How Apple generates strong passwords to be user friendly


Apple’s algorithm generates strong passwords that are easier to type on gamepads and weird keyboard layouts without compromising security.


Apple’s platforms allow you to generate unique passwords that can’t be breached with brute-force methods. While these passwords are random, they’re created to be easier to type on unusual keyboard layouts like game controllers and TV remotes.

Did you notice that the strong passwords you can generate on your iPhone, iPad and Mac consist of two-syllable fake words, dominated by lowercase characters, such as “humxux-mapnoH-5cisja” or “cAtvu5-pahjux-bomvod”?

According to Ricky Mondello, Apple’s software engineering manager responsible for leading Apple’s Authentication Experience team, this is by design.

How Apple generates strong passwords to be user-friendly

On his blog, Mondello pointed to a 2018 video where he discussed a new, more user-friendly format for strong passwords adopted in iOS 12 and macOS Mojave. In short, Apple’s algorithm intentionally creates strong passwords dominated by lowercase characters in order to make them easier to type on foreign keyboards, keyboards with weird layouts and input devices like gamepads.

“These new passwords are 20 characters long,” he said. “They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is the hyphen. We put two of them in there and a single digit.”

“And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables,” like consonant, vowel and consonant patterns. But these aren’t real syllables as defined by any language.

“We have a certain number of characters we consider to be consonants, which is 19,” he said. “Another set we consider to be vowels, which is six. And we pick them at random. There are five positions where the digit can go, which is on either side of the hyphen or at the end of the password.”

The new format is more secure than before

That doesn’t make these passwords any less secure than the old format, which included special characters and more uppercase ones. Actually, they’re more secure. “So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format,” he said.

Another interesting tidbit is that generated passwords are filtered against an on-device dictionary of offensive terms to avoid offensive substrings.
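The format and the entropy figure quoted above can be reproduced with a short model. This is an added example, not Apple's code: the exact letter sets (which consonant is dropped, `y` counted as a vowel), the `CVCCV`-plus-digit layout of the group holding the digit (inferred from the two sample passwords), and a uniformly chosen uppercase letter are assumptions, and the offensive-term filter is not modeled.

```python
import math
import secrets

# Assumed alphabets: the article gives only the counts (19 consonants, 6 vowels).
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjkmnpqrstvwxz"  # 20 consonants minus "l" (assumed exclusion)
DIGITS = "0123456789"
# The five digit slots named in the quote, as (group index, digit at end of group).
DIGIT_SLOTS = [(0, True), (1, False), (1, True), (2, False), (2, True)]


def _letters(pattern):
    """Draw one random letter per pattern symbol: C = consonant, V = vowel."""
    return [secrets.choice(CONSONANTS if s == "C" else VOWELS) for s in pattern]


def generate_password():
    """Return a 20-character password: three 6-character groups joined by hyphens."""
    digit_group, at_end = secrets.choice(DIGIT_SLOTS)
    groups = []
    for i in range(3):
        if i == digit_group:
            body = _letters("CVCCV")  # five letters, the digit fills the sixth place
            digit = secrets.choice(DIGITS)
            groups.append(body + [digit] if at_end else [digit] + body)
        else:
            groups.append(_letters("CVCCVC"))
    # Upper-case exactly one of the 17 letters, chosen uniformly.
    letter_pos = [(g, k) for g in range(3) for k in range(6)
                  if groups[g][k].isalpha()]
    g, k = secrets.choice(letter_pos)
    groups[g][k] = groups[g][k].upper()
    return "-".join("".join(grp) for grp in groups)


def entropy_bits():
    """log2 of the number of distinct passwords this model can emit."""
    combos = (len(CONSONANTS) ** 11 * len(VOWELS) ** 6
              * len(DIGITS) * len(DIGIT_SLOTS) * 17)
    return math.log2(combos)


if __name__ == "__main__":
    print(generate_password(), f"{entropy_bits():.2f} bits")
```

Under these assumptions the model yields about 71.97 bits, in line with the 71 bits quoted above.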

You can have your device generate strong, unique passwords when autofilling forms or within iOS 18’s new Passwords app. By default, strong passwords are mostly in lowercase and without special characters. Optionally, create unique passwords with special characters to make them even stronger (and harder to type).


