Strong Passwords with SecAccessControlCreateWithFlags

Hello, I have no idea how to enforce that. At for example windows domains, there is a policy GPO that controls the password complexity but I think that you need to enforce the complexity before storing the password. I am new, so learning ;)

Is there a way to enforce strong password requirements when using the .applicationPassword flag?

There is not.

I think that’d made a fine enhancement request.

If you do file an ER, please post your bug number, just for the record.

If enforcing strong passwords isn’t possible, is there an alternative approach to provide a predefined strong password during the creation process, bypassing the need for user input?

No.

But I suspect I’m missing something here. Let’s say you could do this, what would the workflow look like? Would you expect the user to remember this high-complexity password? That seems rather… well… brittle.

With SecAccessControlCreateWithFlags, I noticed the item isn’t stored in the traditional file-based Keychain but in an iOS-style Keychain … ?

Correct. This is officially known as the data protection keychain. I recommend that you read TN3137 On Mac keychain APIs and implementations, which explains the backstory here.

is there a way to store it in a file-based Keychain while marking it as unexportable?

No. The data protection keychain uses a completely different access control mechanism than the file-based keychain, and SecAccessControl is part of that data protection keychain model.

But, again, I suspect I’m missing some part of the big picture. What do you mean by “unexportable” here?

The file based keychain does support private keys where you can’t export the raw key bits, but that’s under a different name (extractable). And it only applies to keys, not passwords.

If you can explain more about your overall security goals, I may be able to offer better advice.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the clear answers, I really appreciate the help!

For context, a client asked us to tie a key to an access control flag while enforcing a strong password. Alternatively, they wanted to store a key in the file-based keychain but ensure that the user couldn’t export it (e.g., as a .p12 file). We were exploring the feasibility of these options.

Now that we know it’s not possible, we can provide them with a clear answer. Thanks again for your support!

ensure that the user couldn’t export it

That is definitely an option for the file-based keychain. I’ve got code for it somewhere… OK, here we go… check out this thread.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"