of password requirements, and generate a compliant password based on that knowledge.
 
Personally I'm not a big fan of this type of thing for a number of reasons…

1) At no time do you, or will you, know your password. So what do you do when you need to use that auto-generated password outside of Safari or something that has access into the Keychain?

2) There is no means to access the saved passwords outside of fully connecting to your iCloud account on an Apple device. So if you lose/damage your iPhone (or iPad or Mac) and don't have another Apple device available to you that you are able to connect to iCloud as a primary account, you are completely locked out of EVERYTHING until you replace that Apple device with another Apple device. Clever on Apple's part but infuriating the moment the customer realises it.

3) Each time you want to access a password you need to use a credential that protects ALL of your other credentials. This means that primary credential is used more often, making it more susceptible to "breach". Credentials are typically most at risk at the point/time of entry, so the more you need to use it the more at risk it is.

4) It is all highly presumptive that everything is working right.
 
Personally I'm not a big fan of this type of thing for a number of reasons…

1) At no time do you, or will you, know your password. So what do you do when you need to use that auto-generated password outside of Safari or something that has access into the Keychain?

2) There is no means to access the saved passwords outside of fully connecting to your iCloud account on an Apple device. So if you lose/damage your iPhone (or iPad or Mac) and don't have another Apple device available to you that you are able to connect to iCloud as a primary account, you are completely locked out of EVERYTHING until you replace that Apple device with another Apple device. Clever on Apple's part but infuriating the moment the customer realises it.

3) Each time you want to access a password you need to use a credential that protects ALL of your other credentials. This means that primary credential is used more often, making it more susceptible to "breach". Credentials are typically most at risk at the point/time of entry, so the more you need to use it the more at risk it is.

4) It is all highly presumptive that everything is working right.
I use 1Password. However, you can pull up passwords in your keychain if you want to know what it is, or edit the password. Very easy.
 
As long as it doesn't force me to use excessively long and confusing passwords, I'm ok with this. I know many sites institute insanely long and complex passwords, so this may be helpful.
I find the opposite a problem. I have a password system, that gives me a memorable unique password that is long, uses caps numbers and a special character. And then I meet a website that has limitations. It knackers my system and makes me use a less secure password.

Annoyingly, my bank is one!
 
Is this available for public beta? Mine does not suggest strong password or any password for that matter.
 
How would one integrate this password control with a Windows machine? My workstation at the office is Windows. Today I use Intel’s True Key on my iPhone, MacBook, iMac and PC.
 
I see now (now I see it) that Apple has decided to use five characters separated by dashes to generate a "strong" password. Previous versions of Safari only generated three characters followed by dashes, like this (8CJ-dke-uiB-FQ7).

So is this Apple's way of telling us (by not telling us) that earlier versions of Safari generated passwords that aren't "strong"? They sure made a fuss during the keynote when it was introduced years ago that the password generated was secure. Apparently they don't think so anymore. Otherwise they wouldn't have upped it to five characters.
 
The old version using 4 groups of 3 characters has a possible max of (62^3)^4 or 3.22x10^21 combinations.

The new version using 3 groups of 6 characters has a possible max of (62^6)^3 or 1.83x10^32 combinations.

This assumes that the groups are made up of any of the 26 lower case letters, 26 upper case letters and the 10 digits. If we eliminate i,I,l,L,o,O,1,0 that reduces to 54 possible characters and values of 6.14x10^20 and 1.52x10^31 respectively.

I'm reasonably assured they're not going to get guessed by knowing that the dash is in a particular place.
 
I see now (now I see it) that Apple has decided to use five characters separated by dashes to generate a "strong" password. Previous versions of Safari only generated three characters followed by dashes, like this (8CJ-dke-uiB-FQ7).

So is this Apple's way of telling us (by not telling us) that earlier versions of Safari generated passwords that aren't "strong"? They sure made a fuss during the keynote when it was introduced years ago that the password generated was secure. Apparently they don't think so anymore. Otherwise they wouldn't have upped it to five characters.
Security is a moving landscape. Just about anything that was secure several years ago is at risk today. And generally one should be updating passwords on some sort of periodic basis in addition to uniqueness.
 
Anybody know why Apple uses the hyphen and 5-character words routinely? Wouldn't that be a hint as to the password? Split it into 5-character words by looking for the hyphens, then brute-force each word. What am I missing?

I would speculate it’s for readability. The fact there are hyphens in “known” positions is irrelevant. Even if a cracker “knew” the password was generated by Apple’s latest gen pw engine (that’s a big ‘if’), and that there were a specific number of groups of characters of a specific length, there are still sufficient unknown characters to make the password “uncrackable” with today’s technology.

If I told you I created a password that was 30 characters long, but that the last 15 characters were all the letter A, you’d still have the first 15 characters to figure out. The password would be precisely as difficult to crack as one which was 30 characters long but with a hyphen as every other character. ex: A-9-C-d-F-$-g-g-l[…].

Yes, the dashes sound like a hint, but it doesn’t help solve (“crack”) the problem.
 
Article Link: How to Use Automatic Strong Passwords and Password Auditing in iOS 12

Anybody know why Apple uses the hyphen and 5-character words routinely? Wouldn't that be a hint as to the password? Split it into 5-character words by looking for the hyphens, then brute-force each word. What am I missing?

I would speculate it’s for readability. The fact there are hyphens in “known” positions is irrelevant. Even if a cracker “knew” the password was generated by Apple’s latest gen pw engine (that’s a big ‘if’), and that there were a specific number of groups of characters of a specific length, there are still sufficient unknown characters to make the password “uncrackable” with today’s technology.

If I told you I created a password that was 30 characters long, but that the last 15 characters were all the letter A, you’d still have the first 15 characters to figure out. The password would be precisely as difficult to crack as one which was 30 characters long but with a hyphen as every other character. ex: A-9-C-d-F-$-g-g-l[…].

Yes, the dashes sound like a hint, but it doesn’t help solve (“crack”) the problem.

I'll add more: even if it's 5 digits only, with alphabetic lowercase and capitals, this means
it's 52^5 = 380,204,032.
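The keyspace arithmetic in the two posts above (the (62^3)^4 versus (62^6)^3 comparison, the 54-symbol variant, and the "hyphen as every other character" argument), carried through in code as an added example that is not from the thread or from Apple. The templates, the 62- and 54-symbol alphabets and the guess rate are assumptions taken from the posts; `x` marks a randomly chosen position and any other character is a fixed, publicly known separator. Because a login check accepts or rejects the whole password, the groups between separators cannot be verified one at a time, so their costs multiply rather than add; `per_group_sum` exists only to make that gap visible.

```python
import math
import secrets
import string

# Assumed alphabet from the post: 26 lower, 26 upper and 10 digits (62 symbols).
ALPHANUM = string.ascii_letters + string.digits
# Variant from the post: drop the easily confused characters i I l L o O 1 0 (54 symbols).
UNAMBIGUOUS = "".join(c for c in ALPHANUM if c not in "iIlLoO10")

# Templates discussed in the thread (assumed shapes, not Apple's specification).
OLD_SAFARI = "xxx-xxx-xxx-xxx"        # 4 groups of 3, like 8CJ-dke-uiB-FQ7
NEW_SAFARI = "xxxxxx-xxxxxx-xxxxxx"   # 3 groups of 6, as described in the post


def keyspace(template, charset=ALPHANUM):
    """Number of distinct passwords the template can produce.

    Only free positions count: a separator at a known position is not
    something that has to be guessed, so it neither adds nor removes combinations.
    """
    return len(charset) ** template.count("x")


def entropy_bits(template, charset=ALPHANUM):
    """Keyspace expressed in bits."""
    return math.log2(keyspace(template, charset))


def per_group_sum(template, charset=ALPHANUM):
    """What the cost WOULD be if each group could be verified separately.

    It cannot: a login accepts or rejects the whole password, so this number
    is shown only to contrast with keyspace(), which is the real figure.
    """
    return sum(len(charset) ** g.count("x") for g in template.split("-"))


def years_to_exhaust(template, charset=ALPHANUM, guesses_per_second=1e12):
    """Worst-case time to try every combination at an assumed (hypothetical) guess rate."""
    seconds = keyspace(template, charset) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate(template, charset=ALPHANUM):
    """Fill the free positions from a cryptographic RNG (secrets, not random)."""
    return "".join(secrets.choice(charset) if c == "x" else c for c in template)


if __name__ == "__main__":
    for name, t in (("old", OLD_SAFARI), ("new", NEW_SAFARI)):
        print(f"{name}: {t} -> {keyspace(t):.3g} combinations, "
              f"{entropy_bits(t):.1f} bits, e.g. {generate(t)}")
    # The 30-character argument from the thread: 15 fixed 'A's at the end and a
    # hyphen in every other position both leave 15 unknown characters.
    print(keyspace("x" * 15 + "A" * 15) == keyspace("x-" * 15))
```

Changing the alphabet changes the base, changing the group length changes the exponent; the separators change neither, which is the whole of the answer to the "aren't the dashes a hint?" question.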
 
I'm wary of this feature ever since the macOS password generator set an impossible to remember password that somehow never got stored anywhere... RIP my old Minecraft account. I think it generated it for the password reset box then overwrote it when I tried to log in after. Don't get why it ever overwrites passwords instead of saving the history!
This is the world we’re heading to. Away from simple passwords that can be memorized and on to machine-generated passwords which are complex enough to thwart brute-force hacking. Look at SSL/TLS. Sure, these use certificates, but it’s a similar idea. Machine-generated, machine-stored, machine-entered authentication. Personally, I welcome it, as I would argue no one can reasonably generate and remember secure, unique passwords for all of the services they use.
The new standard for auth is "something you have and something you know," 2-factor auth. The entire purpose of a password is that you know it and don't store it. Also what Infinite Vortex above said. This is excluding things like touch and face ID.

Apple uses password gen because it's a good way to delegate everything to one security mechanism, iCloud, which sits behind a password you have to memorize.

Rant below: I don't trust iCloud with all my passwords. I use it for low-tech sites just cause I'm lazy and know I can reset it by email if needed. Besides those, I just have a few passwords I remember, with a quality level for each. Every account I don't care about has the same exact password. 2 more passwords are reserved for semi-important things that have 2FA anyway, maybe with the name of the site on the end. Only a few special things with no 2FA, like my PC, get a unique password.
 
Last edited:
  • Like
Reactions: KazKam and jpn



Article Link: How to Use Automatic Strong Passwords and Password Auditing in iOS 12
A few comments:

1. This assumes that all sites, apps., etc. etc. need or deserve the same degree of security. For some, all this rigmarole is obviously necessary. But for others (such as websites I visit which store no personal information, allow access to my finances, etc. etc.) they fall more in the "unwelcome nuisance" category. So thanks anyway, but I'll stick to short, simple, easily remembered ones.

2. Different people have different security needs. For inst., I am old enough that sooner or later I am scheduled to wake up dead one morning, and the executors of my estate will require quick and easy access to all the information they will need to do their jobs. So I have made a deliberate decision to maintain a simple password for my desktop Mac. Call me smart, call me stupid, this is the personal choice I have made and I would resent it if Apple were to take this freedom of choice away from me. This is a situation in which Apple's tendency to impose "one size fits all" solutions on its user base would be a very bad idea indeed.

3. I recently read how Apple is nudging all its employees to use the commercial app 1Password. Why are they doing this if they are going to introduce a rival system on Mojave (one that will quickly put 1Password out of business)?
 
as I would argue no one can reasonably generate and remember secure, unique passwords for all of the services they use.
I have a 23-character Apple ID password that contains alphanumeric characters and special characters. I have remembered it.
outside of Safari or something that has access into the Keychain

If something has access to Keychain, then just access Keychain.
2) There is no means to access the saved passwords outside of fully connecting to your iCloud account on an Apple device. So if you lose/damage your iPhone (or iPad or Mac) and don't have another Apple device available to you that you are able to connect to iCloud as a primary account, you are completely locked out of EVERYTHING until you replace that Apple device with another Apple device. Clever on Apple's part but infuriating the moment the customer realises it.

This is the exact reason why I refuse to adopt 2FA. Unfortunately, this scenario is also not uncommon. There has to be a safe backup password storage outside iCloud Keychain.
However, you can pull up passwords in your keychain if you want to know what it is, or edit the password. Very easy.
This will be difficult for users with only one Apple device (mostly their iPhone) as you have no place to pull up passwords when you have no Apple device left.
 
Passwords are a mess. We keep upping complexity and now we’re at a point managers like these are nearly mandatory if you care at all about security.

Not sure what the long-term solution is but whatever it is will have to NOT be a PITA for widespread adoption (3FA etcetera are probably not the answer in that case).
 
A few comments:

3. I recently read how Apple is nudging all its employees to use the commercial app 1Password. Why are they doing this if they are going to introduce a rival system on Mojave (one that will quickly put 1Password out of business)?
iCloud Keychain is OK for personal use, but not in a business environment... and ONLY if you use all Apple products. Quickly put 1Password (and other password managers like Dashlane and LastPass) out of business? I HIGHLY doubt that. I've said this many times: iCloud Keychain is 100% useless if you use anything outside of Apple products. I use Windows, Linux, Android, and Apple. 1Password works on all; iCloud Keychain.... nope. Last I tried iCloud Keychain, it wouldn't even work on other browsers.

Apple also makes apps and needs to test its stuff on other platforms (Apple Music on Android, iTunes for Windows, iCloud.com on other browsers, to name a few), so using a cross-platform password manager makes sense on Apple's part.
 
If it’s stored in a password manager, I wouldn’t see the problem. The problem I see are the sites that have password length limitations like 8-10 chars and also don’t accept many non-alphanumeric characters, so the password is inherently weaker from the start.

I hate websites like that. Even worse are the ones that give you no hint as to what you are doing wrong, or they list rules but your generated password breaks a rule they don't mention. Another problem is sites that automatically cut the length without telling you. You generate a password, everything seems fine, you can't log in. After resetting multiple times you figure out it was only taking the first 16 or so characters from the auto-generated password and ignoring the rest.

There should be some standards. Websites must accept uppercase, lowercase, numbers and specific special characters and some universal maximum limit. That way password generators can easily generate passwords for any website.

Also websites must clearly label password and username fields so a password manager can readily fill them. Plus allow pasting passwords.

I also wouldn't mind if apps on devices like TVs all allowed a simple time limited access code sent to an authorized device and available for generation on their websites to login a new app. Long usernames and complex passwords are a huge pain when adding something to a FireTV or AppleTV.
 