Apple Announced Open Source Password Management Initiative

Passwords are a huge hassle. We all must use them, and generally hate doing so. There’s no way to sugarcoat it. The typical user has hundreds of username and password combinations that they must remember and manage. We all forget and must reset passwords regularly. And, over time, many of these accounts, along with the associated passwords, will be abandoned. And over time, they will be compromised. Because so many people reuse their passwords, those credentials will lead to data breaches.

The recently published 2020 Verizon Data Breach Investigations Report found that stolen credentials are the number one technique used by attackers in data breach incidents. This isn’t a new phenomenon; it has been the case for as long as there have been passwords. Using stolen credentials has unfailingly remained high among the ways enterprises are breached.

One of the ways people try to get a handle on their passwords is a password manager, the handy application that helps people create, store, and manage their logons. Last week, Apple took steps to help the makers of password managers improve their products.

On Friday, Apple announced a new open-source development effort, the Password Manager Resources open source project, designed to help password manager makers work together to create stronger passwords that are compatible with frequently used websites:

“Apple has created a new open source project to help developers of password managers collaborate to create strong passwords that are compatible with popular websites. The Password Manager Resources open source project allows you to integrate website-specific requirements used by the iCloud Keychain password manager to generate strong, unique passwords. The project also contains collections of websites known to share a sign-in system, links to websites’ pages where users change passwords, and more.”

Apple placed the Password Manager Resources project on GitHub. The project is attempting to solve so-called “quirks” in password use among websites. These quirks, Apple says, are website-specific, hard-coded workarounds for website issues “that can’t be fixed in a principled, universal way.” These include:

  • Password Rules: Rules to generate compatible passwords with websites’ particular requirements.
  • Websites with Shared Credential Backends: Groups of websites known to use the same credential backend, which can be used to enhance suggested credentials to sign in to websites.
  • Change Password URLs: To drive the adoption of strong passwords, it’s useful to be able to take users directly to websites’ change password pages.
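As an added illustration (not code from Apple's project), here is a small Python parser, validator and generator for the kind of rule the Password Rules collection holds. It assumes the rules follow Apple's password-rules syntax (`minlength`, `maxlength`, `required`, `allowed`, with class names such as `upper`, `lower`, `digit`, `special` and custom `[...]` sets, each `required` property being its own constraint) and ignores `max-consecutive`.

```python
import re
import secrets
import string

# Character classes of Apple's password-rules syntax (assumed here; see lead-in).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "-~!@#$%^&*_+=`|(){}[:;\"'<>,.?]",
    "ascii-printable": "".join(chr(c) for c in range(0x20, 0x7F)),
}

def expand(value):  # union of the classes in one property value, e.g. 'upper, [-_]'
    out = ""
    for tok in re.findall(r"\[[^\]]*\]|[a-zA-Z-]+", value):  # [custom] or named class
        out += tok[1:-1] if tok.startswith("[") else CLASSES[tok.lower()]
    return "".join(dict.fromkeys(out))  # dedupe while keeping order

def parse_rules(rules):  # 'minlength: 8; required: upper; allowed: [-_];' -> spec dict
    spec = {"minlength": 1, "maxlength": 64, "required": [], "allowed": ""}
    for prop in rules.split(";"):
        name, _, value = (s.strip() for s in prop.partition(":"))
        if name in ("minlength", "maxlength"):
            spec[name] = int(value)
        elif name == "required":            # each 'required' line is its own constraint
            spec["required"].append(expand(value))
        elif name == "allowed":
            spec["allowed"] += expand(value)
    return spec

def allowed_pool(spec):  # union of allowed and required classes, else ASCII-printable
    pool = spec["allowed"] + "".join(spec["required"])
    return "".join(dict.fromkeys(pool)) or CLASSES["ascii-printable"]

def satisfies(password, rules):
    spec = parse_rules(rules)
    return (spec["minlength"] <= len(password) <= spec["maxlength"]
            and set(password) <= set(allowed_pool(spec))
            and all(any(c in cls for c in password) for cls in spec["required"]))

def generate_password(rules, target_length=16):  # random password meeting every constraint
    spec = parse_rules(rules)
    length = min(max(spec["minlength"], target_length), spec["maxlength"])
    pool = allowed_pool(spec)
    chars = [secrets.choice(cls) for cls in spec["required"]]     # one per requirement
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # unbiased shuffle from the OS CSPRNG
    return "".join(chars)
```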

Apple says that by sharing these resources, the collaborative effort will help password manager makers improve their applications, incentivize websites to use standards, and improve password manager compatibility. Apple also hopes that publicly documenting websites that don’t follow the standards will prod them into doing so.

“We encourage you to incorporate the data from this project into your password manager, but kindly ask that you please contribute any quirks you have back to the project so that all users of participating password managers can benefit from your discoveries and testing,” Apple wrote on the project GitHub page.

Interestingly, also late last week, cloud file storage provider Dropbox announced that it has created a password manager, available by invitation only. Dropbox’s password manager is named Dropbox Passwords.

According to TechSpot, “the app is invite-only for now. While the general public can download and install it onto their devices, no one can use it without being granted access (presumably a beta key of some kind).”

“From what we can tell, Dropbox Passwords will work almost the same way as most of its competitors, such as 1Password or LastPass. It will save your passwords for you and allow you to auto-fill them across various apps and websites with a single click. Additionally, it has password generation and syncing functionality, which are also pretty common features in this category of apps,” TechSpot wrote.

As Silviu Stajie wrote in a recent post, users need help with managing their passwords. “A Balbix survey sampling data from more than 10,000 users across all major industries came back with a lot of interesting and worrying data. The most significant issue seems to be that more than 99% of all users reuse passwords, either across work accounts or between work and personal accounts,” he wrote.

“Also, the same password is shared on an average of 2.7 accounts, with the average user having eight passwords shared between work and personal accounts,” he continued. “Even if people don’t reuse passwords, they often choose to alter it slightly. Sixty-eight percent of users prefer this method for new passwords, while 32% substitute the letter with symbols or numbers. Only 28% take the time to generate random numbers or words, and 17% use a sentence. Surprisingly, 6% of users choose to roll dice with words to find a new password.”

Hopefully, Apple’s new effort will help make it so that fewer of us find it necessary to roll the dice.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by George V. Hulme. Read the original post at: