Apple announces open-source project for password manager developers

Posted:
in General Discussion
Apple on Friday announced a new open-source project to help password manager developers create stronger and better-compatible passwords for users.

Credit: Apple
Credit: Apple


The so-called Password Manager Resources initiative, one of several open-source Apple projects, allows password manager apps to integrate web-site specific requirements used by the iCloud Keychain password manager in their own apps.

According to the documentation, the goal is to have password app makers collaborate on development resources to improve quality, document website-specific behaviors and improve user trust.

Some of those resources include website behavior "quirks" including specific password guidelines and credential backends. For instance, it's frustratingly common for poorly-designed websites to only tell users that they have a specific maximum password length, or requirements for special characters, after the user has tried to enter one. Regular password managers have no way to know a site's rules either, so the strong passwords they create can then be rejected by the site.

As an example of the goal of the project, Apple is collecting data on specific password rules of certain sites -- such as this use of special characters and length requirements -- and allowing developers to integrate this data in their own apps.

"Every time a password manager generates a password that isn't actually compatible with a website, a person not only has a bad experience, but a reason to be tempted to create their own password," the document reads.

Other aspects of the project include data on websites that share a single sign-in system and webpages where users can change their passwords.

Apple is encouraging developers to incorporate data and other resources from the project into their own apps, with the only stipulation being that they share their own data and findings with the project.

The full details of the program, along with the actual code for use is apps, is available on Github.

Comments

  • Reply 1 of 20
    XedXed Posts: 1,106member
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    focher
  • Reply 2 of 20
    lkrupplkrupp Posts: 9,633member
    I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.
    paxmanRayz2016
  • Reply 3 of 20
    zimmiezimmie Posts: 568member
    I wonder if this per-site data could be used to shame a few companies into improving their password policies. Kind of like Password is Too Strong on Twitter, but with the backing of one of the biggest companies in the world.
    StrangeDays
  • Reply 4 of 20
    zimmiezimmie Posts: 568member
    Xed said:
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    On the topic of providing password requirements in a machine-readable way, I would also like to see password rotation exposed in a consistent way. Site announces a breach? Hit the button in your password manager to rotate the password, or have your password manager do it automatically. Done.

    Edited to add: This could be abused by whoever breached the site, of course, but the utility of a user authentication data set is the subset of users who used the same password on other services. Or, as in the case of Ashley Madison, the users who have accounts at all. Attackers don't typically care nearly as much about the passwords for the service which was breached.
    edited June 2020
  • Reply 5 of 20
    paxmanpaxman Posts: 4,678member
    lkrupp said:
    I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.
    Ditto.
  • Reply 6 of 20
    SpamSandwichSpamSandwich Posts: 33,408member
    What could possibly go wrong?
    williamlondon
  • Reply 7 of 20
    XedXed Posts: 1,106member
    zimmie said:
    Xed said:
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    On the topic of providing password requirements in a machine-readable way, I would also like to see password rotation exposed in a consistent way. Site announces a breach? Hit the button in your password manager to rotate the password, or have your password manager do it automatically. Done.

    Edited to add: This could be abused by whoever breached the site, of course, but the utility of a user authentication data set is the subset of users who used the same password on other services. Or, as in the case of Ashley Madison, the users who have accounts at all. Attackers don't typically care nearly as much about the passwords for the service which was breached.
    1Password has Watchtower, which looks for websites that have been breached or has updated their SSL certificate. What I propose could simply be a universal notice on this "passwords.txt" page that suggests a user change their password, which will then be displayed by the password manager.

    As for having it automatically change the password, I'd have to see exactly how that mechanism works for me to want to enable it. Right now I prefer the one-way stream of data about sites that may have been compromised.
  • Reply 8 of 20
    XedXed Posts: 1,106member
    zimmie said:
    I wonder if this per-site data could be used to shame a few companies into improving their password policies. Kind of like Password is Too Strong on Twitter, but with the backing of one of the biggest companies in the world.
    LOL That Twitter account cracks me up.



