Apple Project Aims To Improve Password Managers

Apple’s open source Password Manager Resources project includes site-specific data aimed at improving compatibility of third-party password tools

Apple has launched an open source project aimed at improving the way password managers work, in an effort to boost their usage and, in turn, web security in general.

Passwords have long been seen as a critical weak spot in the web, with people continuing to commonly reuse weak passwords across multiple services.

Microsoft said in December of last year that some 44 million users were still using passwords that had previously been compromised in data breaches.

Passoword managers are seen as a way of improving the situation, since they automatically generate strong passwords that the service fills in automatically when a user logs into a website or app.

World Password Day: Is the Password Still Fit For Purpose?
World Password Day: Is the Password Still Fit For Purpose?

Compatibility

But Apple noted that in many cases the automatically generated password isn’t compatible with the site or app, for one reason or another.

This may cause a user to abandon the process and create a weaker password themselves, Apple said.

Password Manager Resources, published on GitHub, includes a list of website-specific rules – called “quirks” – that must be followed when generating passwords.

“Although ideally, the industry will work to eliminate the need for all of the quirks in this project, there’s value in customising behaviours to ensure better user experience,” Apple said in the project’s documentation.

Aside from password rules, the “quirks” also include groups of websites known to use the same credential backend, which can be used to enhance suggested passwords, and website-specific URLs for changing passwords, in order to take a user directly to the right page.

User experience

“By sharing resources, all password managers can improve their quality with less work than it’d take for any individual password manager to achieve the same effect,” Apple said.

The company said that by publicly documenting website-specific behaviours, password managers can offer an incentive or sites to use standards to improve their compatibility with third-party password tools.

“By improving the quality of password managers, we improve user trust in them as a concept, which benefits everyone,” the company said.

Apple encouraged developers to make use of its data and code, but asked that they contribute quirk data back to the project so that it can be used by other password management tools.

“Compiling password rule quirks helps fewer people run into issues like these while also documenting that a service’s password policy is too restrictive for people using password managers, which may incentivize the services to change,” Apple said.

It said the quirk data included in the project is sourced from Apple’s own iCloud Keychain password manager.