Expose password rules to web UI/HTML and API

[michaelstingl]

Next versions of macOS and iOS come with very convinient system integration for password managers. This means for example, users can create a secure password and use it in the web UI or input fields in apps. Those fields can tell the system the requirements for secure passwords.

Here you can find more information:
https://nshipster.com/uitextinputpasswordrules/

I wouldn’t be surprised if other platforms follow.

/cc @pmaier1 @PVince81 @DeepDiver1975 @settermjd @pablocarmu @felix-schwarz

[PVince81]

this would only apply when entering passwords in the web UI then ?

[michaelstingl]

iOS client also has native input fields where you can set a new password for a private link for example. If the clients would get the password rules via API, they could request a new password from system that is generated according those rules.

[PVince81]

hmm ok, so there are two requests here:

• expose rules in web UI using the special attribute
• provide API (capabilities?) to retrieve current rules for clients

[michaelstingl]

@PVince81 yes, that's the way I understand it

[PVince81]

how about exposing as capability section ? it makes sense that any user and client can read this and the user can anyway find out about the rules just by typing passwords. this info isn't secret.

[pablocarmu]

You could do it in the capabilities. Then the clients could read this password policy options and map it to each platform native options.

We could use it in multiple cases:

• Suggestions for the user while a private/public link creation.
• Suggestions for the user when changing passwords.
• Ensure the passwords used in the app follow the specific rules.
• ...

Even we could have multiple password policies for different use cases.

There is a talk from this year Apple's WWDC explaining in detail the new APIs and changes:
Automatic Strong Passwords and Security Code AutoFill