Customizing Password AutoFill Rules

Modify the strong password rules for your app by adding your own restrictions.


While automatic strong passwords generated by Password AutoFill are designed to be robust, your app may require its own restrictions in order to remain compatible with other technologies.

To customize password rules for an automatically generated password, use the passwordRules property in UITextInputTraits or the passwordrules attribute in the HTML input element in your webpage.

The value for these both of these properties must follow the same set of restrictions in the following form:

required: (<identifier> | <character-class>), ..., (<identifier> | <character-class>); allowed: (<identifier> | <character-class>), ..., (<identifier> | <character-class>); max-consecutive: <non-negative-integer>

Use a combination of keywords to specify your rules:

  • Required or Allowed Keys: Use required if the restrictions must be followed by all passwords; use allowed if the restrictions specify a subset of allowed characters. If you don’t include the allowed property, all the required characters are permitted. If you include both properties, all the allowed and required characters are permitted. If neither are specified, then all ASCII printable characters are permitted

  • Character Classes: Use a combination of upper (A-Z), lower (a-z), digits (0-9), special (-~!@#$%^&*_+=`|(){}[:;"'<>,.? ] and space), ascii-printable (all ASCII printable characters), or unicode (all unicode characters).

  • Maximum Length Key: Use max-consecutive to specify the maximum length of consecutive characters in your password. If you have multiple max-consecutive properties in your rule, the minimum value of the properties will be applied. Without this property, the password can be of any length.

  • Custom Character Class: A <character-class> is a custom characters class. This property consists of a list of ASCII characters surrounded by square brackets. For example, [abc] only allows characters "a", "b", and "c".

  • Non-negative Integer Class: A <non-negative-integer> is a valid non-negative integer. This property is used to specify the max-consecutive property, since the maximum length can’t be negative.

The default password rule is applied without any definition for the password rules property. It allows all ASCII printable characters, written as allowed: ascii-printable.

You can combine these keywords to form your rule. Duplicate property values, empty character classes, and properties without a value are ignored. Don’t specify the pattern property if using password rules. If you have two password fields (one for the password, one for confirmation), you don’t need to specify password rules for both fields when the user enters a new password.

The specified password length can’t be less than 12, and the allowed characters must consist of at least 2 of the following classes: ASCII uppercase letters, ASCII lowercase letters, and digits. If your password restrictions don’t meet these guidelines after all the properties for your text field have been combined, they will be ignored by the user agent.

Construct a Password Rule

For example, say you want to require a password with at least eight characters consisting of a mix of uppercase and lowercase letters, at least one number, and at most two consecutive characters. You would add this markup:

<input type="password" minlength="8" passwordrules="required: upper; required: lower; required: digit; max-consecutive: 2">

To require at least one digit or one special character, but not both, add this to your markup:

<input type="password" minlength="8" passwordrules="required: upper; required: lower; required: digit, [-().&@?'#,/&quot;+]; max-consecutive: 2">

Or, you could require at least one of a set of special characters ( -().&@?’#,/“+) by adding this to your markup:

<input type="password" minlength="8" passwordrules="required: upper; required: lower; required: digit; required: [-().&@?'#,/&quot;+]; max-consecutive: 2">

Alternatively, to optionally allow one special character, add this to your markup:

<input type="password" minlength="8" passwordrules="required: upper; required: lower; required: digit; allowed: [-().&@?'#,/&quot;+]; max-consecutive: 2">

And as another example, to allow a password to contain an arbitrary mix of letters, numbers, and special characters, add this to your markup:

let newPasswordTextField = UITextField()
newPasswordTextField.passwordRules = UITextInputPasswordRules(descriptor: "allowed: upper, lower, digit, [-().&@?’#,/&quot;+]; minlength: 8;")

Specifying multiple character classes is equivalent to specifying one character class that represents the union of the characters in all character classes.

The exception to this equivalency is required. A password must contain at least one character in every specified required property. For example:

allowed: upper; allowed: lower <=> allowed: upper, lower
required: upper; required: lower <=> required: upper; required: lower

See Also

Password Rules


Requirements for passwords for your service to ensure iOS can generate compatible passwords for users.


A class that represents password rules for a text input field.