Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Programming Apple IT

Apple Launches Open Source Project to Let Password Management Apps Create Strong Passwords (macrumors.com) 38

Apple today informed developers that it has launched a new open source project that's designed to let those who develop password management apps create strong passwords compatible with popular websites. From a report: The new Password Manager Resources open source project allows password management apps to integrate website-specific requirements used by the iCloud Keychain password manager to generate strong, unique passwords. "Many password managers generate strong, unique passwords for people, so that they aren't tempted to create their own passwords by hand, which leads to easily guessed and reused passwords. Every time a password manager generates a password that isn't actually compatible with a website, a person not only has a bad experience, but a reason to be tempted to create their own password. Compiling password rule quirks helps fewer people run into issues like these while also documenting that a service's password policy is too restrictive for people using password managers, which may incentivize the services to change," the company said.
This discussion has been archived. No new comments can be posted.

Apple Launches Open Source Project to Let Password Management Apps Create Strong Passwords

Comments Filter:
  • by dgatwood ( 11270 ) on Friday June 05, 2020 @01:25PM (#60149776) Homepage Journal

    The problem isn't the complex set of rules. The problem is that passwords are the wrong tool for the job. If Apple wants to help, it should try to find ways to make it easier for websites to adopt OpenID, not make it easier for them to continue the status quo.

    • by AmiMoJo ( 196126 )

      Passwords are okay, they just need to be combined with 2FA. I actually like having different passwords for each site rather than using OpenID or similar because centralised identity verification means a single point of failure.

      Apple do seem to have this arse about face though. Instead of adapting the passwords to match what the site can cope with they should just mandate that sites accept good passwords.

      • by tlhIngan ( 30335 )

        Instead of adapting the passwords to match what the site can cope with they should just mandate that sites accept good passwords.

        And yet, such strategies don't work.

        Forcing webmasters to fix their password policy just so you can use your password manager of choice? It's just as likely they'll push back and say "We don't support Mac. Use Windows." or other nonsense.

        And some of the worst offenders would be intranet servers at corporations, where due to legacy all sorts of crap happens, and the chance corporat

        • by AmiMoJo ( 196126 )

          Supporting iPhone is pretty much mandatory, it's a big chunk of the mobile market.

          They could make it optional but display a warning along the lines of "this web site may not support strong passwords", like how many browsers warn when accessing unencrypted HTTP sites now. No breakage but a strong incentive to suck less.

        • Here's an offender that I had to deal with: HMRC (for non-Brits: The UK tax office). I had a login with a Safari-supplied password. One day it stopped working. They had changed their password rules, and _my existing password_ didn't fit the new rules. And that's not a random website, that's a site that I need to use to pay my taxes.
          • If the change was to force a better-quality password, I can see that. People often don't change passwords for ages, especially if trying to to re-use them. A little warning and explanation would be nice, though, not just "your password is no longer good here" - hopefully they allowed you to change it.

      • How about GPG. Sign up with a username and a public key. The server can send a random blob of data that's encrypted to the public key, and your browser could automatically decrypt it and send it back with the servers public key. It could potentially eliminate a lot of TLS BS. I don't care if Bank of America has assert signed by Veresign, just that it can decrypt data using the public key I already have on file for them. Maybe even a key I exchanged when I opened an account with them in the physical bank.
    • by rho ( 6063 )

      Lots of websites have adopted OpenID, or something close to it. They just make you use Facebook, Google, Twitter, LinkedIn, etc.

      I don't want to use any of the privacy abusing services, and I sure don't want to be forced to manage what information RandomDotCom.com requests from these accounts.

      • And, of course, Google, MS, etc will ask for your password THERE, plus a 2FA code if that's enabled (and why isn't if if it's not?). One way or another, you still need a password, and I'd rather not have Google for instance tracking my secure logons all over the web.

        Keepass and other PW managers can generate passwords that follow all sorts of rules. Why not use one of those, now?

    • No thanks, I don't want a third-party knowing where I bank, where I post family pictures, and where I tell people on the Internet that they're wrong. OpenID is a fine system, and it's a massive improvement over the status quo for a great many people, but some of us want more control over our privacy than it provides.

      Towards that end, I want a non-intermediated, unique relationship between myself and each organization with which I do business, which means having an account with them that isn't tied to anythi

      • by dgatwood ( 11270 )

        No thanks, I don't want a third-party knowing where I bank, where I post family pictures, and where I tell people on the Internet that they're wrong. OpenID is a fine system, and it's a massive improvement over the status quo for a great many people, but some of us want more control over our privacy than it provides.

        Towards that end, I want a non-intermediated, unique relationship between myself and each organization with which I do business, which means having an account with them that isn't tied to anything or anyone else.

        And that's fine. OpenID shouldn't be the only option. Users should have the choice of having individual accounts or using a shared identity, on a per-site basis.

        BUT — and here's the big but — for 99% of websites, that account sign-in process should still not use passwords. A much better scheme would involve the browser generating a unique PK key pair and sending the public key to the server. The server would then sign a nonce with that key, and the browser would display that nonce. Then,

      • Great. And the way to achieve this self-sovereign identity is to require that web service signups will not ask for an email address.

        Every email is transmitted in plaintext across five-eyes jurisdictions and multiple ISPs and contain the exact information you are describing.

    • The âoecorrectâ solution is for even one to have a client certificate for each âoeidentityâ they have online. Copying and maintaining the key for their client certificate can then be handled through any system they want, such as they own storage, or logging into a single trusted provider.
      • by dgatwood ( 11270 )

        Agreed in principle, though the way client certificates are done in HTTPS right now is pretty much broken beyond repair, IIRC, and would need to be completely rethought.

