
Apple strong passwords aren’t entirely random, but are cleverly designed

Whenever an Apple device generates a strong password for you, the structure of those secure passwords isn’t entirely random.

Instead, Apple created rules specifically designed to make them easier to type if you ever have to do that manually, and to make them briefly memorable …

Apple software engineering manager Ricky Mondello leads the team responsible for delivering the best possible authentication experience on the company’s devices, and responded to a post by someone who suspected that auto-generated strong passwords aren’t as random as you might imagine.

Jsveningsson made his observation on Mastodon.

@rmondello Having an annoying argument on Threads about Apple generated passwords. Every iOS Password (like hupvEw-fodne1-qabjyg) seems to be constructed from gibberish two-syllable “words”. Hup-vew, fod-ne and qab-jyg above. Is this all in my head? Am I going crazy? Is the two-syllable thing by design or random?

Mondello answered the question in the form of a blog post, confirming that the two-syllable structure is indeed by design.

To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters.

And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users […]

So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. 

Of course, usability couldn’t compromise security, and Apple was actually able to ensure that passwords generated according to this structure were stronger than its previous ones.

The blog post is a fascinating look into the level of detail Apple considers even in something we might expect to be random. Mondello also linked to a video discussing this back in 2019.
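The structure described above can be made concrete with a short generator and checker. This is an added example, not Apple's code. It assumes that the consonant pool is every letter other than a, e, i, o, u and y, and that the digit and the capital can land in any of the 18 letter slots. The page states neither rule.

```python
import math
import secrets

VOWELS = "aeiouy"                    # "y" acts as a vowel in the sample ("jyg")
CONSONANTS = "bcdfghjklmnpqrstvwxz"  # assumption: all 20 remaining letters
DIGITS = "0123456789"
POOLS = [CONSONANTS, VOWELS, CONSONANTS] * 6   # six CVC syllables, 18 slots

def generate() -> str:
    """Build a 20-character password shaped like the article's sample."""
    rng = secrets.SystemRandom()                   # OS CSPRNG
    chars = [rng.choice(pool) for pool in POOLS]
    digit_at, upper_at = rng.sample(range(18), 2)  # assumption: any two slots
    chars[digit_at] = rng.choice(DIGITS)           # digit replaces one letter
    chars[upper_at] = chars[upper_at].upper()      # a different slot is capitalised
    s = "".join(chars)
    return "-".join((s[0:6], s[6:12], s[12:18]))

def matches_structure(pw: str) -> bool:
    """True if pw is 3 hyphen-joined groups of 6 with one digit and one capital."""
    groups = pw.split("-")
    if len(pw) != 20 or [len(g) for g in groups] != [6, 6, 6]:
        return False
    body = "".join(groups)
    if sum(c in DIGITS for c in body) != 1 or sum(c.isupper() for c in body) != 1:
        return False
    # Every non-digit must fit its consonant/vowel slot once lowercased.
    return all(c in DIGITS or c.lower() in pool for c, pool in zip(body, POOLS))

def search_space_bits() -> float:
    """log2 of the number of distinct strings that fit this shape.

    This is an upper bound on the entropy of generate(), which is slightly
    non-uniform because the digit overwrites slots with different pool sizes.
    """
    letters = math.prod(len(p) for p in POOLS)
    # Digit takes one slot (10 values); 17 slots remain for the capital.
    total = sum(letters // len(pool) * 10 * 17 for pool in POOLS)
    return math.log2(total)

if __name__ == "__main__":
    pw = generate()
    print(pw, matches_structure(pw), round(search_space_bits(), 1))
```

Under these assumed pools the shape still leaves a search space of roughly 75 bits. Apple's real generator may apply different rules, so the figure describes this sketch only.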

Via Daring Fireball. Image: Screengrab from a video by Per Thorsheim.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

