Apple on Friday announced a new open-source project to help password manager developers create stronger and better-compatible passwords for users.
The Password Manager Resources project, one of several Apple open-source efforts, lets other password manager apps ship the same website-specific requirements that the iCloud Keychain password manager already uses.
According to the documentation, the goal is to have password app makers collaborate on development resources to improve quality, document website-specific behaviors and improve user trust.
Those resources include website behavior "quirks" such as site-specific password rules and the credential backends that sites share. For instance, it is frustratingly common for poorly designed websites to reveal a maximum password length, or a restriction on special characters, only after the user has tried to submit a password. A password manager has no way to know those rules either, so the strong password it generates can be rejected by the site.
As an example of the project's goal, Apple is collecting each site's password rules, such as length limits and which special characters are accepted, in a form that developers can integrate into their own apps.
"Every time a password manager generates a password that isn't actually compatible with a website, a person not only has a bad experience, but a reason to be tempted to create their own password," the document reads.
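To make the incompatibility concrete, here is a small Python consumer of that kind of data. It is an added example, not code from the article or from Apple's project: it parses a site's password-rules string in the syntax the project uses (minlength, maxlength, required and allowed character classes, max-consecutive), generates a password that satisfies the rules, and checks a candidate against them so a manager can tell in advance whether a site will reject it. The quirks entries below are constructed for the example, and the fallback from a host to its parent domains when looking up rules is my assumption, not the project's matching policy.

```python
import json
import random
import re
import string

# Constructed sample in the shape of a quirks file (domain -> {"password-rules": "<rules>"}).
# The domains and rules below are made up for this example, not copied from the project.
SAMPLE_QUIRKS = json.loads(r"""
{
  "example-bank.test": {"password-rules": "minlength: 12; maxlength: 20; required: lower; required: upper; required: digit; allowed: [-_.]; max-consecutive: 2;"},
  "legacy-shop.test":  {"password-rules": "maxlength: 16; allowed: ascii-printable;"}
}
""")

# Named character classes of the password-rules syntax.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set("-~!@#$%^&*_+=`|(){}[:;\"'<>,.? ]"),
    "ascii-printable": {chr(c) for c in range(0x20, 0x7F)},
}


def split_outside_class(text, sep):
    """Split on sep, ignoring separators that appear inside a [...] custom class."""
    parts, buf, in_class = [], [], False
    for ch in text:
        if ch == sep and not in_class:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        if ch == "[" and not in_class:
            in_class = True
        elif ch == "]" and in_class:
            in_class = False
    parts.append("".join(buf))
    return parts


def parse_rules(rules):
    """Parse a password-rules string into length limits, required classes and the allowed set."""
    parsed = {"minlength": 1, "maxlength": None, "max-consecutive": None,
              "required": [], "allowed": set()}
    for clause in split_outside_class(rules, ";"):
        clause = clause.strip()
        if not clause:
            continue
        key, _, value = clause.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("minlength", "maxlength", "max-consecutive"):
            parsed[key] = int(value)
        elif key in ("required", "allowed"):
            chars = set()
            for cls in split_outside_class(value, ","):
                cls = cls.strip()
                if cls.startswith("[") and cls.endswith("]"):
                    chars |= set(cls[1:-1])          # custom class such as [-_.]
                elif cls in CLASSES:
                    chars |= CLASSES[cls]
                else:
                    raise ValueError(f"unknown character class: {cls!r}")
            if key == "required":
                parsed["required"].append(chars)
            parsed["allowed"] |= chars               # required characters are implicitly allowed
        else:
            raise ValueError(f"unknown property: {key!r}")
    if not parsed["allowed"]:
        parsed["allowed"] = set(CLASSES["ascii-printable"])  # default when no class is named
    floor = max(parsed["minlength"], len(parsed["required"]))
    if parsed["maxlength"] is not None and parsed["maxlength"] < floor:
        raise ValueError("rules cannot be satisfied: maxlength is too small")
    return parsed


def check_password(password, rules):
    """Return the list of rule violations; an empty list means the site should accept it."""
    r = parse_rules(rules) if isinstance(rules, str) else rules
    problems = []
    if len(password) < r["minlength"]:
        problems.append(f"shorter than minlength {r['minlength']}")
    if r["maxlength"] is not None and len(password) > r["maxlength"]:
        problems.append(f"longer than maxlength {r['maxlength']}")
    bad = sorted(set(password) - r["allowed"])
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    for i, cls in enumerate(r["required"]):
        if not set(password) & cls:
            problems.append(f"missing a character from required class #{i + 1}")
    n = r["max-consecutive"]
    if n is not None and re.search(r"(.)\1{%d,}" % n, password, re.DOTALL):
        problems.append(f"more than {n} identical consecutive characters")
    return problems


def generate_password(rules, length=20, rng=None):
    """Generate a password that satisfies the rules, retrying only if max-consecutive trips."""
    r = parse_rules(rules) if isinstance(rules, str) else rules
    rng = rng or random.SystemRandom()            # CSPRNG by default
    length = max(length, r["minlength"], len(r["required"]))
    if r["maxlength"] is not None:
        length = min(length, r["maxlength"])      # never exceed what the site accepts
    allowed = sorted(r["allowed"])
    for _ in range(1000):
        chars = [rng.choice(sorted(cls)) for cls in r["required"]]  # one from each required class
        chars += [rng.choice(allowed) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, r):
            return candidate
    raise RuntimeError("could not satisfy the rules; check max-consecutive against the allowed set")


def rules_for(host, quirks=SAMPLE_QUIRKS):
    """Look up rules for a host, falling back to parent domains (an assumed matching policy)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = quirks.get(".".join(labels[i:]))
        if entry:
            return entry["password-rules"]
    return None


if __name__ == "__main__":
    for host in ("login.example-bank.test", "legacy-shop.test"):
        rules = rules_for(host)
        pw = generate_password(rules)
        print(host, "->", pw, check_password(pw, rules))
```

The generator draws one character from each required class first, fills the rest from the allowed set, shuffles, and then runs the same checker a site would, so a password is never handed to the user that the rules say will be rejected.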
The project also catalogs websites that share a single sign-in system, so one saved credential applies to all of them, and the pages where users can change their passwords.
Apple is encouraging developers to incorporate data and other resources from the project into their own apps, with the only stipulation being that they share their own data and findings with the project.
The full details of the project, along with the data files and code for use in apps, are available on GitHub.
One thing I'd love to see as part of an open-source project is a standard, plaintext page on every website's login page, like robots.txt, that states the format and limitations by which their site's passwords need to be created. This would let your password manager know the min and max length, special character limitations, and other limitations for password generators when creating a new password.
I usually let Apple's Keychain app generate a strong password and those almost always work. I also use 1Password 7 and its password generator can be customized to generate passwords of different lengths, characters, numerical, capitalization, etc.
I wonder if this per-site data could be used to shame a few companies into improving their password policies. Kind of like Password is Too Strong on Twitter, but with the backing of one of the biggest companies in the world.