Apple Passwords’ Generated Strong Password Format

This post briefly summarizes part of a talk I gave in 2018. All information in this post has been accessible on YouTube since then. There is no new information or news in this post.

On Mastodon recently, jsveningsson@mastodon.social asked me:

Having an annoying argument on Threads about Apple generated passwords. Every iOS Password (like hupvEw-fodne1-qabjyg) seems to be constructed from gibberish two-syllable “words”. Hup-vew, fod-ne and qab-jyg above. Is this all in my head? Am I going crazy? Is the two-syllable thing by design or random?

This is not in their head, they are not “going crazy”, and the two-syllable thing is by design. Let me explain!

I gave a talk in 2018 called “How iOS Encourages Healthy Password Practices” that told the story of this generated password format. Although the talk is a bit dated now, it also covers other topics related to password management that, given that you’re reading this post, you might be interested in.

I explain the thinking behind the generated strong password format at 18 minutes and 30 seconds into the video:

To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.

And we weren’t going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format. And a little tidbit for folks who are trying to match our math — [note that] we actually have a dictionary of offensive terms on device that we filter these generated passwords against and we’ll skip over passwords that we generate that contain those offensive substrings.

So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. We picked this length and the mix of characters to be compatible with a good mix of existing websites.

And a few more details: These aren’t real syllables as defined by any language. We have a certain number of characters we consider to be consonants, which is 19. Another set we consider to be vowels, which is six. And we pick them at random. There are five positions for where the digit can go, which is on either side of the hyphen or at the end of the password.

So yes, the passwords that Apple Passwords generates do contain gibberish two-syllable “words”. The syllables help them to be memorable briefly, but still not memorizable. I hope this helps!
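As an added illustration of the counting behind those figures (this is not Apple’s code and not from the talk), here is a small Python model of the format as the transcript describes it: three six-letter chunks of two consonant-vowel-consonant syllables, joined by two hyphens, one digit replacing the consonant in one of the five stated slots, and one uppercase letter. The page gives the counts (19 consonants, 6 vowels) but not the letters, and does not say which letters are eligible to be uppercased, so the alphabets below and the “any remaining letter may be uppercased” rule are assumptions. Under those assumptions the count comes to about 72 bits, a little above the 71 the talk cites; the gap lies in details the talk leaves out (exactly which characters are eligible, plus the offensive-substring filter, which discards some outputs).

```python
import math
import secrets

# Assumed alphabets: the talk gives the counts (19 consonants, 6 vowels) but
# not the letters. "aeiouy" as vowels and the remaining letters minus 'l' hit
# those counts; this is a constructed choice, not Apple's actual set.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjkmnpqrstvwxz"
DIGITS = "0123456789"

# Layout: CVCCVC-CVCCVC-CVCCVC (20 characters). The digit replaces the
# consonant in one of five slots: either side of each hyphen, or the last
# character. Indices refer to the 20-character string.
DIGIT_SLOTS = (5, 7, 12, 14, 19)
CHUNK_VOWEL_SLOTS = (1, 4)  # the two vowel positions within a 6-letter chunk


def _syllable() -> str:
    return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)


def generate() -> str:
    """Produce one password in the modelled format, using the CSPRNG-backed secrets module."""
    chars = list("-".join(_syllable() + _syllable() for _ in range(3)))
    chars[secrets.choice(DIGIT_SLOTS)] = secrets.choice(DIGITS)
    # Assumption: any of the 17 remaining letters may become the uppercase one.
    letters = [i for i, c in enumerate(chars) if c.isalpha()]
    i = secrets.choice(letters)
    chars[i] = chars[i].upper()
    return "".join(chars)


def matches_format(pw: str) -> bool:
    """Check a string against the structural rules stated in the talk."""
    if len(pw) != 20 or pw[6] != "-" or pw[13] != "-":
        return False
    digits = [i for i, c in enumerate(pw) if c.isdigit()]
    if len(digits) != 1 or digits[0] not in DIGIT_SLOTS:
        return False
    if sum(c.isupper() for c in pw) != 1:
        return False
    for chunk in pw.lower().split("-"):
        for k, c in enumerate(chunk):
            if c.isdigit():
                continue  # already confirmed to sit in an allowed consonant slot
            if c not in (VOWELS if k in CHUNK_VOWEL_SLOTS else CONSONANTS):
                return False
    return True


def entropy_bits() -> float:
    """Shannon entropy of the model: log2 of the number of distinct outputs,
    assuming every choice above is uniform."""
    syllables = 6 * math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))
    # The digit: 10 values in one of 5 slots, displacing a 19-way consonant choice.
    digit = math.log2(len(DIGIT_SLOTS) * len(DIGITS) / len(CONSONANTS))
    # The uppercase letter: one of the 17 letters left after the digit is placed.
    upper = math.log2(18 - 1)
    return syllables + digit + upper


if __name__ == "__main__":
    sample = generate()
    print(sample, matches_format(sample))
    print(f"model entropy: {entropy_bits():.2f} bits")
```

The validator accepts the password from the Mastodon question above, and the entropy function makes the trade-off in the transcript concrete: the digit slot contributes only about 1.4 bits (ten values in five places, but it displaces a 19-way consonant choice), while the six syllables carry the bulk of the strength.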

New Quirks in the Password Manager Resources open source project

Note: This post is intended for people interested in using and contributing to the Password Manager Resources open source project. I am writing it in a personal capacity, as a maintainer and contributor to an open source project that I am passionate about.

I recently contributed two new quirks to the Password Manager Resources open source project that I want folks to know about.

(Quirks? Open source project? This open source project is, “a place for creators and users of password managers to collaborate on resources to make password management better”. The project contains “quirks” — data that pertains to specific websites, that can make the experience of using a password manager on those websites better.)

The first quirk expresses relationships between apps and websites. From the project README:

The file apple-appIDs-to-domains-shared-credentials.json expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an association with domains. The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the Credential Provider Extension mechanism.

The JSON file is a map from App Identifier to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple’s App Store.

That is, if you know of an app that doesn’t get specific passwords suggested on the QuickType bar, and instead has a generic “Passwords…” button, you can file an issue about it or contribute a fix.

The second quirk is a bit more esoteric. From the project README:

The file quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an <iframe> on a website. These payment processors may ask for banking credentials directly, without using OAuth.

A password manager may wish to not offer to save a new password submitted in such an <iframe>, because the credentials are likely to not be for the service itself.
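To show how a password manager would consume the two files, here is an added Python sketch; it is not the project’s code and not taken from any shipping password manager. The JSON is constructed placeholder data in the shapes the README describes (the app identifiers and domains are made up), and the same-site check is a deliberately simplified stand-in for a Public Suffix List lookup.

```python
import json
from typing import Dict, List

# Constructed sample data in the shape the README describes. The real files
# live in the Password Manager Resources repository; these entries are
# placeholders, not real app identifiers or domains.
APP_IDS_TO_DOMAINS_JSON = """
{
  "TEAMID1234.com.example.shopping": ["shop.example", "account.example"],
  "TEAMID5678.org.example.bank": ["bank.example"]
}
"""

THIRD_PARTY_CREDENTIAL_ASKERS_JSON = """
["payments.example", "checkout.example"]
"""


def load_app_domain_map(text: str) -> Dict[str, List[str]]:
    """Parse apple-appIDs-to-domains-shared-credentials.json and check its shape:
    a map from App Identifier to a non-empty array of domain strings."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by App Identifier")
    for app_id, domains in data.items():
        if not isinstance(domains, list) or not domains or not all(isinstance(d, str) for d in domains):
            raise ValueError(f"bad domain list for {app_id!r}")
    return data


def load_asker_list(text: str) -> List[str]:
    """Parse the third-party credential-asker quirk: a JSON array of domains."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(d, str) for d in data):
        raise ValueError("expected a JSON array of domain strings")
    return data


def domains_for_app(app_id: str, mapping: Dict[str, List[str]]) -> List[str]:
    """Domains whose credentials should be suggested in this app, most prominent first."""
    return list(mapping.get(app_id, []))


def _same_site(a: str, b: str) -> bool:
    # Simplified registrable-domain check: compare the last two labels.
    # A real manager would consult the Public Suffix List; this is a stand-in.
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def should_offer_to_save(top_level_domain: str, frame_domain: str, askers: List[str]) -> bool:
    """Decide whether to offer to save a password submitted from a frame on
    `frame_domain` while the top-level page is `top_level_domain`."""
    if _same_site(top_level_domain, frame_domain):
        return True  # first-party frame: the credentials are for this site
    if any(_same_site(frame_domain, d) for d in askers):
        return False  # third-party embed known to ask for other services' credentials
    return True


if __name__ == "__main__":
    mapping = load_app_domain_map(APP_IDS_TO_DOMAINS_JSON)
    askers = load_asker_list(THIRD_PARTY_CREDENTIAL_ASKERS_JSON)
    print(domains_for_app("TEAMID1234.com.example.shopping", mapping))
    print(should_offer_to_save("shop.example", "secure.payments.example", askers))
```

Note the first-party case in `should_offer_to_save`: when the listed payment domain is itself the top-level page, saving is still offered, because the credentials then really are for that service. The quirk only suppresses the prompt when the domain appears as a third-party embed.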

I love this project. It’s been a delight to work with folks at 1Password, Dashlane, and the enthusiastic users of password managers to make password management better for everyone. If you’re interested in contributing to the project, it’s pretty easy, and you’ll be joining the over 200 people who already have made contributions!

Thanks for dropping by to learn about these two new quirks. :)

XOXO

I’ve never attended a conference before in a personal capacity[1]. Sure, I’ve worked events my employer has put on and spoken at conferences about what I do professionally, but I’d never paid money to show up somewhere just to learn, get inspired, or hang out. That changed a few weeks ago, when I visited Portland, OR to attend the final XOXO Festival.

I genuinely had one of the best times of my life at XOXO. From the first lovely moment until the very last, I was smiling like a goofball. The kind of happy where you spontaneously wiggle or catch yourself skipping a little bit. (I have to assume that other people skip involuntarily when they’re happy. Let me know.)

Why did I have such a great time?

  • Andy Baio and Andy McMillan, the founders, created an event where it was possible to fully participate while having a chance of avoiding contracting COVID-19. The festival had a firm policy around masking indoors and handed out masks to folks who needed them. More importantly, it was possible and convenient to participate outdoors, with a dedicated outdoor area for viewing talks and having conversations. That safety allowed me to actually enjoy myself, rather than feel like I was fighting another skirmish in my war against getting sick with COVID-19.
  • I ran into and got to catch up with internet friends who I had no idea were going, who I hadn’t seen in person since before the start of the pandemic. It was so nice to see them!
  • I got to introduce myself to people who I admire and tell them exactly what their work has meant to me, which is something that I love doing. And some people were kind enough to introduce themselves to me and tell me what my work has meant to them, which catches me off guard every time it happens.
  • The event self-selected for warmth and kindness. If you and another person started chatting, you were pretty much guaranteed to have a pleasant and meaningful conversation.
  • The event also self-selected for people who were comfortable and sometimes eager to talk about burnout, which is something that I’ve slowly been healing from by blowing up my life. I found it really helpful to talk about my feelings around burnout.
  • There was a gentleness to everyone who was there. It felt like we were all doing the work to heal after the collective traumas of the last few years. I had some particularly nice downtime sitting alone, but together, with someone who I had just met.
  • Strangers paid me compliments about choices that I had intentionally made about my appearance in a way that was welcome and not creepy. This by itself was delightful, but it again reflects on the thoughtfulness of the community.

I want to thank the Andys, everyone who sponsored and volunteered to work the event, and all of the attendees for making it such a great time. In a world where many of us are more isolated than ever, I think it’s critically important to connect with people in the way that XOXO facilitated.

If you’ll let me get a little woo-woo for a second: Why are we alive if not to connect with other people? Our consciousness is so precious. It’s mind-blowing that any one of us exists and knows that we exist — let alone that we can share feelings, spaces, and thoughts with each other. To wrap oneself in the blanket of a community where that happens is so beautiful as to be almost sacrosanct.

See y’all online,
<3


  1. Okay, fine. I attended a single conference before this one: jQuery Conference 2010: Boston on a student scholarship. Three things about that conference:

    1. My bicycle was stolen the first day of the event; I eventually got that bike back, but whoever stole it messed it up really bad.
    2. I decided to strike up a conversation with John Resig, creator of jQuery. I told him that I thought that jQuery Mobile was a weird name for the framework because jQuery was an all-purpose utility library, but jQuery Mobile was just another super-opinionated mobile UI development framework. He did not ask for that feedback, nor did he want it. I learned a lot from that interaction.
    3. Rebecca Murphey changed my life by giving a talk that could be summarized as, “Learn JavaScript. Stop living your life in frameworks and learn the damn language.”