Rendered at 21:07:55 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
zerobees 18 minutes ago [-]
This article appears to be 100% AI. I guess there's some irony that a company ships an AI feature and someone else uses AI to come up with criticisms of that feature. But the article... doesn't actually say anything?
It's just full of weird, generic short-sentence LLMisms ("Detection is observation.", "Changing the password is authority.", "The security benefit is real.", "That is a meaningful improvement.", "This is not just text generation. It is an agent taking action with a sensitive credential.", ...). It doesn't offer any insights into the actual architecture that Apple came up with, whatever it might be. It doesn't propose a better design, other than a bunch of super-generic things that apply to every single software project ever ("The system should verify the exact website and account before filling or changing anything.", "This feature deserves focused adversarial testing during the beta period."). So... it's upvoted just because the title mentions Apple and AI?
Animats 40 minutes ago [-]
Back in 1984, I wrote the original "obvious password detector".[1]
It just checks whether a password has English language trigram stats. This prevents dictionary attacks.
There's this standard that is being worked on by the people working on the Passwords app at Apple (They are active on Mastodon, and often talking about that) which will probably be helpful for this feature too: https://www.w3.org/TR/change-password-url/
thallavajhula 53 minutes ago [-]
Thank you for this resource. I'm reading up on this spec and it seems like an interesting direction.
I feel like this solution isn't about solving a problem for the user, but driving adoption (and lock-in) to Apple's Password app, while undercutting third-party apps.
They don't just identify the issue, they update the password with the service, and then lock it in their app. If you use apps like 1Password, your passwords will automatically be out of sync, without explanation.
Finally, I simply don't trust Apple software. It hasn't been sufficient quality for almost a decade. The UX for this is going to be a nightmare: imagine dozens of old sites sending you notifications that your password has been changed. Is it identity theft, or Apple trying to be helpful? Are you going to trust that it's Apple, or spend time investigating, just to be sure?
AshamedCaptain 41 minutes ago [-]
Call me when it can _delete the account_ from all those websites, which is likely the primary reason the user has not updated the password yet.
flyingshelf 12 minutes ago [-]
The app already proposed to change passwords and lead the users onto the website to do it. Now it can just do it autonomously (reportedly.)
At any rate this is just the first step towards a first-party agentic OS.
nikisweeting 16 minutes ago [-]
Very curious if they're implementing browser driving themselves or using an off-the-shelf library like stagehand, browser-use, etc. to drive the DOM. Hopefully they open source it if it's in Swift.
A11y-tree alone is not enough for many sites because lots of auth stuff happens in OOPIF frames that need special handling/stitching/interactive element filtering.
There's also the issues of many captchas around auth stuff being implemented using canvas elements (that are hard to instrument for browser agents without relying on CUA). Can their on-device 3B model really handle accurate CUA driving? I guess we'll see...
doodlebugging 17 minutes ago [-]
I wonder whether the AI generated password that you allow to be created on your iPhone in the Passwords app can be recovered and added to whatever password manager you might be using on Windows or Linux desktop.
It seems like this is a great way to lock oneself out of access to an account on some of the devices that they own that do not have access to the Passwords data storage.
I can see where this can be a benefit in helping users secure their accounts with stronger passwords but I think that there is a lot of potential for this to become a real problem.
pokstad 24 minutes ago [-]
I’ve had the iOS password app think that it changed my password, when it did not, and then lose my old password.
tcoff91 18 minutes ago [-]
It doesn't retain all previous passwords??? that's crazy.
vablings 32 minutes ago [-]
This could have nuclear level consequences. Imagine somehow your keychain is compromised. Using a change password URL means an attacker could literally lock you out of every account at the same time
john_strinlai 26 minutes ago [-]
this only really changes things for obscure sites. there's already automation readily available for all the popular social media, banks, crypto sites, etc.
eboy 29 minutes ago [-]
[dead]
flyingshelf 14 minutes ago [-]
This is a great article except the "That can happen for plenty of boring reasons" list. Almost each of those reasons is completely unrelated to AI and can happen even if you attempt the change 100% manually with or without a password manager.
15 minutes ago [-]
TechRemarker 44 minutes ago [-]
Yes, also immediately thought of all the endless ways this could go wrong and end with someone losing access to their account, which depending on their account could be trivial or life altering, especially if their loss ends up being someone else's gain. Apple takes baby steps so I'm sure this will be limited in nature and most likely will get delayed until fully tested, but I'd definitely avoid testing during betas (with any real accounts that is).
throwaway85825 42 minutes ago [-]
People already have a hard time remembering passwords without them being automatically changed.
Schiendelman 33 minutes ago [-]
You should not be trying to remember your passwords. That's what autofill is for, so you can use passwords that are actually secure.
throwaway85825 14 minutes ago [-]
I'm trying, but its not so easy to convince people I know.
Schiendelman 10 minutes ago [-]
Let Apple change their passwords so they have to use the manager! :D
mikestew 25 minutes ago [-]
I can remember two passwords: the one that gets me into my laptop, and the one that gets me into my password manager. And this feature requires one to use Apple's default password manager, ergo...
