
Apple's strong passwords aren't completely random, they're thoughtfully designed

When an Apple device generates a strong password for you, the structure of that password is not completely random.

Instead, Apple has created rules specifically designed to make them easier to enter if you ever have to do it manually, and to make them memorable …

Apple software engineering manager Ricky Mondello leads the team responsible for ensuring the best possible authentication experience on the company's devices, and he responded to a post from someone who suspected that the auto-generated strong passwords weren't as random as you might think.

Josveningsson made his observation on Mastodon.

@rmondello I'm having an annoying argument on Threads about Apple-generated passwords. Every iOS password (like hupvEw-fodne1-qabjyg) seems to be made up of nonsensical “two-syllable words.” Hup-vew, fod-ne, and qab-jyg above. Is it all in my head? Am I going crazy? Is the two-syllable structure intentional or accidental?

Mondello responded to the question in the form of a blog post, confirming that the two-syllable structure is indeed intentional.

To make these passwords easier to type on suboptimal keyboard layouts like my coworker's game controller, where switching modes can be difficult, these new passwords are actually all lowercase.

And to make it easier to remember little bits of it in your head for a short time, to transfer it to another device, the passwords are based on syllables. It's consonant, vowel, consonant patterns. When you combine those considerations, in our experience, these passwords are actually much easier to type on a foreign, strange keyboard, in those rare cases where some of our users might need to do that […]

So these new passwords are 20 characters long. They have the standard stuff, the uppercase character. They're dominated by lowercase letters. We chose the character to use, which is the hyphen. We put two of them in there and one [number].

Of course, usability couldn't compromise security, and Apple was indeed able to ensure that passwords generated according to this structure were stronger than previous ones.

The blog post is a fascinating look at the level of detail Apple takes into account, even in what we might expect to be random. Mondello also linked to a video discussing this back in 2019.

Via Daring Fireball. Image: Screenshot from Per Thorsheim's video.
