Apple’s strong but “easy” password generation algorithm
Apple’s Ricky Mondello recaps how the company’s password generation system tries to come up with easy to type—but still very secure—passwords:
To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.
Having had to repeatedly type the password I generated for my kid’s Apple ID, I have noticed a certain degree of…memorability?…there. Brains work in strange ways when it comes to words and reading, so I think this is a clever compromise between making sure that passwords are easy to type and also having them remain as secure as possible.
A side note: I first saw the link to Mondello’s blog post over at Daring Fireball, amidst several posts about passkeys and the relevant benefits and drawbacks, to which I’ll add one pro for passkeys that I think John didn’t mention: not only are passkeys resistant to phishing, but in a world where we all see countless compromises of servers that contain our passwords—hopefully securely hashed, but not always—there’s basically no valuable information that a remote server will store for passkeys.
At worst, what would end up leaking is the public key side of the private/public key pair, from which it is nigh impossible[1] to do anything malicious. Moreover, with individual passkeys being mandatorily generated on a per-site basis, you can’t even compare that value to other leaked values. So it’s not just about you maintaining your security, but about improving the security of entities you need to trust who are outside of your control.
[1] The exception would be if the algorithm generating the keys is flawed in some way—which is not impossible, but is unlikely.