&gt; Of the documented rules only minimum password length is even an excusable rule.Fun fact: bcrypt, still quite popular, has an inherent password length limit. Everything beyond a certain point (56 bytes) is just ignored. It&#x27;s possible to work around, but that&#x27;s messy and you&#x27;re no longer do &quot;the&quot; bcrypt, bye bye interoperability. And if you don&#x27;t enforce it, someone might do something silly-but-apparently-harmless, like reuse a long passphrase with some randomness at the end. Edge case, but not impossible. Of course in 2020 you probably should be using things like Argon or something (actually haven&#x27;t researched the current best in a couple of years, so no longer sure)., but AFAIR Rails, for example, still comes with just bcrypt by default.

This article[0] talks about why at least one company still has maximums. I too can relate to that, at my old job we had a 30 character hard limit because of interop with Oracle systems behind the scenes (we authenticated users twice, once in the web app which could have unlimited passwords stored as PBKDF2, and then again with an Oracle system that was hard restricted). A lot of businesses have backwards compatibility or proprietary systems in the way.[0] <a href="https:&#x2F;&#x2F;arstechnica.com&#x2F;information-technology&#x2F;2012&#x2F;09&#x2F;secret-microsoft-policy-limited-hotmail-passwords-to-16-characters&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arstechnica.com&#x2F;information-technology&#x2F;2012&#x2F;09&#x2F;secre...</a>

Unfortunately I think they&#x27;d rather you just authorize everything against your Apple ID.

If Apple wants to throw their weight around on this, that would be best directed at pushing sites to stop having stupid rules IMNSHO.Of the documented rules only minimum password length is even an excusable rule. Should your site accept 40kB passwords? No, but that&#x27;s not a &quot;maximum password length&quot; rule at that point it&#x27;s just common sense about unauthenticated payload sizes. Whereas this list includes limits of just eight characters and in one case simply 4 digits.The other restrictions - required or prohibited characters - and the shared credential quirk (systems that let you, indeed often require you to use the same credentials but on different FQDNs) are both making users less safe. While there&#x27;s an argument that just documenting them is neutral I&#x27;d argue that for an outfit with Apple&#x27;s clout it isn&#x27;t enough and they need to be loudly calling for reform.That&#x27;s tempered by the knowledge that Apple has never been very good at doing more than one thing. &quot;Password stores&quot; are definitely not the new iPhone, and so they can&#x27;t pivot their whole company to this problem, and maybe in the absence of that level of focus this is all they can offer, but that&#x27;s kind of a shame on its own.

I feel like the GitHub link should be the submission link, not 9to5Mac which doesn&#x27;t really give extra useful info...

Direct link to Github: <a href="https:&#x2F;&#x2F;github.com&#x2F;apple&#x2F;password-manager-resources" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;apple&#x2F;password-manager-resources</a>Seems like a good idea, instead of every password manager trying to re-implement the same kind of edge cases. One day I hope we can just &quot;muss change&quot; password because sites follow a common theme like <a href="https:&#x2F;&#x2F;wicg.github.io&#x2F;change-password-url&#x2F;index.html" rel="nofollow">https:&#x2F;&#x2F;wicg.github.io&#x2F;change-password-url&#x2F;index.html</a> - but maybe we have a better strategy than passwords until then.

Why 64 characters? Because 128 would be too much...Seriously though, I like obnoxiously long passwords because it clues me in to who is storing my password in a manner than can be reverted to plain text if not in plaintext directly. If you&#x27;re using a salted hash to store my password it shouldn&#x27;t make a difference whether my password is &quot;HN&#x2F;2020&#x2F;Jun!&quot; or the full text of War and Peace -- just the hash will be stored. Anyone who tells me my password is too long makes me nervous because they are doing something different.And of course I&#x27;m a little paranoid: how many breach datasets are your credentials in?

&gt; I cannot conceive of any situation that would make a 64 character password necessaryPassword for a streaming service that you want to use on your smart TV&#x2F;Roku&#x2F;Fire TV&#x2F;Apple TV&#x2F;Cable box.Ideally, they provide some way so you do not have to type your password using a crappy onscreen keyboard and the up&#x2F;down&#x2F;left&#x2F;right&#x2F;enter keys on your remote. For example, I&#x27;ve seen some that tell you a simple URL (<a href="https:&#x2F;&#x2F;&lt;comany_name&gt;&#x2F;add_device" rel="nofollow">https:&#x2F;&#x2F;&lt;comany_name&gt;&#x2F;add_device</a>, say) and show you numeric code. You go to that site on your computer, log in to your account, and then enter the code from your device. Your password manager deals with the password.Sadly, some do not do this, and you find yourself entering your password via the remote and on screen keyboard. Every time your password has a change between {upper case letter, lower case letter, number, punctuation} you have to navigate to some kind of shift key and hit it.I do not want to try to enter some password like &quot;sW3&#x2F;W4Bmbx=Md%&quot; that way.An alternative might be a password that consists of 4 groups of 16 lower case letters, with no duplicate letters within a group, with the first and third groups sorted so the letters are encountered in this order: qwertyuioplkjhgfdsazxcvbnm [1]. The second and fourth groups are sorted using the reverse of that order.That gives you a 64 character all lower case letter password that can be entered by starting at &#x27;q&#x27; and then scanning across the keyboard back and forth, row by row, hitting enter when you come to the characters that are part of the password. It has about the same entropy as &quot;sW3&#x2F;W4Bmbx=Md%&quot; but might be less frustrating to type. Most of the time entering it you are only having to deal with two remote keys. The arrow for the direction of your scan on the current keyboard row and enter, with just an occasional up&#x2F;down to move between rows.(If it is a smart TV or cable box, there is a decent chance the remote includes a numeric keypad. In that case I&#x27;d consider a 27 character all digit password, if I wanted something with about the same entropy as &quot;sW3&#x2F;W4Bmbx=Md%&quot;).[1] assuming the on screen keyboard is QWERTY. Some use alphabetical order.