    The only caveat to what I posted previously is that if someone was able to gain nefarious access to my fictionally-named "passwords.txt" file, they might be able to create enough arguments that the password options become severely limited in scope which would make it easy for the party in question to access. That said, the solution to this is to create rules that password generators (or the password managers that contain them) that make sure the arguments aren't dangerous for the user.
    edited June 2020
  • Reply 9 of 20
    zimmiezimmie Posts: 568member
    Xed said:
    zimmie said:
    Xed said:
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    On the topic of providing password requirements in a machine-readable way, I would also like to see password rotation exposed in a consistent way. Site announces a breach? Hit the button in your password manager to rotate the password, or have your password manager do it automatically. Done.

    Edited to add: This could be abused by whoever breached the site, of course, but the utility of a user authentication data set is the subset of users who used the same password on other services. Or, as in the case of Ashley Madison, the users who have accounts at all. Attackers don't typically care nearly as much about the passwords for the service which was breached.
    1Password has Watchtower, which looks for websites that have been breached or has updated their SSL certificate. What I propose could simply be a universal notice on this "passwords.txt" page that suggests a user change their password, which will then be displayed by the password manager.

    As for having it automatically change the password, I'd have to see exactly how that mechanism works for me to want to enable it. Right now I prefer the one-way stream of data about sites that may have been compromised.
    Yes, but with Watchtower, you still have to visit the site in a browser and poke around until you find that specific site's password reset link. I'm saying there should be a URL within the site where you can send an authenticated PUT with a new password, and it will change the account's password to what you just sent. That URL should then be listed in the same place as the machine-readable password requirements.

    As a bonus, for companies whose management or compliance departments ignore security advice after the early 80s, one of the machine-readable password requirements could be lifespan. The account password must be changed every 30 days? As long as there's a way to convey that information and a password reset endpoint to the user's password manager, you can still get decent security. Of course, such companies are also the ones which wouldn't provide machine-readable password requirements and which would try to disable pasting in the password field.
  • Reply 10 of 20
    StrangeDaysStrangeDays Posts: 11,764member
    But but but people said Tim Cook hates open source! lol
    williamlondon
  • Reply 11 of 20
    StrangeDaysStrangeDays Posts: 11,764member
    What could possibly go wrong?
    People could keep using manual passwords.
    williamlondon
  • Reply 12 of 20
    StrangeDaysStrangeDays Posts: 11,764member

    lkrupp said:
    I usually let Apple's Keychain app generate a strong password and those almost always work.
    It usually works, but I've had it not even on some high profile sites -- the one I have in mind excludes the hyphen character, doh.

    Another thing I'd like is the ability to generate one of the passwords at will -- sometimes Safari doesn't "get" that I'm on a signup page, and thus fails to generate/suggest a password, forcing me to manually create one until I can try again at a change-password page, where it hopefully recognizes the password fields.
  • Reply 13 of 20
    nicholfdnicholfd Posts: 716member
    Another thing I'd like is the ability to generate one of the passwords at will -- sometimes Safari doesn't "get" that I'm on a signup page, and thus fails to generate/suggest a password, forcing me to manually create one until I can try again at a change-password page, where it hopefully recognizes the password fields.
    You can use the Keychain app for this.  Open the Keychain app and hit Cmd-n for a New item.  Click the "key" button.  Choose your type & length, and you'll get a drop-down of 10 passwords.  Pick one or pick "More suggestions" to see another 10 passwords generated.  Hit Cmd-c top copy your choice to the clipboard.  Past it into the web site.
  • Reply 14 of 20
    seanismorrisseanismorris Posts: 1,624member
    Having Apple’s Keychain App cross platform would be more useful.  

    We don’t need more password managers.  We need one we trust available everywhere.  Then, we need better hardware keys that work everywhere... iOS, MacOS, Linux, Windows, Android.

