Apple announces open-source project for password manager developers
Apple on Friday announced a new open-source project to help password manager developers generate passwords that are both strong and accepted by the websites they are meant for.

Credit: Apple
The Password Manager Resources project, one of several open-source Apple projects, lets password manager apps integrate the same website-specific requirements that Apple's iCloud Keychain password manager uses.
According to the documentation, the goal is for password manager developers to collaborate on shared development resources in order to improve quality, document website-specific behaviors and increase user trust.
Those resources catalog website behavior "quirks", such as a site's password rules and which sites share a credential backend. For instance, it is frustratingly common for poorly designed websites to reveal a maximum password length or a special-character requirement only after the user has tried to submit a password. A password manager has no way of knowing those rules either, so the strong password it generates can simply be rejected by the site.
As a first example of this goal, Apple is collecting the password rules of specific sites, such as their length limits and special-character requirements, in a form that developers can integrate into their own apps.
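As an added example (not code from Apple or from the Password Manager Resources project), here is a small Python generator that consumes a rule string written in Apple's `passwordrules` attribute syntax, reports every way a given password breaks a site's rules, and produces a password that complies. The two sites in `SITE_RULES`, their rule strings, the function names `parse_rules`, `violations` and `generate`, and the assumption that the project stores per-site rules in exactly this syntax are all mine, not the page's.

```python
"""Parse machine-readable password rules and generate a password that meets them.

Added example, not code from Apple's Password Manager Resources project. The rule
syntax follows Apple's `passwordrules` attribute grammar ("minlength: 8; required:
upper; allowed: [-];"); how the project itself stores per-site rules is not
described on this page and is assumed here. SITE_RULES is constructed sample data.
"""
import re
import secrets
import string

# Character classes approximating the passwordrules definitions; space is left out
# here (an assumption) so a generated password never ends in whitespace.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set("-~!@#$%^&*_+=`|(){}[:;\"'<>,.?]"),
    "ascii-printable": {chr(c) for c in range(0x21, 0x7F)},
}

# Constructed sample data; the second site does not allow a hyphen, the kind of
# quirk a commenter below hit on a high-profile site.
SITE_RULES = {
    "shop.example": "minlength: 8; maxlength: 16; required: lower; required: upper; "
                    "required: digit; allowed: [~!@#$%^&*];",
    "bank.example": "minlength: 12; maxlength: 20; required: lower, upper; "
                    "required: digit; allowed: [!@#$%^&*_+=]; max-consecutive: 2;",
}


def parse_rules(rules):
    """Each 'required:' property becomes one set the password must draw at least one
    character from; required classes are also allowed. With neither 'required:' nor
    'allowed:' present, any ASCII printable character is allowed."""
    spec = {"required": [], "allowed": set(), "minlength": 1, "maxlength": 64,
            "max-consecutive": None}
    for prop in filter(str.strip, rules.split(";")):
        name, _, value = prop.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("minlength", "maxlength", "max-consecutive"):
            spec[name] = int(value)
        elif name in ("required", "allowed"):
            # A token is a '[...]' custom class (commas allowed inside) or a class name.
            tokens = re.findall(r"\[[^\]]*\]|[^,\s\[]+", value)
            chars = set().union(*(set(t[1:-1]) if t.startswith("[")
                                  else CLASSES[t.lower()] for t in tokens))
            if name == "required":
                spec["required"].append(chars)
            spec["allowed"] |= chars
        else:
            raise ValueError(f"unknown property {name!r}")
    if not spec["allowed"]:
        spec["allowed"] = set(CLASSES["ascii-printable"])
    return spec


def violations(password, rules):
    """List every way `password` breaks `rules`; an empty list means it complies."""
    spec, n, problems = parse_rules(rules), len(password), []
    if not spec["minlength"] <= n <= spec["maxlength"]:
        problems.append(f"length {n} outside {spec['minlength']}..{spec['maxlength']}")
    bad = sorted(set(password) - spec["allowed"])
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    for i, cls in enumerate(spec["required"]):
        if not cls & set(password):
            problems.append(f"missing a character from required class {i + 1}")
    limit, run = spec["max-consecutive"], 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if limit and run > limit:
            problems.append(f"more than {limit} consecutive identical characters")
            break
    return problems


def generate(rules, target_length=20):
    """Generate a compliant password near `target_length` (clamped to the rules)."""
    spec = parse_rules(rules)
    length = min(max(target_length, spec["minlength"]), spec["maxlength"])
    if length < len(spec["required"]):
        raise ValueError("more required classes than the maximum length allows")
    alphabet = sorted(spec["allowed"])
    for _ in range(100):  # a retry is only needed when a max-consecutive run appears
        # One character from each required class, the rest from the allowed set, then a
        # Fisher-Yates shuffle from the CSPRNG so required characters are not always first.
        chars = [secrets.choice(sorted(cls)) for cls in spec["required"]]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        for i in range(len(chars) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        candidate = "".join(chars)
        if not violations(candidate, rules):
            return candidate
    raise RuntimeError("could not satisfy the rules after 100 attempts")
```

Running `violations("Str0ng-Passw0rd!", SITE_RULES["bank.example"])` returns `["disallowed characters: -"]`, which is the check a manager would make before offering a generated password: it rejects the hyphen up front instead of letting the site do so after submission. `generate(SITE_RULES["bank.example"])` returns a 20-character password that passes the same check, and the `max-consecutive` retry loop is what keeps an unlucky draw like `aaa` from slipping through.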
"Every time a password manager generates a password that isn't actually compatible with a website, a person not only has a bad experience, but a reason to be tempted to create their own password," the document reads.
Other aspects of the project include data on websites that share a single sign-in system and webpages where users can change their passwords.
Apple is encouraging developers to incorporate data and other resources from the project into their own apps, with the only stipulation being that they share their own data and findings with the project.
The full details of the project, along with the actual code for use in apps, are available on GitHub.

Comments
Edited to add: This could be abused by whoever breached the site, of course, but the utility of a user authentication data set is the subset of users who used the same password on other services. Or, as in the case of Ashley Madison, the users who have accounts at all. Attackers don't typically care nearly as much about the passwords for the service which was breached.
As for having it automatically change the password, I'd have to see exactly how that mechanism works for me to want to enable it. Right now I prefer the one-way stream of data about sites that may have been compromised.
The only caveat to what I posted previously is that if someone was able to gain nefarious access to my fictionally named "passwords.txt" file, they might be able to create enough arguments that the password options become severely limited in scope, which would make it easy for the party in question to gain access. That said, the solution to this is to create rules for password generators (or the password managers that contain them) that make sure the arguments aren't dangerous for the user.
As a bonus, for companies whose management or compliance departments ignore security advice after the early 80s, one of the machine-readable password requirements could be lifespan. The account password must be changed every 30 days? As long as there's a way to convey that information and a password reset endpoint to the user's password manager, you can still get decent security. Of course, such companies are also the ones which wouldn't provide machine-readable password requirements and which would try to disable pasting in the password field.
It usually works, but I've had it not work even on some high-profile sites -- the one I have in mind excludes the hyphen character, doh.
Another thing I'd like is the ability to generate one of the passwords at will -- sometimes Safari doesn't "get" that I'm on a signup page, and thus fails to generate/suggest a password, forcing me to manually create one until I can try again at a change-password page, where it hopefully recognizes the password fields.
I just started playing around with the open source password manager Bitwarden this week just to get a sense of how easy it is to use compared to my current choice, 1Password. It's not that I dislike 1Password at all, it's just that I'm always looking to get a sense of what's happening in the open source community. I also believe that fundamental utilities that are essential on every platform, like password management, should be interoperable across multiple platforms and should probably be open source. So far I've been able to use Bitwarden on Mac, Windows, 64-bit Linux, and Raspberry Pi OS (32-bit) using a Chrome plug-in in Chromium.
The notion of having personal tangible assets, like account login credentials, locked into a proprietary solution, or worse a subscription model that can expire (like when you miss a payment, expire, or the software vendor goes belly-up) is somewhat of a concern. Yeah, most of the current proprietary models have safeguards in place for most common scenarios, like allowing someone else to have an access key in case you take the big dirt nap. Being open source doesn't guarantee eternal support either, but I believe that being open source increases the probability of continued support well beyond the "commercial viability threshold" that most proprietary solutions would allow.
Kudos to Apple.
Right click on the offending field
Show a series of numbered squares.
Congratulations. You just flunked Apostrophe School.
Banks in general have incomprehensibly awful security, but that's beyond the pale.