“Balance between security and usability”: how Apple creates ‘strong passwords’

When you sign up for a new service or website on your iPhone, iPad, or Mac, the system proposes a ‘strong password’ that you can use immediately; you can accept or reject it. These OS-generated passwords are fairly long, contain no recognizable words, and include special characters such as hyphens and numbers. Together these properties meet the usual requirements for a strong password, so an attacker cannot easily crack one by brute force or by guessing common character combinations.


But if you have used a few of the passwords suggested by iOS or macOS, you have probably noticed a certain pattern. It is not random. The character sequence is always divided into three parts by hyphens, and each of the three short parts looks like a syllable that could be pronounced but is not a word in any actual language. Is that a coincidence or intentional? How does Apple create these passwords?

Apple’s Secret Language

Ricky Mondello, a longtime member of Apple’s security team, said the passwords suggested by iOS and macOS actually follow a sophisticated system. Apple introduced the system in iOS 12 in 2018, and details about it were also covered at WWDC.

The proposed password consists of 20 mostly alphabetic characters, with hyphens dividing the sequence into three equal parts. This reflects the fact that it is much easier for users to memorize three short sections than one long string, an important design consideration for cases where the password must be typed manually on another platform.

To help users hold a password in short-term memory, the alphabetic portion is structured into pronounceable syllables: a consonant followed by a vowel followed by another consonant. Apple uses a library of 19 consonants and 6 vowels to generate random syllables that do not exist in natural language. A blocklist also excludes syllables that could form inappropriate language, such as profanity.

Another rule is that each of Apple’s proposed passwords contains only one uppercase letter. According to Mondello, that is because lowercase letters are much easier to type, even on awkward input devices such as game controllers. Finally, even the seemingly random placement of numbers in automatically generated passwords follows a rule: a number may appear on either side of a hyphen or at the end of the password, but never in the middle of one of the virtual ‘words’ Apple has created.
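The rules described above (three hyphen-separated groups, consonant-vowel-consonant syllables drawn from 19 consonants and 6 vowels, a profanity blocklist, exactly one uppercase letter, and digits only beside a hyphen or at the end) are concrete enough to implement. The following Python is an added example written for this article, not Apple's code. It assumes that the 20-character count includes the two hyphens (so three groups of six letters, two syllables each), that `y` is the sixth vowel and `q` the consonant left out, that exactly one digit is inserted, and it uses a constructed three-entry stand-in for the blocklist. It also includes a validator that checks a candidate string against the same rules and an entropy estimate, which shows what the structure costs compared with a fully random string and why it is still far beyond brute-force range.

```python
"""Added example: generator, validator and entropy estimate for the password
structure described in the article. Not Apple's implementation; the letter
sets, blocklist, group size and one-digit rule are assumptions."""
import math
import secrets

# The article gives the counts (19 consonants, 6 vowels) but not the letters.
# Assumption: y counts as a vowel and q is the consonant left out.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnprstvwxz"

# Constructed stand-in for the profanity blocklist the article mentions.
BLOCKED_SYLLABLES = frozenset({"bad", "dum", "nut"})

# 20 characters with two hyphens leaves 18 letters: three groups of six,
# i.e. two consonant-vowel-consonant syllables per group (assumption: the
# article's 20 includes the hyphens).
GROUPS, SYLLABLES_PER_GROUP, SYLLABLE_LEN = 3, 2, 3
GROUP_LEN = SYLLABLES_PER_GROUP * SYLLABLE_LEN  # 6
DIGITS = "0123456789"


def digit_slots():
    """(group, index) pairs where a digit may stand: the character on either
    side of a hyphen, or the last character of the password."""
    slots = []
    for g in range(GROUPS):
        if g > 0:
            slots.append((g, 0))             # right of a hyphen
        slots.append((g, GROUP_LEN - 1))     # left of a hyphen, or the very end
    return slots


def random_syllable():
    """Pronounceable consonant-vowel-consonant triple not on the blocklist."""
    while True:
        syl = (secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
               + secrets.choice(CONSONANTS))
        if syl not in BLOCKED_SYLLABLES:
            return syl


def generate_password():
    """Return one password following the article's rules, e.g. 'Bupjix-zaftej-jupla4'."""
    groups = [[c for _ in range(SYLLABLES_PER_GROUP) for c in random_syllable()]
              for _ in range(GROUPS)]
    # One digit (assumption: exactly one) replaces a letter in a permitted slot.
    dg, di = secrets.choice(digit_slots())
    groups[dg][di] = secrets.choice(DIGITS)
    # Exactly one uppercase letter, on any position that is still a letter.
    letter_positions = [(g, i) for g in range(GROUPS) for i in range(GROUP_LEN)
                        if (g, i) != (dg, di)]
    ug, ui = secrets.choice(letter_positions)
    groups[ug][ui] = groups[ug][ui].upper()
    return "-".join("".join(g) for g in groups)


def validate(pw):
    """True iff pw obeys every rule above; the checks mirror the generator."""
    parts = pw.split("-")
    if len(pw) != 20 or len(parts) != GROUPS or any(len(p) != GROUP_LEN for p in parts):
        return False
    if sum(c.isupper() for c in pw) != 1:
        return False
    allowed = set(digit_slots())
    for g, part in enumerate(parts):
        for i, ch in enumerate(part):
            if ch.isdigit():
                if (g, i) not in allowed:
                    return False         # digit inside a "word"
            elif ch.lower() in VOWELS:
                if i % SYLLABLE_LEN != 1:
                    return False         # vowel must sit in the middle of a syllable
            elif ch.lower() in CONSONANTS:
                if i % SYLLABLE_LEN == 1:
                    return False         # consonant in the vowel position
            else:
                return False             # character outside the alphabet
        for s in range(0, GROUP_LEN, SYLLABLE_LEN):
            if part[s:s + SYLLABLE_LEN].lower() in BLOCKED_SYLLABLES:
                return False
    return True


def entropy_bits():
    """log2 of the number of distinct passwords the generator can emit,
    ignoring the small blocklist: five full syllables, one syllable whose edge
    consonant became a digit, the digit slot, the digit value and the
    uppercase position. Roughly 72 bits, versus about 126 bits for 20 fully
    random printable characters, yet still far beyond online or offline guessing."""
    syllable = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)
    digit_syllable = len(VOWELS) * len(CONSONANTS)
    count = (syllable ** 5 * digit_syllable * len(digit_slots()) * len(DIGITS)
             * (GROUPS * GROUP_LEN - 1))
    return math.log2(count)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, validate(pw), round(entropy_bits(), 1))
```

The validator is the useful half for a defender: it lets you confirm that a string you are about to treat as an OS-generated password really has the stated shape (no digit inside a syllable, exactly one capital, only the permitted alphabet), which is also a quick way to spot a password that was hand-edited after generation.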

In short, the passwords Apple generates are not random at all but follow a set of fixed rules. In this way Apple produces passwords that strike a good compromise between being strong and unguessable and being usable when entered manually on other platforms.

Source: www.itworld.co.kr