Apple Passwords’ Generated Strong Password Format
To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.
And we weren’t going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format.
[…]
So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. We picked this length and the mix of characters to be compatible with a good mix of existing websites.
I like the password format that Safari generates, but I wish I could turn off auto-generation of passwords. It’s a really awkward workflow if I prefer to create new accounts and passwords in PasswordWallet. As far as I can tell, I can only opt out for individual text fields. That takes a bunch of extra clicks, and if I forget I end up with the password stored in the wrong place, which I may not realize until much later, when it’s harder to fix. Just let me choose to have an empty text field by default.
Previously:
- Apple Passwords App in Sequoia and iOS 18
- Lowercase Passwords
- Password Rules / UITextInputPasswordRules
- Minimum Password Lengths
- Choosing Secure Passwords
I love how Hulu’s password reset input field silently strips out the dashes and compacts the password, while Apple dutifully saves the original.
Update (2024-10-11): Ricky Mondello notes that on Sequoia there’s a setting in the Passwords app to turn off password generation.
Update (2024-10-18): See also: Hacker News.
20 lowercase letters provides about 94 bits of entropy, but because of these “must have a symbol, and an uppercase letter and a digit” requirements, you get these kinds of smart passwords that have much lower entropy (and anyone who thinks 94 is not much better than 71, it's the difference between taking 1 hour to crack and taking 1000 years to crack - or, assuming computers double in power every 1.5 years, it's an additional 15 years of protection).
Random lowercase letters are also relatively easy to type, and can be mentally chunked to about 5 characters so not appreciably harder to transfer mentally from one place to another than syllables.
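The quoted description of the generated format (20 characters, two hyphens, one uppercase letter, one digit, consonant-vowel-consonant syllables) and the comment above comparing it with 20 random lowercase letters both invite the same check: build a generator with those constraints and count how many distinct outputs it can produce. The following is an added example, not Apple's code and not from the talk or the comments; the exact layout is an assumption (three hyphen-separated groups of two CVC syllables, the digit replacing a consonant at the start or end of one group, one remaining letter uppercased, 5 vowels and 21 consonants), so its entropy figure lands near but not exactly on the 71 bits Apple quotes, which presumably reflects a slightly different letter set or placement rule.

```python
import math
import secrets
import string

# Assumed alphabet: plain ASCII vowels and consonants (Apple's real set may differ).
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)  # 21 letters
GROUPS = 3               # assumed: xxxxxx-xxxxxx-xxxxxx
SYLLABLES_PER_GROUP = 2  # assumed: each group is two CVC syllables
DIGITS = "0123456789"


def syllable() -> str:
    """One consonant-vowel-consonant chunk drawn from a CSPRNG."""
    return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)


def generate() -> str:
    """Generate a 20-character password in the assumed Apple-style layout."""
    groups = ["".join(syllable() for _ in range(SYLLABLES_PER_GROUP)) for _ in range(GROUPS)]

    # The single digit stands in for a consonant at the first or last position of one group,
    # so it never breaks the CVC rhythm in the middle of a syllable (assumed placement rule).
    g = secrets.randbelow(GROUPS)
    pos = 0 if secrets.randbelow(2) == 0 else len(groups[g]) - 1
    chars = list(groups[g])
    chars[pos] = secrets.choice(DIGITS)
    groups[g] = "".join(chars)

    # Exactly one of the remaining letters is uppercased (assumed rule).
    letter_positions = [(gi, ci) for gi, grp in enumerate(groups)
                        for ci, ch in enumerate(grp) if ch.isalpha()]
    gi, ci = secrets.choice(letter_positions)
    chars = list(groups[gi])
    chars[ci] = chars[ci].upper()
    groups[gi] = "".join(chars)

    return "-".join(groups)


def matches_format(pw: str) -> bool:
    """Check the structural rules the text states: 20 chars, 2 hyphens, 1 uppercase, 1 digit, CVC syllables."""
    if len(pw) != 20 or pw.count("-") != 2:
        return False
    groups = pw.split("-")
    if [len(g) for g in groups] != [6] * GROUPS:
        return False
    body = pw.replace("-", "")
    if sum(c.isupper() for c in body) != 1 or sum(c.isdigit() for c in body) != 1:
        return False
    for grp in groups:
        for i, ch in enumerate(grp.lower()):
            if ch.isdigit():
                if i not in (0, len(grp) - 1):   # digit only at a group boundary
                    return False
                continue
            if not ch.isalpha():
                return False
            if (ch in VOWELS) != (i % 3 == 1):   # positions 1 and 4 are vowels
                return False
    return True


def format_entropy_bits() -> float:
    """log2 of the number of distinct strings generate() can emit (each parameter choice maps to one string)."""
    syllables = GROUPS * SYLLABLES_PER_GROUP
    letters = syllables * 3
    count = len(CONSONANTS) ** (2 * syllables) * len(VOWELS) ** syllables
    # The digit replaces one consonant: divide that consonant's choices out, multiply by digit value and position.
    count = count // len(CONSONANTS) * len(DIGITS) * (2 * GROUPS)
    count *= letters - 1        # uppercase position among the letters that are not the digit
    return math.log2(count)


def lowercase_entropy_bits(length: int = 20) -> float:
    """Entropy of `length` uniformly random lowercase letters, the comparison the comment makes."""
    return length * math.log2(len(string.ascii_lowercase))


if __name__ == "__main__":
    print(generate())
    print(f"syllable format: {format_entropy_bits():.1f} bits")
    print(f"20 random lowercase letters: {lowercase_entropy_bits():.1f} bits")
```

Under these assumptions the structured format comes out at about 72.2 bits against 94.0 bits for 20 unconstrained lowercase letters, which is the trade the talk describes: the syllable structure, fixed hyphens and single digit and capital cost roughly 22 bits of the theoretical maximum in exchange for a string that is typeable and chunkable.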
PasswordWallet uses Blowfish encryption. Why haven’t they switched to newer successors like Blowfish2 or Twofish, as recommended by the Blowfish creator Bruce Schneier?
I get not using 1Password but is there real concern about iCloud security precluding Passwords’ use rather than PasswordWallet?
@Sean Not really, I just like PasswordWallet’s design and feature set better. I do use Apple Passwords for verification codes and low-value logins that I want to sync to iOS.
@Sean I wasn’t concerned about the security, but I should have been concerned about iCloud syncing.