To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.
And we weren’t going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format.
[…]
So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. We picked this length and the mix of characters to be compatible with a good mix of existing websites.
I like the password format that Safari generates, but I wish I could turn off auto-generation of passwords. It’s a really awkward workflow if I prefer to create new accounts and passwords in PasswordWallet. As far as I can tell, I can only opt out for individual text fields. That takes a bunch of extra clicks, and if I forget I end up with the password stored in the wrong place, which I may not realize until much later, when it’s harder to fix. Just let me choose to have an empty text field by default.
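As an added example (not Apple's generator and not code from this post), the following Python models the format described in the quoted talk above and counts its equally likely outputs to get a Shannon entropy figure. The alphabets, the `cvccvc` grouping and the digit placement are assumptions; the page states only the length, the character mix and the 71-bit figure, so the roughly 72 bits computed here belong to this model alone.

```python
import math
import secrets

# Assumed alphabets and layout (not given on the page): three "cvccvc"
# groups joined by hyphens, 6 + 1 + 6 + 1 + 6 = 20 characters.
CONSONANTS = "bcdfghjkmnpqrstvwxz"   # 19 letters, assumed
VOWELS = "aeiouy"                    # 6 letters, assumed
PATTERN = "cvccvc" * 3               # 18 letter slots before the digit is placed
DIGIT_SLOTS = [0, 5, 6, 11, 12, 17]  # assumed: digit replaces a group-edge consonant


def generate_password() -> str:
    """Draw one password from the model using the OS CSPRNG."""
    chars = [secrets.choice(CONSONANTS if k == "c" else VOWELS) for k in PATTERN]
    digit_at = secrets.choice(DIGIT_SLOTS)
    chars[digit_at] = secrets.choice("0123456789")
    # Exactly one of the 17 remaining letters is uppercased.
    upper_at = secrets.choice([i for i in range(len(chars)) if i != digit_at])
    chars[upper_at] = chars[upper_at].upper()
    return "-".join("".join(chars[i:i + 6]) for i in range(0, 18, 6))


def model_entropy_bits() -> float:
    """log2 of the number of distinct, equally likely outputs of the model."""
    consonant_slots = PATTERN.count("c") - 1   # one consonant slot holds the digit
    vowel_slots = PATTERN.count("v")
    outcomes = (len(CONSONANTS) ** consonant_slots
                * len(VOWELS) ** vowel_slots
                * 10 * len(DIGIT_SLOTS)        # digit value and digit position
                * (len(PATTERN) - 1))          # position of the uppercase letter
    return math.log2(outcomes)


def matches_described_mix(pw: str) -> bool:
    """Check the properties the page states: 20 chars, two hyphens, one digit, one uppercase."""
    return (len(pw) == 20 and pw.count("-") == 2
            and sum(c.isdigit() for c in pw) == 1
            and sum(c.isupper() for c in pw) == 1
            and sum(c.islower() for c in pw) == 16)


if __name__ == "__main__":
    print(generate_password(), f"{model_entropy_bits():.1f} bits")
```

The entropy comes from the size of the generator's output space, not from the 20-character length: a uniformly random 20-character string over a larger alphabet would score far higher, which is the trade the talk describes making for typeability.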
Previously:
- Apple Passwords App in Sequoia and iOS 18
- Lowercase Passwords
- Password Rules / UITextInputPasswordRules
- Minimum Password Lengths
- Choosing Secure Passwords
I love how Hulu’s password reset input field silently strips out the dashes and compacts the password, while Apple dutifully saves the original.
Update (2024-10-11): Ricky Mondello notes that on Sequoia there’s a setting in the Passwords app to turn off password generation.
Update (2024-10-18): See also: Hacker News.