Apple Platform Security
- Welcome
- Intro to Apple platform security
-
- System security overview
- Signed system volume security
- Secure software updates
- Rapid Security Responses
- Operating system integrity
- BlastDoor for Messages and IDS
- Lockdown Mode security
- System security for watchOS
- Random number generation
- Apple Security Research Device
-
- Services security overview
-
- Apple Pay security overview
- Apple Pay component security
- How Apple Pay keeps users’ purchases protected
- Payment authorization with Apple Pay
- Paying with cards using Apple Pay
- Contactless passes in Apple Pay
- Rendering cards unusable with Apple Pay
- Apple Card security
- Apple Cash security
- Tap to Pay on iPhone
- Secure Apple Messages for Business
- FaceTime security
- Glossary
- Document revision history
- Copyright
Automatic strong passwords
When iCloud Keychain is enabled, iOS, iPadOS, macOS, and visionOS create strong, random, unique passwords when users sign up for or change their password on a website in Safari. Automatic strong password generation is also available in apps. Users must opt out of using strong passwords. Generated passwords are saved in the keychain and kept up to date across devices with iCloud Keychain, when it’s enabled.
By default, passwords generated are 20 characters long. They contain one digit, one uppercase character, two hyphens, and 16 lowercase characters. These generated passwords are strong, containing 71 bits of entropy.
Passwords are generated based on heuristics that determine whether a password-field experience is for password creation. If the heuristic fails to recognize a context-specific password being used at password creation, app developers can set UITextContentType.newPassword
on their text field and web developers can set autocomplete= "new-password"
on their <input> elements.
To help ensure that generated passwords are compatible with the relevant services, apps and websites can provide rules. Developers provide these rules using UITextInputPasswordRules
or the passwordrules
attribute on their input elements. Devices then generate the strongest password they can that fulfills these rules.