Note: This post is intended for people interested in using and contributing to the Password Manager Resources open source project. I am writing it in a personal capacity, as a maintainer and contributor to an open source project that I am passionate about.
I recently contributed two new quirks to the Password Manager Resources open source project that I want folks to know about.
(Quirks? Open source project? This open source project is, “a place for creators and users of password managers to collaborate on resources to make password management better”. The project contains “quirks” — data that pertains to specific websites, that can make the experience of using a password manager on those websites better.)
The first quirk expresses relationships between apps and websites. From the project README:
The file apple-appIDs-to-domains-shared-credentials.json expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an association with domains. The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the Credential Provider Extension mechanism.
The JSON file is a map from App Identifier to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple’s App Store.
That is, if you know of an app that doesn’t get specific passwords suggested on the QuickType bar, and instead has a generic “Passwords…” button, you can file an issue about it or contribute a fix.
The second quirk is a bit more esoteric. From the project README:
The file quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an <iframe> on a website. These payment processors may ask for banking credentials directly, without using OAuth.
A password manager may wish to not offer to save a new password submitted in such an <iframe>, because the credentials are likely to not be for the service itself.
I love this project. It’s been a delight to work with folks at 1Password, Dashlane, and the enthusiastic users of password managers to make password management better for everyone. If you’re interested in contributing to the project, it’s pretty easy, and you’ll be joining the over 200 people who already have made contributions!
Thanks for dropping by to learn about these two new quirks. :)