Note: This post is intended for people interested in using and contributing to the Password Manager Resources open source project. I am writing it in a personal capacity, as a maintainer and contributor to an open source project that I am passionate about.
I recently contributed two new quirks to the Password Manager Resources open source project that I want folks to know about.
(Quirks? Open source project? This open source project is, “a place for creators and users of password managers to collaborate on resources to make password management better”. The project contains “quirks” — data that pertains to specific websites, that can make the experience of using a password manager on those websites better.)
The first quirk expresses relationships between apps and websites. From the project README:
The file apple-appIDs-to-domains-shared-credentials.json expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an association with domains. The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the Credential Provider Extension mechanism.
The JSON file is a map from App Identifier to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple’s App Store.
That is, if you know of an app that doesn’t get specific passwords suggested on the QuickType bar, and instead has a generic “Passwords…” button, you can file an issue about it or contribute a fix.
The second quirk is a bit more esoteric. From the project README:
The file quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an <iframe> on a website. These payment processors may ask for banking credentials directly, without using OAuth.
A password manager may wish to not offer to save a new password submitted in such an <iframe>, because the credentials are likely to not be for the service itself.
I love this project. It’s been a delight to work with folks at 1Password, Dashlane, and the enthusiastic users of password managers to make password management better for everyone. If you’re interested in contributing to the project, it’s pretty easy, and you’ll be joining the over 200 people who already have made contributions!
Thanks for dropping by to learn about these two new quirks. :)
I’ve never attended a conference before in a personal capacity[1]. Sure, I’ve worked events my employer has put on and spoken at conferences about what I do professionally, but I’d never paid money to show up somewhere just to learn, get inspired, or hang out. That changed a few weeks ago, when I visited Portland, OR to attend the final XOXO Festival.
I genuinely had one of the best times of my life at XOXO. From the first lovely moment until the very last, I was smiling like a goofball. The kind of happy where you spontaneously wiggle or catch yourself skipping a little bit. (I have to assume that other people skip involuntarily when they’re happy. Let me know.)
Why did I have such a great time?
Andy Baio and Andy McMillan, the founders, created an event where it was possible to fully participate while having a chance of avoiding contracting COVID–19. The festival had a firm policy around masking indoors and handed out masks to folks who needed them. More importantly, it was possible and convenient to participate outdoors, with a dedicated outdoor area for viewing talks and having conversations. That safety allowed me to actually enjoy myself, rather than feel like I was fighting another skirmish in my war against getting sick with COVID–19.
I ran into and got to catch up with internet friends who I had no idea were going, who I hadn’t seen in person since before the start of the pandemic. It was so nice to see them!
I got to introduce myself to people who I admire and tell them exactly what their work has meant to me, which I something that I love doing. And some people were kind enough to introduce themselves to me and tell me what my work has meant to them, which catches me off guard every time it happens.
The event self-selected for warmth and kindness. If you and another person started chatting, you were pretty much guaranteed to have a pleasant and meaningful conversation.
The event also self-selected for people who were comfortable and sometimes eager to talk about burnout, which is something that I’ve slowly been healing from by blowing up my life. I found it really helpful to talk about my feelings around burnout.
There was a gentleness to everyone who was there. It felt like we were all doing the work to heal after the collective traumas of the last few years. I had some particularly nice downtime sitting alone, but together, with someone who I had just met.
Strangers paid me compliments about choices that I had intentionally made about my appearance in a way that was welcome and not creepy. This by itself was delightful, but it again reflects on the thoughtfulness of the community.
I want to thank the Andys, everyone who sponsored and volunteered to work the event, and all of the attendees for making it such a great time. In a world where many of us are more isolated than ever, I think it’s critically important to connect with people in the way that XOXO facilitated.
If you’ll let me get a little woo-woo for a second: Why are we alive if not to connect with other people? Our consciousness is so precious. It’s mind-blowing that any one of us exists and knows that we exist — let alone that we can share feelings, spaces, and thoughts with each other. To wrap oneself in the blanket of a community where that happens is so beautiful to be almost sacrosanct.
See y’all online,
<3
Okay, fine. I attended a single conference before this one: jQuery Conference 2010: Boston on a student scholarship. Three things about that conference:
My bicycle was stolen the first day of the event; I eventually got that bike back, but whoever stole it messed it up really bad.
I decided to strike up a conversation with John Resig, creator of jQuery. I told him that I thought that jQuery Mobile was a weird name for the framework because jQuery was an all-purpose utility library, but jQuery Mobile was just another super-opinionated mobile UI development framework. He did not ask for that feedback, nor did he want it. I learned a lot from that interaction.
Rebecca Murphey changed my life by giving a talk that could be summarized as, “Learn JavaScript. Stop living your life in frameworks and learn the damn language.” ↩
Important Note: Although I work at Apple and am deeply involved in the creation of its new Passwords app, in this post I am speaking only for myself and not for Apple. There is no “news” in this post, or any kind of “inside scoop”. My intention is to help the kind of person who would read a blog post about password managers think about and manage their credential data better.
You may find yourself wanting to move your passwords and verification codes to Apple’s new Passwords app from whatever app you’re using right now. If so, awesome! (And you have great taste!)
In this post I’ll discuss two different strategies for doing this: The Bulk Import Method and The Online Method. The Bulk Import Method involves exporting your data from your current password manager and importing it into Passwords, whereas The Online Method involves moving credentials over one-at-a-time by signing in to their associated accounts, cleaning up your collection in the process.