    I want an iOS hardware key that works at boot authentication, and not just for websites.  Biometrics + hardware key (or password) would be beautiful.  Password managers should be doing only half the job, that way if your manager is compromised you’re not. 
  • Reply 15 of 20
    dewmedewme Posts: 3,946member
    This is rather interesting and heartwarming to see Apple continuing to promote the open source community. Apple's release of Swift to the open source community ranks as one of the most rewarding and productive open source software investments that Apple has made in the past decade. The Swift language is really blossoming.

    I just started playing around with the open source password manager Bitwarden this week just to get a sense of how easy it is to use compared to my current choice, 1Password. It's not that I dislike 1Password at all, it's just that I'm always looking to get a sense of what's happening in the open source community. I also believe that fundamental utilities that are essential on every platform, like password management, should be interoperable across multiple platforms and should probably be open source. So far I've been able to use Bitwarden on Mac, Windows, 64-bit Linux, and Raspberry Pi OS (32-bit) using a Chrome plug-in in Chromium. 

    The notion of having personal tangible assets, like account login credentials, locked into a proprietary solution, or worse a subscription model that can expire (like when you miss a payment, expire, or the software vendor goes belly-up) is somewhat of a concern. Yeah, most of the current proprietary models have safeguards in place for most common scenarios, like allowing someone else to have an access key in case you take the big dirt nap. Being open source doesn't guarantee eternal support either, but I believe that being open source increases the probability of continued support well beyond the "commercial viability threshold" that most proprietary solutions would allow. 

    Kudos to Apple.
    edited June 2020
  • Reply 16 of 20
    shanegshaneg Posts: 5member
    Xed said:
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    Apple has access to everything in your iCloud account data.   They already go through and check images in your iCloud account.   Read Apples polices on iCloud data.   So whats to stop Apple from now collecting your passwords?  Nothing, especially since this open source password manager uses Apples iCloud Keychain for password generation.
  • Reply 17 of 20
    XedXed Posts: 1,106member
    shaneg said:
    Xed said:
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    Apple has access to everything in your iCloud account data.   They already go through and check images in your iCloud account.   Read Apples polices on iCloud data.   So whats to stop Apple from now collecting your passwords?  Nothing, especially since this open source password manager uses Apples iCloud Keychain for password generation.
    First of all, no. Second, did you actually read my comment because making a foolish anti-Apple comment with a new account? Answer: no.
    StrangeDaysroundaboutnowRayz2016
  • Reply 18 of 20
    Rayz2016Rayz2016 Posts: 6,957member
    paxman said:
    lkrupp said:
    I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.
    Ditto.
    Same here. 

    Lots of banks use annoying setups that require you to enter something like the 4th, 8th and 22rd character from your password. What I’d like to see in a password app:

    Right click on the offending field
    Show a series of numbered squares. 
    Click a square to fill in that character from your password. 
  • Reply 19 of 20
    Rayz2016Rayz2016 Posts: 6,957member

    shaneg said:
    Xed said:
    One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.
    Apple has access to everything in your iCloud account data.   They already go through and check images in your iCloud account.   Read Apples polices on iCloud data.   So whats to stop Apple from now collecting your passwords?  Nothing, especially since this open source password manager uses Apples iCloud Keychain for password generation.
    Congratulations. You just flunked Apostrophe School. 
    edited June 2020
  • Reply 20 of 20
    zimmiezimmie Posts: 568member
    Rayz2016 said:
    paxman said:
    lkrupp said:
    I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.
    Ditto.
    Same here. 

    Lots of banks use annoying setups that require you to enter something like the 4th, 8th and 22rd character from your password. What I’d like to see in a password app:

    Right click on the offending field
    Show a series of numbered squares. 
    Click a square to fill in that character from your password. 
    If my bank did that, I would drop them immediately. To be able to do this, the bank must be storing your password in clear text. There is no possible justification for that. The most fundamental rule of password authentication is to never store the password in the same form the user provides.

    Banks in general have incomprehensibly awful security, but that's beyond the pale.
Sign In or Register to comment.