If the customer wants to do it why should the institution care?

pass phrases, where each word is relatively low entropy, but its a lot easier for humans to memorize a long phrase than a long series of random characters

I cannot conceive of any situation that would make a 64 character password necessary. Even 256 bits of random data can be encoded into less than 42 printable ASCII characters.And even that is twice as much as would ever seem necessary.

The idea of reading a password manager reading a website&#x27;s password rules (which they are calling &quot;quirks&quot; apparently) is a great idea as the app would then know what the controlling parameters are (15 characters, must have an upper, a lower, and three special characters) when it auto-generates a password. Since I started using KeePassXC I&#x27;ve been shocked at how many websites -- especially financial institutions! -- don&#x27;t allow you to use 64 character long passwords using multiple &quot;special characters&quot; (why would you make a password rule that says I can only use five select non-number, non-letter characters and only &quot;one to three&quot; of said characters?)...

Why would any site do that? Other than in a banks website I haven&#x27;t encountered that behaviour previously

Sites would immediately use it to essentially disable password managers &quot;for security.&quot; Sites have done everything they can to block password managers historically, I don&#x27;t anticipate that changing.

I feel like this would be better as a Well-Known URI, for example &#x2F;.well-known&#x2F;password-manager.json with similar format to the repo – That way it&#x27;s not up to Apple to decide what goes in the repository

I&#x27;m probably just doing something wrong but I haven&#x27;t figured out how to save a new password for something I just signed up for anywhere other than Apple&#x27;s password manager.

What are your suggestions? Genuinely curious as I find the iOS integration quite excellent, it lets me pick from 1Password directly on the password prompt.

That&#x27;s not an actual retort to the critique.Apple cripples third party password managers on purpose. Pointing at Apple&#x27;s worse product, a product that only works within their confined ecosystem, while claiming it is better than it was isn&#x27;t a retort, it is a polite middle finger.On that note, I recently set up a new iPhone &amp; Watch. I had to enter my Apple Password six separate times, and 2F twice. And not once was my password manager allowed to populate it, even though it is saved in there.Sure, I could use Keychain, but it lacks common &amp; basic features and doesn&#x27;t work on PCs, non-Apple mobile devices, or on the web. Maybe if Apple competed fairly on quality rather than abusing their anti-competitive silo(s), they&#x27;d have a better password manager.

They are upgrading Keychain to be a first class password manager in iOS14. Along with WebAuthN improvements, this might negate the need for many third party password managers.

It is miles better than the implementation on Android.

I just wish Apple allowed better integration with third-party password managers.

1 hour ago this began appearing on plenty of Mac news sites. The PR game is a push not a pull.

<a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;news&#x2F;?id=06052020a&amp;1591373342" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;news&#x2F;?id=06052020a&amp;1591373342</a> doesn&#x27;t seem like a &quot;heavy publicity push&quot;. It&#x27;s a niche topic and the target audience of people who build password managers isn&#x27;t exactly a huge one.

No. Not hating on it because it&#x27;s from Apple. Hating on it because they must have more information then they released in the repo.Perhaps they truly don&#x27;t have more information and released everything they have – and this is a &quot;what if we were to come together&quot;.But it doesn&#x27;t feel immediately useful, and so I&#x27;m reluctant to believe that companies will bidirectionally contribute to this.

&gt; Not that it would be a joke if an individual developer released itYou&#x27;re hating on it for being from Apple? That makes as much sense as loving it because it&#x27;s from Apple.

This is not even a drop in the bucket if you think this is some sort of publicity stunt. Outside of the tech bubble nobody knows any of this stuff even exists, and inside the tech bubble there&#x27;s a much, much higher percentage of incel&#x2F;redpill types than the general population, so it wouldn&#x27;t even make sense as a way to change their perception within the tech world.It may or may not be useful to anyone, I have no idea. But to characterize this as a &quot;heavy publicity push&quot; doesn&#x27;t make sense. It&#x27;s not a push, there&#x27;s no publicity, and there&#x27;s nothing heavy about it.

I’ll say it. This is kind of a joke.Not that it would be a joke if an individual developer released it, and built an active community who contributed, or if it was more than 100 websites long.But the heavy publicity push seems a bit early. And, it feels like Apple’s announcement is little more than “hey guys, check out this POC repo!”.It kinda feels like Apple doesn’t get OSS.

Apple releases open source 'Password Manager Resources' project for developers