Revealed: How Apple creates your passwords

Macworld

When you log into a new service or website on an iPhone, iPad, or Mac, the operating system will promptly suggest a ready-made password that you can accept or reject. This password will be quite long; it will not contain any recognizable words; and it will contain special characters such as hyphens and numbers. All of this fulfills the requirements for passwords so that attackers cannot crack them easily by brute force, simply guessing common combinations of characters.

However, if you’ve adopted a few such passwords from iOS or macOS, you’ll probably have noticed a pattern emerging. They’re not just random. The character sequence is always divided into three sections, with hyphens in between, and the three short parts each sound a bit like words–just not words that occur in any earthly language. Is this a coincidence, or is it intentional? And how does Apple come up with these passwords?

Apple’s secret language

The passwords suggested by iOS and macOS actually follow a sophisticated system, reveals Ricki Mondello, a long-time Apple employee on the security team. The iPhone manufacturer introduced the system in 2018 with iOS 12, and there’s even a WWDC video about it.

The suggested passwords consist of twenty characters, mostly letters, and the hyphens divide these sequences into three equal parts. The idea is that users find it much easier to memorise three short sections than one long sequence of symbols: an important consideration if they ever have to enter the password manually on another platform.

To further help users remember the passwords, at least in short-term memory, the individual letter parts are structured to create syllables that can be spoken (or ‘heard’ in your head): a consonant is followed by a vowel, then another consonant. Apple has created a library of 19 consonants and 6 vowels and uses them to form randomly generated syllables that do not occur in any natural language. There is also a block list of some combinations, which primarily contains the syllables that can occur in profane language.

Another rule you may have spotted: Apple’s proposed passwords each feature just one capital letter. According to Mondello, the reasoning here is that it’s much easier to enter lower-case letters, even on exotic keyboards such as on a game controller. Finally, the single digit that occurs in an apparently random position in the auto-generated password actually has rules governing where it appears: it can appear on either side of a hyphen or at the very end of the password, but it will never appear in the middle of one of Apple’s made-up ‘words’.

The hidden logic of auto-generated passwords

To conclude, Apple’s randomly generated passwords are not actually random at all but follow several fixed rules. In this way, Apple creates a compromise between strong passwords that cannot be guessed and reasonably good usability if the user has to type them in manually on other platforms.