
Apple announces open-source project for password manager developers

Apple on Friday announced a new open-source project to help password manager developers create stronger and better-compatible passwords for users.

The so-called Password Manager Resources initiative, one of several open-source Apple projects, allows password manager apps to integrate the website-specific requirements used by the iCloud Keychain password manager into their own apps.

According to the documentation, the goal is to have password app makers collaborate on development resources to improve quality, document website-specific behaviors and improve user trust.

Some of those resources include website behavior "quirks" including specific password guidelines and credential backends. For instance, it's frustratingly common for poorly designed websites to only tell users that they have a specific maximum password length, or requirements for special characters, after the user has tried to enter one. Password managers generally have no way to know a site's rules either, so the strong passwords they create can then be rejected by the site.

As an example of the goal of the project, Apple is collecting data on the specific password rules of certain sites — such as the use of special characters and length requirements — and allowing developers to integrate this data in their own apps.
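To make the compatibility problem concrete, here is an added Python example (not code from Apple's project) that parses a site's password constraints from a simplified, constructed rule syntax and generates a password that satisfies them; the rule syntax, the class names and the sample constraints are assumptions for illustration, not the project's actual file format.

```python
import secrets
import string

# Constructed, simplified rule syntax for this illustration (not Apple's actual quirks format):
#   "minlength: 8; maxlength: 16; required: lower; required: upper; required: digit; allowed: -_"
# A class name (lower/upper/digit) expands to that character set; anything else is literal characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}

def parse_rules(text):
    """Parse 'key: value;' pairs into a dict of site constraints."""
    rules = {"minlength": 1, "maxlength": 64, "required": [], "allowed": ""}
    for part in text.split(";"):
        if ":" not in part:
            continue
        key, value = (s.strip() for s in part.split(":", 1))
        if key in ("minlength", "maxlength"):
            rules[key] = int(value)
        elif key == "required":
            rules["required"].append(value)
        elif key == "allowed":
            rules["allowed"] += CLASSES.get(value, value)
    return rules

def alphabet(rules):
    """Every character the site accepts: required classes plus any extra allowed characters."""
    chars = "".join(CLASSES[c] for c in rules["required"]) + rules["allowed"]
    return chars or string.ascii_letters + string.digits  # fall back if the site states no classes

def complies(password, rules):
    """Check a candidate against length, allowed-character and required-class constraints."""
    if not rules["minlength"] <= len(password) <= rules["maxlength"]:
        return False
    if any(ch not in alphabet(rules) for ch in password):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in rules["required"])

def generate(rules, length=None):
    """Draw from the OS CSPRNG and reject candidates until one satisfies every rule."""
    length = length or min(rules["maxlength"], max(rules["minlength"], 20))
    pool = alphabet(rules)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if complies(candidate, rules):
            return candidate
```

Rejection sampling keeps the generator uniform over the allowed alphabet while guaranteeing the required classes are present, so the site's own validator should accept the result on the first try.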

"Every time a password manager generates a password that isn't actually compatible with a website, a person not only has a bad experience, but a reason to be tempted to create their own password," the document reads.

Other aspects of the project include data on websites that share a single sign-in system and webpages where users can change their passwords.

Apple is encouraging developers to incorporate data and other resources from the project into their own apps, with the only stipulation being that they share their own data and findings with the project.

The full details of the program, along with the actual code for use in apps, are available on GitHub.

20 Comments

Xed 4 Years · 2896 comments

One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.

lkrupp 19 Years · 10521 comments

I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.

zimmie 9 Years · 651 comments

I wonder if this per-site data could be used to shame a few companies into improving their password policies. Kind of like Password is Too Strong on Twitter, but with the backing of one of the biggest companies in the world.

zimmie 9 Years · 651 comments

Xed said:
One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitation by which their site's passwords need to be created. This would help make creating a new password in your password manager know the min and max length, special character limitations, and other limitations for password generators.

On the topic of providing password requirements in a machine-readable way, I would also like to see password rotation exposed in a consistent way. Site announces a breach? Hit the button in your password manager to rotate the password, or have your password manager do it automatically. Done.

Edited to add: This could be abused by whoever breached the site, of course, but the utility of a user authentication data set is the subset of users who used the same password on other services. Or, as in the case of Ashley Madison, the users who have accounts at all. Attackers don't typically care nearly as much about the passwords for the service which was breached.

paxman 17 Years · 4729 comments

lkrupp said:
I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.

Ditto.