    • There is no OpenID, just other people's passwords.

    • by fermion ( 181285 )
      I have cases where all credentials are handled by a third party token key, i.e your cell phone. I have cases where there is weak security for entry, the a third token is needed to verify operations.

      Security is a balance between ease of use and defense. A key lock is easy to use but easy to break. Passwords are often insecure because secure passwords are hard to use. Passwords managers allow us to use more secure passwords, but have drawbacks. In apples case it is that you tend to lose data between devices

  • Is Apple doing this for humorous purposes? Apple is the same company that wont allow chrome and firefox to use the OS keychain/safari password store. Why don't they allow that first?

  • How about no mmmkay? I don't want my passwords in the cloud even if they are generated by open source.

    • Idiots indeed. Someone sees "cloud" and starts frothing at the mouth while writing an angry clueless rant. Your passwords don't get stored in the cloud and this has zero to do with storing passwords in the cloud, something you'd know if you read the summary and actually understood it as well.

  • They should offer free 2FA services for websites as apps. No lock can't be broken, but 2FA is time consuming and difficult enough to make most attempts a unprofitable.
  • And you can't use apg because...?

    • That would be answered if you had a clue about what this is doing, but for that I guess you'd need to read the summary.

  • with 2FA everywhere that requires username and a 6 digit PIN

    failing that, long plain alphabetic "pass phrases" are superior to passwords of limited length no matter how complex you make them and of course the problem with a long complex password is no one can remember the dozens required for modern life

    • That's what this article is about. Apple generates very long passwords with tons of entropy - but too many sites have stupid rules that disallow these passwords. So here we have an open source project that tries to collect which stupid rules which website is used, so that the Safari password manager and every other password manager can generate passwords that are secure, and that fit the rules of each site. A very low tech and common sense approach.
  • Stop with this whole complexity thing and "trying to protect the user" garbage!

    The age old established rule that a password must be at least x characters and no more than y characters is nuts. Allow the user to put in as short of a password, or as long of a password with any variety of character (heck even emoji should be allowed). Then transform this to something that is hashable, hash it and store the hash. When the user re-enters, re-hash what they give you and compare it to the stored hash.

    Now if
    • Stop with this whole complexity thing and "trying to protect the user" garbage!

      The age old established rule that a password must be at least x characters and no more than y characters is nuts. Allow the user to put in as short of a password, or as long of a password with any variety of character (heck even emoji should be allowed). Then transform this to something that is hashable, hash it and store the hash. When the user re-enters, re-hash what they give you and compare it to the stored hash.

      Now if the user wants a password to be "12345" or "password", that is on them not you. But for the love of god stop making me put in at least 1 upper case, 1 lower case, 1 number, 1 symbol (but only from a limited set of symbols), more than 12 characters, but no more than 16 characters. This isn't security, this is just repeating the same mistakes over and over again.

      I for one tend to use phrases for passwords, long 32+ character phrases. When I can't enter these because some site has deemed a max of 16 characters or some stupid enforcement that I can't use words, or some symbol; then I have to write the thing down somewhere because of an artificial limit you have placed on your software!

      This.

      https://xkcd.com/936/ [xkcd.com]

      https://xkcd.com/792/ [xkcd.com]

    • For lots of sites, I WANT to use a super short, simple/guessable password. I'm looking to just download a driver or single file, and the site forces a registration. Great, you get a stupid user name, a disposable e-mail address, and a password I don't even care about. But NOOOO... It's got to be 12 to 24 characters, have an upper and lower case letter, contain a special character (other than $ or # or some other character), and cannot contain more than 3 characters in common with your username.
    • This. And the worst is that it could even be more secure. Just implement state of the art attack detection to limit the number of tries and report to the user his account is under attack, but do not lock it !. 2FA is fine as well, on top of it.

      All these stupid rules came from math on local attacks (i.e. I have the hash and want to brute force it). But those attacks are a lost cause now. If you want to truly defend against those, you would require extra-long, truly random passwords. So, password managers or

      • by bob4u2c ( 73467 )

        This. And the worst is that it could even be more secure. Just implement state of the art attack detection to limit the number of tries and report to the user his account is under attack, but do not lock it !. 2FA is fine as well, on top of it.

        Sort of the right idea. Instead monitor from where the login request is coming from (ip address/host), then limit the attempts from this host to no more than say 7 attempts in 7 minutes. That gives a legit user 7 chances to login (usually after the couple of attempts they realize they incremented the only digit in their password by 1 last time). More than 7 attempts and the user has no idea or isn't the right user. Also if they don't wait the 7 minutes it resets the lock out period again.

        Now the plus

        • limit the attempts from this host to no more than say 7 attempts in 7 minutes

          And that's the completely wrong approach. If I have a password that can be guessed then I don't have a password. If I can't remember whether I added an 11 or a 12 at the end after I was forced 11 or 12 times to change my password, that's just nonsense. Safari (which we are talking about here) generates passwords with about 70 bits of entropy. That's uncrackable if your site doesn't store passwords.

          • by bob4u2c ( 73467 )

            Safari (which we are talking about here) generates passwords with about 70 bits of entropy.

            This is exactly the problem, your using some password manager to store your passwords which is way less safe the knowing your password. If your device is compromised, lost, or dies, there goes all your passwords. Backing these up to some cloud storage is also a bad idea as that to will be eventually cracked or leaked. Storage tools no matter how well built will be cracked. That is the first rule of security, all encryption will be broken at some point. On top of that a random generated password does y

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...