
Apple releases open source 'Password Manager Resources' project for developers - sharjeelsayed
https://9to5mac.com/2020/06/05/apple-releases-new-open-source-password-manager-resources-project-for-developers/
======
dewey
Direct link to Github: [https://github.com/apple/password-manager-resources](https://github.com/apple/password-manager-resources)

Seems like a good idea, instead of every password manager trying to re-implement the same kind of edge cases. One day I hope we can just "mass change" passwords because sites follow a common theme like [https://wicg.github.io/change-password-url/index.html](https://wicg.github.io/change-password-url/index.html) - but maybe we have a better strategy than passwords until then.

~~~
tialaramex
If Apple wants to throw their weight around on this, that would be best
directed at pushing sites to stop having stupid rules IMNSHO.

Of the documented rules only _minimum_ password length is even an excusable
rule. Should your site accept 40kB passwords? No, but that's not a "maximum
password length" rule; at that point it's just common sense about
unauthenticated payload sizes. Whereas this list includes limits of just eight
characters and in one case simply 4 digits.

The other restrictions - required or prohibited characters - and the shared
credential quirk (systems that let you, indeed often require you to use the
same credentials but on different FQDNs) are both making users less safe.
While there's an argument that just documenting them is neutral I'd argue that
for an outfit with Apple's clout it isn't enough and they need to be loudly
calling for reform.

That's tempered by the knowledge that Apple has never been very good at doing
more than one thing. "Password stores" are definitely not the new iPhone, and
so they can't pivot their whole company to this problem, and maybe in the
absence of that level of focus this is all they can offer, but that's kind of
a shame on its own.

~~~
eli
Unfortunately I think they'd rather you just authorize everything against your
Apple ID.

~~~
tialaramex
That's far from the worst outcome. There are anti-trust concerns in play of
course, and we certainly don't want a world where anybody without an AppleID
is a second class citizen, but from the security side such systems are a win-
win for users and site owners.

------
mikece
The idea of a password manager reading a website's password rules
(which they are calling "quirks" apparently) is a great idea as the app would
then know what the controlling parameters are (15 characters, must have an
upper, a lower, and three special characters) when it auto-generates a
password. Since I started using KeePassXC I've been shocked at how many
websites -- especially financial institutions! -- don't allow you to use 64
character long passwords using multiple "special characters" (why would you
make a password rule that says I can only use five select non-number, non-
letter characters and only "one to three" of said characters?)...

~~~
LeoPanthera
I cannot conceive of any situation that would make a 64 character password
necessary. Even 256 bits of random data can be encoded into less than 42
printable ASCII characters.

And even that is twice as much as would ever seem necessary.
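Added example (not code from the thread, from Apple's repository, or from any password manager): a generator that fills a site's rule set the way mikece describes, plus the entropy arithmetic behind LeoPanthera's "fewer than 42 printable characters for 256 bits". The rule dictionary is a constructed format for illustration, not the format used by password-manager-resources.

```python
import math
import secrets
import string

# Constructed rule set mirroring the kind of site constraints discussed above
# (15 chars, one upper, one lower, three specials from a small allowed set).
# It is NOT the rule format used by Apple's password-manager-resources repo.
EXAMPLE_RULES = {
    "min_length": 15,
    "max_length": 64,
    "required_upper": 1,
    "required_lower": 1,
    "required_special": 3,
    "allowed_special": "!@#$%",   # the "five select" characters a site might permit
}

def generate_password(rules, length=None):
    """Generate a password satisfying the rule set, using a CSPRNG throughout."""
    length = length or rules["min_length"]
    if not rules["min_length"] <= length <= rules["max_length"]:
        raise ValueError("length outside site limits")
    special = rules["allowed_special"]
    # Pick the mandatory characters first so every 'required' rule is guaranteed.
    chars = [secrets.choice(string.ascii_uppercase) for _ in range(rules["required_upper"])]
    chars += [secrets.choice(string.ascii_lowercase) for _ in range(rules["required_lower"])]
    chars += [secrets.choice(special) for _ in range(rules["required_special"])]
    if len(chars) > length:
        raise ValueError("required characters exceed requested length")
    alphabet = string.ascii_letters + string.digits + special
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets, so required characters are not at
    # predictable positions (random.shuffle would use a non-cryptographic RNG).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def satisfies(password, rules):
    """Validate a password against the rule set before a manager saves it."""
    special = rules["allowed_special"]
    allowed = set(string.ascii_letters + string.digits + special)
    return (
        rules["min_length"] <= len(password) <= rules["max_length"]
        and set(password) <= allowed
        and sum(c.isupper() for c in password) >= rules["required_upper"]
        and sum(c.islower() for c in password) >= rules["required_lower"]
        and sum(c in special for c in password) >= rules["required_special"]
    )

def chars_for_entropy(bits, alphabet_size):
    """Characters needed to carry `bits` of entropy from a uniformly chosen alphabet."""
    return math.ceil(bits / math.log2(alphabet_size))
```

With the 95 printable ASCII characters, `chars_for_entropy(256, 95)` is 39, which is where the "fewer than 42" figure comes from; a 15-character password over the same alphabet carries under 100 bits.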

~~~
mikece
Why 64 characters? Because 128 would be too much...

Seriously though, I like obnoxiously long passwords because it clues me in to
who is storing my password in a manner that can be reverted to plain text if
not in plaintext directly. If you're using a salted hash to store my password
it shouldn't make a difference whether my password is "HN/2020/Jun!" or the
full text of War and Peace -- just the hash will be stored. Anyone who tells
me my password is too long makes me nervous because they are doing something
different.

And of course I'm a little paranoid: how many breach datasets are your
credentials in?

------
CornishPasty
I feel like this would be better as a Well-Known URI, for example /.well-known/password-manager.json with a similar format to the repo – that way it's not up to Apple to decide what goes in the repository.

~~~
Someone1234
Sites would immediately use it to essentially disable password managers "for
security." Sites have done everything they can to block password managers
historically, I don't anticipate that changing.

~~~
merightnow
Why would any site do that? Other than on a bank's website I haven't
encountered that behaviour previously.

~~~
Someone1234
You're asking the wrong person: Sites shouldn't do that. But they do, often.

Banks are the worst offenders, but it isn't limited to that. Any site that
thinks it is "special" and requires "extra security" targets password managers
for reasons unknown.

------
Hamuko
I just wish Apple allowed better integration with third-party password
managers.

~~~
jeromegv
What are your suggestions? Genuinely curious as I find the iOS integration
quite excellent, it lets me pick from 1Password directly on the password
prompt.

~~~
mcintyre1994
I'm probably just doing something wrong but I haven't figured out how to save
a new password for something I just signed up for anywhere other than Apple's
password manager.

~~~
satysin
I am going by memory here so I very well could be wrong/it may have changed
but I think the process is as follows -

1. On the signup page select either the username/email or password text box.

2. Press the key icon.

3. Select add in whatever password manager you use (I use Bitwarden).

4. Generate a password, etc., then hit save.

5. Select it and it will autofill and add any extra stuff in the sign up form.

That is how I have done it in the past (maybe not exactly like that, as I said
this is from memory) and it has worked well enough. Not a great user
experience though to be fair.

~~~
mcintyre1994
Thanks! I think I was missing the key actually, I usually use the little pop
up asking me to save to iCloud, didn’t realise the key let you save too and to
any password manager. Nice! :)

------
dfee
I’ll say it. This is kind of a joke.

Not that it would be a joke if an individual developer released it, and built
an active community who contributed, or if it was more than 100 websites long.

But the heavy publicity push seems a bit early. And, it feels like Apple’s
announcement is little more than “hey guys, check out this POC repo!”.

It kinda feels like Apple doesn’t get OSS.

~~~
dewey
[https://developer.apple.com/news/?id=06052020a&1591373342](https://developer.apple.com/news/?id=06052020a&1591373342)
doesn't seem like a "heavy publicity push". It's a niche topic and the target
audience of people who build password managers isn't exactly a huge one.

~~~
dfee
1 hour ago this began appearing on plenty of Mac news sites. The PR game is a
push not a pull.

~~~
dewey
Every tiny bit of information trickling out of Apple is circulating on Mac
news sites. Even if it's just a delivery date changing somewhere in the store.
These news sites are actively looking for that.

I doubt the PR department is pushing out a footnote on the developer portal to
a bunch of Mac rumor blogs.

~~~
threeseed
It's not even on the major Mac rumor blogs.

MacRumors and AppleInsider both don't have the article.

~~~
Hamuko
[https://www.macrumors.com/2020/06/05/apple-open-source-passw...](https://www.macrumors.com/2020/06/05/apple-open-source-password-management-project/)

[https://appleinsider.com/articles/20/06/05/apple-announces-o...](https://appleinsider.com/articles/20/06/05/apple-announces-open-source-project-for-password-manager-developers)