“The Tortoise and the Hare”, from an edition of Aesop’s Fables illustrated by Arthur Rackham, 1912; Get it?
As you read through this post, I challenge you to consider slowing down when moving your data. Rather than expect the process to take ten minutes, use the once-every-ten-years event of switching password managers as an opportunity to scrub your data, create some passkeys, enable two-factor authentication, and touch base with old websites and apps that might have something to offer you. By using this process, you’ll have a clean start with your beautiful new app, prove to yourself that all of your data made it over, and expedite the process of actually, finally, for real, ditching your old password manager.
Okay, let’s define and discuss the two methods.
The Bulk Import Method
As of the publish date of this post (September 2024), it is only possible to do a bulk move of your data with a Mac. It is relatively uncommon for password managers for iOS and iPadOS to offer exporting and importing functionality. Although it’s possible to import your passwords into Apple Passwords from Safari or the Passwords pane in System Settings prior to macOS Sequoia, I strongly recommend doing it from the Passwords app on macOS Sequoia, because its importer is more robust than the one in older versions of macOS.
The Bulk Import Method is ideal when Passwords is not currently the canonical home of any of your data, but you want it to become that single source of truth. Why? Because if there is no data in the Passwords app, importing (and verifying) new data will go more smoothly. Consider this: if you don’t know, across multiple password managers, which of your entries is current and which are old-and-busted, you can’t really expect today’s software to know that for you. The messier your data, the more you should consider augmenting The Bulk Import Method with The Online Method.
Either way, I recommend starting clean in Passwords. Removing old, non-canonical entries will allow the import to go more smoothly. The Passwords app has a “Recently Deleted” section, so it’s always safe to delete something in the app.
In the Passwords app, you can trigger an import from the File menu › Import Passwords…
The software will ask you to provide a CSV file containing your passwords exported from your current app. Treat that plaintext CSV file of your data like a hot potato or contamination that you need to clean up! It has all your passwords in it! For you, being safe may involve not saving it to a cloud filesystem, putting it in a place where backup software won’t capture it, and deleting it as soon as you’re done with it.
The Passwords app may tell you that it could not import some of your data. If this happens, it’ll offer guidance for dealing with data that conflicts with data Passwords already has saved, and it’ll tell you when some entries weren’t able to be imported because the shape of the data didn’t fit with what Passwords supports.
If you’re like me, after you’ve imported your data, you’ll say to yourself, “That’s it? I’m done?” You’ll relax for a moment, and suddenly blurt out, “Wait, how do I know that all of my data correctly made it over? I guess I’ll have to keep my old password manager around forever, just in case?”
Good news! Applying The Online Method can give you the confidence to ditch the old app forever.
The Online Method
With or without a Mac, there is a straightforward but time-consuming way to move your data that will give you 100% confidence that you’ve moved it all over. I call it The Online Method because it encourages you to touch base with (read: sign in to) every online service you have an account saved for. The “algorithm” for this method, is, roughly:
for each credential entry in your current password manager with a website:
sign in to that website with the assistance of your current password manager
accept Passwords’ offer to save your user name and password
if you have a time-based one-time password or TOTP (a rotating verification code like you’d see in Google Authenticator) attached to the account:
visit the security settings for the website
turn off the current time-based one-time password enrollment
set up a new time-based one-time password:
if offered a QR code to scan with your phone, first try to right-click or tap and hold on it; in many cases you’ll be offered an option to “Set up Verification Code” or “Add Verification Code in Passwords”
critical: sign out of the website and then sign back in, only with the assistance of AutoFill from the Passwords app, ensuring that your next sign-in experience will be effortless
optional but recommended: fix up your account security while you’re there
if your password is one that you created — that is, if it has any kind of emotional significance or human-readable pattern in it — upgrade it to a strong password
create/add a passkey to your account, if the website offers it
turn on “two-factor” or “multi-factor” authentication for the account; see the tip above for the easiest experience when setting up verification codes in Apple Passwords
if the online service does not exist anymore:
choose whether to delete or keep your old credentials; I recommend not being precious about them; if by some miracle the defunct service comes back, you’ll almost certainly be able to reset your account via your email address
for each credential entry in your current password manager without a website:
manually add the information to Passwords (the Passwords app accepts entries without websites)
for each non-credential entry in your current password manager:
find a home for it in Passwords or a password-protected note in Apple Notes
Benefits of The Online Method
When you’re done, your collection of credentials will all be for valid accounts that you care about, eliminating that “wild west” or “junk drawer” feeling in your collection. Given that we live so much of our lives online, a clean password manager can be the difference between logging in to get the tickets and buying them aftermarket.
If you go on the optional and recommended side quest, your accounts will have a better security posture!
This one’s a little goofy and sentimental, but I mean it: you may remind yourself about things you care about or once cared about. If you’re like me, you’ll feel wistful when re-visiting the outposts of your online life.
The Online Method is almost Marie Kondo-like; you touch each of your saved items and ask yourself, “Does this spark joy?”
You Can Combine Both Methods
If you bulk-import your passwords, you can then clean them up using The Online Method. You’ll use the steps above, but now the “your current password manager” referenced in the first line is Apple Passwords. This can save you a lot of time while still delivering the benefits of slowing down.
I know, I know. I wrote an entire post advocating for manually doing work when there’s a more automatic, less involved alternative available. You might think I’m encouraging you to defrag your password manager. And if you’re not convinced, that’s totally okay! But I’ve found that there’s a special feeling that comes from knowing that any one of my mission critical systems is clean.
Anyway, I hope you found this post helpful! Take care, and enjoy the Passwords app!
