apple / password-manager-resources

A place for creators and users of password managers to collaborate on resources to make password management better.
MIT License

Weak Password Warning Exception List - A new Quirk? #436

Open m33x opened 3 years ago

m33x commented 3 years ago

Hi all,

don't know whether this issue belongs here or it better fits an iOS bug report, so feel free to close.

(At least) in Germany there are many banks that make use of 3-4-5-6-digit (alpha)numeric PINs for online banking. Even though the websites are heavily rate-limited (3-5 tries before the account is locked) the iCloud keychain displays an (incorrect) warning message that discomforts users. There is no way to choose a longer (more secure) password. All 5-digit PINs cause this warning, because they are all "so frequently used."

Here are some German banks that use such 5-digit PINs for online banking:

One problem with such a warnings exception list: While the Sparkasse bank runs a central IT infrastructure, their online banking services are decentrally organized. Thus, their domain names differ quite a lot, some examples:

https://www.berliner-sparkasse.de - Sparkasse Berlin
https://www.haspa.de - Sparkasse Hamburg
https://www.sskm.de - Sparkasse Munich

So, there is no simple regex-based approach to fix this issue for Sparkasse bank.

Warning 1:

Warning 2:

Are there any opinions or ideas on that matter?

rudyrichter commented 3 years ago

It's too bad so many banks choose bad systems (5 digit pin, SMS 2FA). I think a quirk to suppress certain weak password warnings might be helpful to the user here as they have no control over the structure of the password being supplied. @rmondello?

Cldfire commented 3 years ago

It sounds like such banking websites would need custom password rules specified for them anyway (to ensure that passwords meeting their strict requirements are generated for use on those sites). Would it be possible to use the existing password rules quirk to accomplish this behavior?

Password managers could look at the list of password rules quirks, find the password rule quirk for a given site, and then determine based off the rule whether or not it's appropriate to show a weak password warning for a given site. This would have the added benefit of allowing each password manager to determine said appropriateness in the context of their system.
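An added example (not code from this repository or from any commenter) of the lookup Cldfire describes: parse a site's password rules string in the project's rules language, decide statically whether that site can only accept short all-digit PINs, and if so suppress the weak-password warning. The domain-to-rules map and the rule strings are constructed for illustration, and the fallback weakness check is a hypothetical placeholder for a manager's real strength estimator.

```python
from urllib.parse import urlsplit

# Constructed sample quirk map (domain -> password rules string); the rule
# strings are illustrative, not taken from the real quirks file.
SAMPLE_RULES = {
    "haspa.de": "minlength: 5; maxlength: 5; allowed: digit;",
    "sskm.de": "minlength: 5; maxlength: 5; allowed: digit;",
    "example.com": "minlength: 8; required: lower; required: upper; required: digit;",
}

def parse_rules(rule_text):
    """Parse a 'key: value; key: value;' password rules string into a dict."""
    rules = {"allowed": set(), "required": [], "minlength": None, "maxlength": None}
    for clause in rule_text.split(";"):
        key, _, value = clause.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("minlength", "maxlength"):
            rules[key] = int(value)
        elif key == "allowed":
            rules["allowed"].update(v.strip() for v in value.split(","))
        elif key == "required":
            rules["required"].append({v.strip() for v in value.split(",")})
    return rules

def is_pin_only_site(rules):
    """True when every password the site can accept is a digit-only PIN of at most 6 chars."""
    classes = set(rules["allowed"])
    for group in rules["required"]:
        classes |= group
    # No character-class clauses means the default (printable ASCII) is allowed, so not a PIN site.
    return classes == {"digit"} and rules["maxlength"] is not None and rules["maxlength"] <= 6

def should_warn_weak(url, password, rules_by_domain):
    """Decide whether to show a weak-password warning for this URL/password pair."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # Walk from the exact host up to its registrable parent; each decentral domain
    # (berliner-sparkasse.de, haspa.de, ...) still needs its own entry in the map.
    for i in range(len(labels) - 1):
        domain = ".".join(labels[i:])
        if domain in rules_by_domain:
            if is_pin_only_site(parse_rules(rules_by_domain[domain])):
                return False  # the site forces a PIN; warning the user would be misleading
            break
    # Hypothetical fallback heuristic standing in for a real strength estimator.
    return len(password) < 8 or password.isdigit()
```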

rmondello commented 3 years ago

I haven’t thought about the mechanics of taking a “here’s a formula to generate a strong password” recipe and statically deriving that all passwords on a domain are PINs. Seems doable. I like using the existing list for this purpose!