Apple goes open source to make password managers work better
The code is being made available on GitHub.
Why does this matter?
The idea is that the project should help password managers generate passwords that are compatible with a specific website. Think about the number of times you’ve requested an ultra-secure passcode and the site has rejected it because of its length, special characters or some other reason.
This should be useful to a range of developers, including those developing proprietary enterprise security systems, while all users should benefit from more secure experiences.
What Apple says
“Apple has created a new open source project to help developers of password managers collaborate to create strong passwords that are compatible with popular websites. The Password Manager Resources open source project allows you to integrate website-specific requirements used by the iCloud Keychain password manager to generate strong, unique passwords. The project also contains collections of websites known to share a sign-in system, links to websites’ pages where users change passwords, and more.”
What does Apple say on GitHub?
Writing on the GitHub project page, Apple’s open source team explains:
- “By sharing resources, all password managers can improve their quality with less work than it’d take for any individual password manager to achieve the same effect.
- “By publicly documenting website-specific behaviors, password managers can offer an incentive for websites to use standards or emerging standards to improve their compatibility with password managers; it’s no fun to be called out on a list!
- “By improving the quality of password managers, we improve user trust in them as a concept, which benefits everyone.”
What are Password Manager Resources?
“The Password Manager Resources project exists so creators of password managers can collaborate on resources to make password management better for users. Resources currently consist of data, or “quirks”, as well as code.
“Quirk” is a term that refers to website-specific, hard-coded behavior to work around an issue with a website that can’t be fixed in a principled, universal way.
The current quirks are:
- Password Rules: Rules to generate compatible passwords with websites’ particular requirements.
- Websites with Shared Credential Backends: Groups of websites known to use the same credential backend, which can be used to enhance suggested credentials to sign into websites.
- Change Password URLs: To drive adoption of strong passwords, it’s useful to be able to take users directly to websites’ change password pages.
Apple wants developers to use these resources inside their own apps, so long as they share information with the project.
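To make the Password Rules quirk concrete, here is an added example (not Apple's code and not part of the project) of how a password manager could honor a site's rule when generating a password. It assumes a simplified subset of the `passwordrules` property syntax (`minlength`, `maxlength`, `required`, `allowed`, `max-consecutive`); the sample rule string and the fallback defaults are constructed for illustration.

```python
import secrets
import string

# Named classes (subset of the passwordrules syntax); custom classes use [...].
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits}

# Constructed sample rule for a hypothetical site, not taken from the project data.
SAMPLE_RULE = ("minlength: 8; maxlength: 16; required: lower; required: upper; "
               "required: digit; required: [-_.]; max-consecutive: 2;")

def expand(token: str) -> str:
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return token[1:-1]
    return CLASSES[token.lower()]  # KeyError on a class this sketch does not know

def parse_rules(rule: str) -> dict:
    """Simplified parser: custom classes must not contain ';' or ','."""
    r = {"minlength": 12, "maxlength": 64, "max-consecutive": 0,
         "required": [], "allowed": ""}  # example defaults, an assumption
    for prop in filter(None, (p.strip() for p in rule.split(";"))):
        key, _, value = prop.partition(":")
        key = key.strip().lower()
        if key in ("minlength", "maxlength", "max-consecutive"):
            r[key] = int(value)
        elif key in ("required", "allowed"):
            chars = "".join(expand(t) for t in value.split(","))
            if key == "required":
                r["required"].append(chars)
            else:
                r["allowed"] += chars
    # Usable alphabet: everything allowed plus everything required.
    r["pool"] = "".join(sorted(set(r["allowed"] + "".join(r["required"]))))
    r["pool"] = r["pool"] or "".join(CLASSES.values())
    return r

def complies(pw: str, r: dict) -> bool:
    n = r["max-consecutive"]
    return (r["minlength"] <= len(pw) <= r["maxlength"]
            and set(pw) <= set(r["pool"])
            and all(set(pw) & set(req) for req in r["required"])
            and not (n and any(pw[i:i + n + 1] == pw[i] * (n + 1)
                               for i in range(len(pw) - n))))

def generate(rule: str, length: int = 20) -> str:
    r = parse_rules(rule)
    length = max(r["minlength"], min(length, r["maxlength"]))
    while True:  # rejection sampling: uniform over the compliant passwords
        pw = "".join(secrets.choice(r["pool"]) for _ in range(length))
        if complies(pw, r):
            return pw
```

Clamping the requested length to the site's `maxlength` and resampling until every `required` class is present avoids the rejected-password scenario described above without weakening the random source.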