Passwords are a mess. We keep upping complexity and now we’re at a point managers like these are nearly mandatory if you care at all about security.

Not sure what the long-term solution is but whatever it is will have to NOT be a PITA for widespread adoption (3FA etcetera are probably not the answer in that case).
The long term is likely to be some form of biometric authentication. But it will be a long time to come unless support is baked into various frameworks and APIs.
 
I would speculate it’s for readability. The fact there are hyphens in “known” positions is irrelevant.

The hyphen is mainly to satisfy websites that require a special character, along with readability. With machine-generated passwords, special characters aren't required; entropy is entropy.

The long term is likely to be some form of biometric authentication. But it will be a long time to come unless support is baked into various frameworks and APIs.

Already done on Windows. You sign in with fingerprint/face/PIN, which is bound to your TPM (a.k.a. secure enclave). Then the Edge browser automatically signs you in via FIDO to Microsoft, Office 365 and sites that talk with Azure Active Directory. Called Windows Hello for Business. Works amazingly well.
 
Can you edit that strong password? There are a lot of stupid websites that don’t take passwords longer than 10 characters or accept the dashes.
If the website is set up properly then iOS can read the requirements and generate the strongest password possible. It says this in the iOS 12 security paper.
 
What if I want to share PWs with my wife? Our current system is we have 8 characters that precede every site. For example:
5west4thAmazon!
5west4thGoogle!

The 5west4th isn’t written down anywhere. It isn’t perfect but we aren’t protecting the launch codes and it’s better than QWERTY. We know what the other will have used when creating a new account, at least 90% of the time.

Do any of the managers allow two people to share passwords without jumping through hoops?
 
Rant below: I don't trust iCloud with all my passwords. I use it for low-tech sites just cause I'm lazy and know I can reset it by email if needed. Besides those, I just have a few passwords I remember, with a quality level for each. Every account I don't care about has the same exact password. 2 more passwords are reserved for semi-important things that have 2FA anyway, maybe with the name of the site on the end. Only a few special things with no 2FA, like my PC, get a unique password.

I would rethink your password reuse policy. Even if an account is something you don't care about, all those accounts combined, and breached with the same password, might give someone more than enough info to masquerade as you online. Maybe the last four digits of your SSN comes from one site, your cat's name from another account, your gradeschool from another account... Not caring about the site/app is one thing, but each of us should really care about every piece of personal info that's out there, no matter how small. Don't give up multiple pieces of the puzzle so easily.
A few comments:

1. This assumes that all sites, apps., etc. etc. need or deserve the same degree of security. For some, all this rigmarole is obviously necessary. But for others (such as websites I visit which store no personal information, allow access to my finances, etc. etc.) they fall more in the "unwelcome nuisance" category. So thanks anyway, but I'll stick to short, simple, easily remembered ones.

If a site thinks you need a password, then they are certainly collecting something about _you_ (browsing habits? which products you click on or purchased?) that a thief might want to know. Just having my email address saved with a useless account is enough for me to want to use unique passwords everywhere.

2. Different people have different security needs. For inst., I am old enough that sooner or later I am scheduled to wake up dead one morning, and the executors of my estate will require quick and easy access to all the information they will need to do their jobs. So I have made a deliberate decision to maintain a simple password for my desktop Mac. Call me smart, call me stupid, this is the personal choice I have made and I would resent it if Apple were to take this freedom of choice away from me. This is a situation in which Apple's tendency to impose "one size fits all" solutions on its user base would be a very bad idea indeed.

I'm in a similar boat, age-wise, but I couldn't care less about executors and whatnot after I'm dead. The important things are safely filed with the proper authorities, in a place and/or with a person my wife is aware of. Nobody is really going to need to know my BestBuy.com password after I'm dead. My $10 award isn't that much of a loss. :)
What if I want to share PWs with my wife? Our current system is we have 8 characters that precede every site. For example:
5west4thAmazon!
5west4thGoogle!

The 5west4th isn’t written down anywhere. It isn’t perfect but we aren’t protecting the launch codes and it’s better than QWERTY. We know what the other will have used when creating a new account, at least 90% of the time.

Do any of the managers allow two people to share passwords without jumping through hoops?

1Password has the notion of shared vaults. My wife and I don't use it but I know it's there!
 
What if I want to share PWs with my wife? Our current system is we have 8 characters that precede every site. For example:
5west4thAmazon!
5west4thGoogle!

The 5west4th isn’t written down anywhere. It isn’t perfect but we aren’t protecting the launch codes and it’s better than QWERTY. We know what the other will have used when creating a new account, at least 90% of the time.

Do any of the managers allow two people to share passwords without jumping through hoops?
1Password can easily. My wife and I have a shared vault called bills that we can not access easily. And if one of us changes the password, the other person will get the updated info automatically. Probably one of the best features.
 
I would rethink your password reuse policy. Even if an account is something you don't care about, all those accounts combined, and breached with the same password, might give someone more than enough info to masquerade as you online. Maybe the last four digits of your SSN comes from one site, your cat's name from another account, your gradeschool from another account... Not caring about the site/app is one thing, but each of us should really care about every piece of personal info that's out there, no matter how small. Don't give up multiple pieces of the puzzle so easily.
Sites I don't care about have nothing on me but a username/email, often not the same one. They're usually ones where I'm forced to make an account for no good reason. It'd also take a very intense manual effort to even attempt that kind of attack on me.
If it’s stored in a password manager, I wouldn’t see the problem. The problem I see are the sites that have password length limitations like 8-10 chars and also don’t accept many non-alphanumeric characters, so the password is inherently weaker from the start.
I haven't encountered a site requiring ≤10 alphanum chars. If those exist, that's sad; they're probably not even hashing your password if they're that incompetent.
I prefer not to use automatically generated passwords because they eventually are reverse engineered.
This isn't a real concern. I thought you might want reasoning instead of just being insulted by the guy above... They use a secure source of randomness, which is meant to be impossible to reverse-engineer but could in theory be broken if someone makes a really bad mistake. As long as that's in place, it doesn't matter what else is known about the password generator.

Same goes with that trick of using 4-5 English words. Doesn't matter if attackers know you're doing that as long as you're truly randomly selecting the words. Sadly a so-called "security expert" wrote a really flawed blog post saying it's insecure because attackers know you'll use 4 words. You should really only trust authorities on security, which means don't take my word either.
 
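The two posts above make an entropy argument: a cryptographically random generator leaks nothing about its output, and an attacker knowing the layout (hyphens at fixed offsets, "four words from a list") costs no strength. The following is an added example, not code from any poster or from Apple or 1Password, that puts numbers on that argument and on the "fixed prefix + site name" scheme quoted elsewhere in the thread; the alphabet sizes, word-list size and guess rate are assumptions chosen for illustration.

```python
import math
import secrets
import string
from typing import Sequence

# Added example (not from the thread). Compares the entropy of three
# password schemes discussed in the posts: a grouped random string with
# hyphens at known positions, a randomly chosen multi-word passphrase,
# and a "shared secret prefix + site name" scheme. All sizes and the
# guess rate are assumptions for illustration only.


def entropy_bits(alphabet_size: int, secret_positions: int) -> float:
    """Bits of entropy for a password whose `secret_positions` symbols
    are each drawn uniformly from `alphabet_size` choices.
    Only the random choices count: fixed structure the attacker may
    know (hyphens at known offsets, the word count) neither adds to nor
    subtracts from this figure."""
    return secret_positions * math.log2(alphabet_size)


def grouped_password(groups: int = 3, group_len: int = 6,
                     alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random string in the xxxxxx-xxxxxx-xxxxxx style. The hyphens are
    for readability only; secrets.choice uses the OS CSPRNG, so knowing
    the layout tells an attacker nothing about the letters."""
    return "-".join(
        "".join(secrets.choice(alphabet) for _ in range(group_len))
        for _ in range(groups)
    )


def passphrase(wordlist: Sequence[str], words: int = 4) -> str:
    """Random passphrase. Strength is words * log2(len(wordlist)),
    whether or not the attacker knows the word count."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def prefix_scheme_bits(prefix_len: int, alphabet_size: int,
                       one_password_leaked: bool) -> float:
    """The 'fixed prefix + site name' scheme has at most the entropy of
    the prefix (the suffix is the site name). Once any one password
    built this way is exposed, the prefix is known and every other
    password in the scheme has 0 bits left."""
    return 0.0 if one_password_leaked else entropy_bits(alphabet_size, prefix_len)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed stand-in word list; a real Diceware list has 7776 words.
    demo_words = ["apple", "river", "stone", "cloud", "maple", "ember"]
    print(grouped_password())       # e.g. kq3Tzv-9pLmaX-Wb7rHd (random)
    print(passphrase(demo_words))    # e.g. river ember apple stone (random)
    rate = 1e12  # assumed offline rate (guesses/s) against a fast unsalted hash
    for label, bits in [("18 random alphanumerics", entropy_bits(62, 18)),
                        ("5 words from a 7776-word list", entropy_bits(7776, 5)),
                        ("4 words from a 7776-word list", entropy_bits(7776, 4))]:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
    print(f"8-char prefix, nothing leaked: {prefix_scheme_bits(8, 36, False):.1f} bits")
    print(f"8-char prefix, one site breached: {prefix_scheme_bits(8, 36, True):.1f} bits")
```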
I’ve been using LastPass for years and years. It’s a little awkward to get to on the phone, but it’s never been a problem and I highly recommend it. It unlocks with faceID or a master pass phrase and fills the stored password, or credit card info.
 
1Password can easily. My wife and I have a shared vault called bills that we can not access easily. And if one of us changes the password, the other person will get the updated info automatically. Probably one of the best features.

This is one the main reasons I use 1Password and (gasp) pay their subscription fee. I use shared vaults for different types of password. Video sites (Netflix, etc.) that I want to share with my family are in one vault. Banking websites are only shared with my wife. Work passwords are in their own vault. And my personal password in another.
 
As long as it doesn't force me to use excessively long and confusing passwords, I'm ok with this. I know many sites institute insanely long and complex passwords, so this may be helpful.

Passwords only feel "excessively long and confusing" if you're trying to remember them. If you're using a password manager you trust and have on you all the time, you can ditch memorability as a factor and make them as hack-resistant as possible.
 
The long term is likely to be some form of biometric authentication. But it will be a long time to come unless support is baked into various frameworks and APIs.

I have a few apps I can sign into on my iPhone via Touch ID, including my bank accounts. A few on my spare Android phone also accept fingerprint authorisation. Depends whether developers or website managers think it is worth the effort incorporating this.
 
Apple need a proper password manager of some kind, then I can stop my expensive 1Password subscription and get an even more expensive Apple subscription.
 
2) There is no means to access the saved passwords outside of fully connecting to your iCloud account on an Apple device. So if you lose/damage your iPhone (or iPad or Mac) and don't have another Apple device available that you are able to connect to iCloud with as a primary account, you are completely locked out of EVERYTHING until you replace that Apple device with another Apple device. Clever on Apple's part but infuriating the moment the customer realises it.

Yeah, I got locked out of my iCloud account briefly while travelling and it was a little scary, honestly. Using a trusted third-party password system like 1Password or LastPass might be the way to go, then. I believe 1Password also allows you to export your passwords to something universally readable like CSV.

3) Each time you want to access a password you need to use a credential that protects ALL of your other credentials. This means that primary credential is used more often, making it more susceptible to "breach". Credentials are typically most at risk at the point/time of entry, so the more you need to use it the more at risk it is.

It's a matter of weighing convenience and usability vs. the actual security threats you face. If you're a journalist or a political dissident or a celebrity, sure, you might want to have a few layers of security -- but I suspect that for the vast number of people having one very strong password (my 1Password master password is over 20 characters long but still memorable by me) is probably going to deter everyone you need to deter without making your life hell every time you want to log into something.
4) It is all highly presumptive that everything is working right.
I'm always skeptical of this too, but 1Password works online or off, and I'm several years into using it with not a single glitch. Again, having a CSV or text file backup of your passwords kept somewhere safe is probably not a terrible idea...
What if I want to share PWs with my wife? Our current system is we have 8 characters that precede every site. For example:
5west4thAmazon!
5west4thGoogle!

The 5west4th isn’t written down anywhere. It isn’t perfect but we aren’t protecting the launch codes and it’s better than QWERTY. We know what the other will have used when creating a new account, at least 90% of the time.

Do any of the managers allow two people to share passwords without jumping through hoops?
1Password does. I have a vault that's strictly my own, and another I share with my wife for household/shared stuff like Hulu, utility company logins, etc. It works beautifully.
 
I have a few apps I can sign into on my iPhone via Touch ID, including my bank accounts. A few on my spare Android phone also accept fingerprint authorisation. Depends whether developers or website managers think it is worth the effort incorporating this.
But you still need a password to set it up or use the website.
 
This new password function in Safari is crap. It's failing to remember the password in both the Safari prefs and in keychain. On one web site it alters the field that has an email to be the user-ID which makes the web site unable to execute a change of PW.
 
I would speculate it’s for readability. The fact there are hyphens in “known” positions is irrelevant. Even if a cracker “knew” the password was generated by Apple’s latest gen pw engine (that’s a big ‘if’), and that there were a specific number of groups of characters of a specific length, there are still sufficient unknown characters to make the password “uncrackable” with today’s technology.
Exactly, one should think of the password as being everything without the hyphens, like with spaces in credit card numbers.
What if I want to share PWs with my wife? Our current system is we have 8 characters that precede every site. For example:
5west4thAmazon!
5west4thGoogle!

The 5west4th isn’t written down anywhere. It isn’t perfect but we aren’t protecting the launch codes and it’s better than QWERTY. We know what the other will have used when creating a new account, at least 90% of the time.
If one of the sites that you use these passwords on gets hacked and your password gets out, it is hardly rocket science for the attacker to understand your password system and everything linked to the same email address could get compromised.
Do any of the managers allow two people to share passwords without jumping through hoops?
1Password does but only on a subscription plan.
 
1Password does but only on a subscription plan.
I did this way before subscription. My wife and I shared a Dropbox account, and it had 3 vaults in it. One was mine, one was my wife’s, and the other was for bills. My 1Password would have mine and the one for bills, and her 1Password has hers and bills. You can easily move stuff from one vault (my personal) to the shared vault (bills).
 
It's a matter of weighing convenience and usability vs. the actual security threats you face. If you're a journalist or a political dissident or a celebrity, sure, you might want to have a few layers of security -- but I suspect that for the vast number of people having one very strong password (my 1Password master password is over 20 characters long but still memorable by me) is probably going to deter everyone you need to deter without making your life hell every time you want to log into something.

Exactly. Each "system" has its flaws and one needs to weigh those flaws against the benefits. The problem is that most people don't stop to think that their exposure isn't limited to the site/device that was broken. The second a credential pair is compromised *every* site/resource that uses that same pair is compromised. Not only that, you have no idea when the breach occurred, so the moment you're made aware the clock isn't ticking from that time; rather, it started at the time of the breach, which was who knows when.

Because of this, rather than having unique passwords I obfuscate through unique email addresses/user IDs. So if a credential pair is compromised it stops there at the one site/location. Metaphorically, rather than having unique keys for each door that's the same, I'm hiding the doors. Which means irrespective of whether you have the right key you're going nowhere fast unless you're able to find the right door.

Of course this means needing to document email addresses but even then that's only half of the credential pair anyway. And in having documented all of the email addresses if the time comes when a pair is compromised I have a concise list of what I have to do and where I have to change things.

PS BTW, when I mean unique email addresses I don't mean silliness like apple@, google@, adobe@, netflix@ etc. I mean addresses like b8efcjh@, fkrm5yap@, j3msqtcr@, xh6gbdtz@.
 
Of course this means needing to document email addresses but even then that's only half of the credential pair anyway. And in having documented all of the email addresses if the time comes when a pair is compromised I have a concise list of what I have to do and where I have to change things.

PS BTW, when I mean unique email addresses I don't mean silliness like apple@, google@, adobe@, netflix@ etc. I mean addresses like b8efcjh@, fkrm5yap@, j3msqtcr@, xh6gbdtz@.

This seems like a lot of admin work to me, but if you need it, Gmail's "plus addressing" is useful for generating on-the-fly unique addresses -- though some websites struggle with them.
 
This seems like a lot of admin work to me, but if you need it, Gmail's "plus addressing" is useful for generating on-the-fly unique addresses -- though some websites struggle with them.

Nah, I manage my own domains and I can bulk create them in hundreds at a time, all forwarding to a single address. Once created I just grab the next free one in the list. The tricky part is mostly keeping a few free ones around on my phone & iPad for when I'm not in front of a computer. Just grab a few and stick them into Notes.
 
Another problem are sites that automatically cut the length without telling you. You generate a password, everything seems fine, you can't login. After resetting multiple times you figure out it was only taking the first 16 or so characters from the auto-generated password and ignoring the rest.
idk about now, but Mac OS X Snow Leopard used to do that in extreme cases. I set an excessively long password (which I know is dumb) and got locked out.

Honestly I can't think of many sites with dumb password requirements. The one nasty one was for checking my Princeton decision, which was even dumber because they could've just emailed me it. Was something like 16 characters, mixed case, no consecutively same characters, no using the same character 3 times in total, and a special character that can't be at the beginning or end... I don't even know what other rules there were cause they only told me a rule if I broke it, so I ended up totally unable to find a suitable password and had to randomly generate one (took two tries). Wrote it down because it was impossible to remember.
 
I did this way before subscription. My wife and I shared a Dropbox account, and it had 3 vaults in it. One was mine, one was my wife’s, and the other was for bills. My 1Password would have mine and the one for bills, and her 1Password has hers and bills. You can easily move stuff from one vault (my personal) to the shared vault (bills).
Just a note of caution on this method: If two people access the same (shared) vault at the same time, in particular if two people edit the content of the same vault at the same time, Dropbox might not be able to reconcile things and some changes might be lost.
The one nasty one was for checking my Princeton decision, which was even dumber because they could've just emailed me it. Was something like 16 characters, mixed case, no consecutively same characters, no using the same character 3 times in total, and a special character that can't be at the beginning or end... I don't even know what other rules there were cause they only told me a rule if I broke it, so I ended up totally unable to find a suitable password and had to randomly generate one (took two tries).
Maybe they took the idea of randomness too seriously and decided to let their password rules be created randomly.
Because of this, rather than having unique passwords I obfuscate through unique email addresses/user IDs. So if a credential pair is compromised it stops there at the one site/location. Metaphorically, rather than having unique keys for each door that's the same, I'm hiding the doors. Which means irrespective of whether you have the right key you're going nowhere fast unless you're able to find the right door.

Of course this means needing to document email addresses but even then that's only half of the credential pair anyway. And in having documented all of the email addresses if the time comes when a pair is compromised I have a concise list of what I have to do and where I have to change things.
Does it really matter which part of the credentials pair is unique (and random)? Regardless of which part of the pair you randomise, you need a method to create a random string and a method to store it. Of course there are often other elements attached to a credentials pair that one would also ideally like to randomise: shipping address, payment method, birthday, security questions. The latter two can be randomised, the former two much less so. However payment methods that are attached to your email address (PayPal, Apple Pay) avoid giving out another unique identifier (credit card number).
 
Exactly, one should think of the password as being everything without the hyphens, like with spaces in credit card numbers.
If one of the sites that you use these passwords on gets hacked and your password gets out, it is hardly rocket science for the attacker to understand your password system and everything linked to the same email address could get compromised.

1Password does but only on a subscription plan.

A couple of critical sites have their own pw - bank, brokerage - but I’m willing to take the risk on Hulu, Hilton Honors, etc
 