And I shouldn't remember the first one, I just haven't gotten 'round to setting up the Yubikey on the laptop just yet.
thewebguyd 19 minutes ago [-]
That's the point of the password manager. You shouldn't be remembering individual passwords, they should largely be random.
Petersipoi 19 minutes ago [-]
If you're trying to remember passwords, you're already doing it wrong
john_strinlai 30 minutes ago [-]
people should not really be remembering any password other than the master password for their password manager.
this also requires the passwords app to even function. so this should be a non-issue.
drob518 2 hours ago [-]
Yea, I saw that during the WWDC keynote and physically cringed. As the article says, what could go wrong?
coldtea 20 minutes ago [-]
Nothing much different than e.g. Chrome suggesting a password and saving it?
cyanydeez 1 hours ago [-]
It's good to know Apples not immune from the insecure by design hype machine; just late to the game!
dotcoma 43 minutes ago [-]
Can it be turned off ?
eblume 41 minutes ago [-]
As per the demo, in order for Siri to rotate your passwords "for you", you have to open the Password app, go to their dashboard on weak or exposed passwords, and click a button asking it to rotate your password account by account.
So yes. It's off by default. You have to affirmatively use the feature. (This is purely based on what I remember from the demo, mind you. I have not used the feature.)
srik 30 minutes ago [-]
This one is getting a lot of undue flak. Not only does it require explicit confirmation, it’s also contained entirely within the passwords app which already has access to all your passwords because you chose to trust it.
If you use this app, open it and look at how many entries fall under the “security” section. Everyday another password is compromised and added to the list, just too many to keep up. So, albeit apprehensively, I for one appreciate this feature.
I already let 1Password generate all my passwords, so as long as they're just invoking tools with AI rather than having it attempt manually, it doesn't seem like such a big deal?
ThejaCH 1 hours ago [-]
I mean isn't it either to complex to implement or not a good implementation kind off thing?
A good chunk of people do use devices other than apple eco system one's and if they try to login and then suddenly, you can't!
Schiendelman 32 minutes ago [-]
If they already use devices outside the Apple ecosystem, they're not using the Passwords app, or they're using the plugins that get you access to it in other ecosystems.
TylerE 45 minutes ago [-]
Isn't that a completely defeating attitude? V1.0 is rarely anything close to perfect.
It's just full of weird, generic short-sentence LLMisms ("Detection is observation.", "Changing the password is authority.", "The security benefit is real.", "That is a meaningful improvement.", "This is not just text generation. It is an agent taking action with a sensitive credential.", ...). It doesn't offer any insights into the actual architecture that Apple came up with, whatever it might be. It doesn't propose a better design, other than a bunch of super-generic things that apply to every single software project ever ("The system should verify the exact website and account before filling or changing anything.", "This feature deserves focused adversarial testing during the beta period."). So... it's upvoted just because the title mentions Apple and AI?
Everything is so much more complicated now.
[1] https://www.animats.com/source/obvious/obvious.c
For anybody else trying to know what else the .well-known URI can hold: https://en.wikipedia.org/wiki/Well-known_URI#List_of_well-kn...
I'd have really preferred another term: registered, reserved, defined, meta -- or really anything else.
They don't just identify the issue, they update the password with the service, and then lock it in their app. If you use apps like 1Password, your passwords will automatically be out of sync, without explanation.
Finally, I simply don't trust Apple software. It hasn't been sufficient quality for almost a decade. The UX for this is going to be a nightmare: imagine dozens of old sites sending you notifications that your password has been changed. Is it identity theft, or Apple trying to be helpful? Are you going to trust that it's Apple, or spend time investigating, just to be sure?
At any rate this is just the first step towards a first-party agentic OS.
A11y-tree alone is not enough for many sites because lots of auth stuff happens in OOPIF frames that need special handling/stitching/interactive element filtering.
There's also the issues of many captchas around auth stuff being implemented using canvas elements (that are hard to instrument for browser agents without relying on CUA). Can their on-device 3B model really handle accurate CUA driving? I guess we'll see...
It seems like this is a great way to lock oneself out of access to an account on some of the devices that they own that do not have access to the Passwords data storage.
I can see where this can be a benefit in helping users secure their accounts with stronger passwords but I think that there is a lot of potential for this to become a real problem.
And I shouldn't remember the first one, I just haven't gotten 'round to setting up the Yubikey on the laptop just yet.
this also requires the passwords app to even function. so this should be a non-issue.
So yes. It's off by default. You have to affirmatively use the feature. (This is purely based on what I remember from the demo, mind you. I have not used the feature.)
If you use this app, open it and look at how many entries fall under the “security” section. Everyday another password is compromised and added to the list, just too many to keep up. So, albeit apprehensively, I for one appreciate this feature.
A good chunk of people do use devices other than apple eco system one's and if they try to login and then suddenly, you can't!