
iOS 12 Goes Hard on Password Security


Generating and remembering new passwords has become the bane of many people’s existence. The modern brain is not great at this kind of thing (it’s much better at storing and retrieving ancient baseball stats and quotes from Karate Kid Part III), which is why many people reuse passwords or create the simplest ones possible. Luckily, we have computers, and they’re really good at creating and storing complex bits of information.

In the next release of its mobile operating system, Apple plans to take better advantage of that capability by introducing several new features that help users create unique, complex passwords and ensure that they’re not reusing credentials on multiple sites. The biggest change in the way that iOS 12 will handle passwords is the addition of a feature that will automatically generate strong passwords and drop them into fields in Safari and other apps.

“Passwords are stored in iCloud Keychain and are available on all your Apple devices. And if you ever need to access your passwords, just ask Siri,” Apple said in its preview for the upcoming version of iOS.

Right now, this kind of functionality is available from third-party apps such as LastPass, which can generate strong passwords and fill forms in apps and web browsers. But iOS 12 will now include functionality to handle that task, as well as an API to allow other apps to integrate with iOS to deal with the form filling and other bits. Third-party apps that work with iOS 12 will let users get to their stored passwords from the QuickType bar that appears on the iPhone keyboard.

The second piece of the password changes coming to iOS is an auditing feature that will identify and call out passwords in the stored credential list that have been reused on more than one site. Users can then use the built-in password generator to create new credentials for any that have been reused. There’s also a new feature that allows users to share their passwords among various Apple devices, including iPhones, iPads, Macs, and Apple TV boxes.

There’s another feature that is in current beta releases of iOS that, if it winds up in the final version, will make life much more difficult for law enforcement agencies and others trying to unlock iPhones without the user’s passcode. Known as USB Restricted Mode, the feature would require the passcode in order to connect any device to an iPhone’s Lightning port if the phone has been locked for at least an hour. That change would pretty much defeat the use of specialized devices sold by companies such as Cellebrite that use custom exploits to unlock iPhones through a Lightning-port connection.

Law enforcement agencies are the main customers for these devices, and if the feature lands in iOS 12, it will mean officers will have less than an hour to get a seized iPhone unlocked.