iOS 8’s predictive QuickType keyboard found to suggest parts of your passwords [updated]

By , Sep 29, 2014

iOS 8 QuickType (teaser 001)

QuickType, Apple’s new predictive keyboard featured on the iPhone, iPod touch and iPad devices running iOS 8, is reportedly plagued with a potentially dangerous oversight where the software would suggest parts of your passwords that you previously used on websites, as first reported by French-language blog iGen.fr [Google Translate].

A new thread on Apple’s Support Communities website includes a note by one user who reported the keyboard offering “OrangeJuice” as a suggestion each time he would type in “AppleUser” because QuickType remembered the “OrangeJuice!2” password he previously used to log in to Outlook Web App.

”The worst part is that also suggest me other passwords from other services and old passwords that I already change”, noted a user under the nick name “ramiroegueta”.

iOS 8 (QuickType, passwords in suggestions)

There’s no doubt this potentially dangerous oversight impacts the security and privacy of iOS 8 device owners. Theoretically speaking, anyone who gets hold of your device and gains access to it can visit websites like Facebook and Google in Safari to leverage QuickType to retrieve parts of the previously used passwords.

The issue is not isolated to iOS 8’s Safari and manifests itself throughout the system, in any app which provides standard text input, like Notes, Reminders and more.

Until Apple delivers a fix, you can protect yourself by disabling QuickType by setting “Predictive” to OFF in Settings > General > Keyboard.

Unfortunately, Apple does not permit users to selectively delete custom words picked up by QuickType as you use the keyboard over time.

If you have been able to reproduce the issue on your device, please share your experience with others in the comments below.

Update: From our tests, it appears that the described issue will happen when a user enters his password on a website that doesn’t properly use the password field, leaving it as a normal text field. When that happens, QuickType may remember your password as if it was any new word you typed. This is not an issue or a security flaw of iOS 8. In this instance, iOS 8 does its job of learning new words as you type them. The problem comes from sites that do not implement the password field properly. The issue would be the same as typing your password in the Notes app in plain text for example, and having QuickType learn it from there.

[iGen.fr, Apple Discussion Forums]

  • Share:
  • Follow:
  • Chetan

    LOL.. Apple’s bad week part 2!!

    • Bryan

      Part 3 you mean?

    • Text frames in an app can be set to be of various security.

      If it wasn’t… This would happen.

  • Ваше Онтатиле Масвибилили

    Of course it will and has to if you select it from the quicktype pane…

    • It’s an easy bug to fix. Simply inserting a command that basically says if [this box] is password field, disable/ignore inputted QuickType suggestion. The disable means it would disable the feature entirely and ignore would (obviously) ignore and forget anything the user types in said box

      • a name

        But that requires everyone to use the same way to designate a text input box as a “password” box, or for Apple to code in every way people designate “password” boxes into the predictive text program.

      • Zack Kenyon

        there are standards for creating password fields. I think Apple probably shouldn’t be doing anything predictive unless it’s in a text area anyway though, rather than a simple text field, since that is where the sensitive information tends to go.

    • Please note that neither Android nor Windows Phone has this problem, and both had predictive text YEARS before Apple, giving Cook and friends plenty of time to get their copy right on the first outing. That they failed at something so basic and obvious tells you a lot about the quality of their software engineering.

      • Great to have yet another person that thinks outside the “Apple can do no wrong” box here on iDB…

      • Hey, I used to be part of the Apple club, until I got a clue :).

      • Colonel Sanders

        iPhone was released with autocorrect before Android and Windows Phone were released…

      • Nope. Windows Mobile 5x had autocorrect before there was such a thing as iPhone. Don’t get me wrong, it sucked, but then, so does the autocorrect on the iPhone (and Android. Less so on WP8x, though).

        Also, we’re talking about PREDICTIVE text here, not autocorrect. Predictive text only became available on iOS as of version 8, a few days ago. Windows Phone and Android have both had it for YEARS.

    • noname

      Of course it should not do that. at least it doesn’t on android.

  • Dan

    well that’s no good

  • Jon20

    It looks like we won’t see a jailbreak for a while with all these bug fixes. There’s going to be so many versions of iOS 8 that it will be iOS 9 by the time they get it right. SMH.

    • Ottawa Gamerz

      go to android no break needed

      • Jon20

        Thanks for the offer but I’m not a fan. I’ll stick it out. I’m happy with what I have right now. Thanks though.

  • Faris

    it is not a big deal ! take it easy people.

    • Dan

      it kind of is, unless you don’t mind people finding out what your password is

      • Endriu Andrei

        don’t argue with fan boys. whatever apple does is good for them…

      • Seriously. Tim Cook could shove an iProbe up an infant’s ass on live tv and kill it, and some iTrolls would ooh and ahh about what an innovative device it was.

      • Anthony Snyder

        OrangeJuice is sort of a word but it doesn’t have the ! or the 2 so its kind of still useless.

        But turn it off if your scared about leaking your passwords.

      • Dan

        True but shouldn’t be required

      • felixtaf

        Whatever the password is or how simple it is. It should not predict the passwords!

      • have_gun_will_travel

        Password for WHAT? HOW would you know it was a password in the first place, and even if you THOUGHT it was, how would you know what it was FOR???

      • Dan

        I use the same password everywhere (yeah not smart). Anyways dude, no need to get worked up, everyone makes mistakes, even Apple. I’m sure they will fix it. I just saying why it could be an issue.

      • If, like myself, the user uses a password that isn’t a dictionary word, and contains random letters, numbers and symbols, then it’s kinda easy to gather it’s not a standard suggestion

      • have_gun_will_travel

        You’re completely missing the point. Even if you had what you thought might be a password, what would you DO with it? Where would you put it? Where would you try to GO with it? This appears to be another complete non-issue.

      • Ohh my mistake, I was, for some reason, under the impression that the “suggestion” would only show up on the relevant website

      • Sound_Mind24

        Do you give your phone to everyone? At least I don’t give my phone to anyone. I also have a password on the lockscreen and most of the apps are lock.

      • Dan

        I lend to my wife/friends as mentionned at times (not for long periods mind you). Would suck if my password came up.

      • Is it something naughty? Perhaps an ex’s name? 😛

      • Dan

        Starts with p and rhymes with corn lol j/k

      • LOL! Give yourself a cookie!

      • Faris

        So, you use the same password for everything and you lend your iPhone to your friends, and it is an apple problem. hemmmm.

      • Dan

        it is if suggestive typing blurts out my password 😉
        Never had a problem and always did this.

        anyway I wasn’t really complaining, it hasn’t happened to me since I went back to 7.1.2.

      • Considering most people would use the “remember login details” feature in Safari, this is no less secure

      • Shinku

        none issue unless the phone is stolen and they randomly look for keywords on your stolen phone.

  • Derik Stroisch

    that’s kinda weird cause I have the predictive keyboard enabled but it never shows up when I go to type in a password… it wont even let me enable predictive text when typing in my password either. hmm.. not saying it cant happen just I haven’t seen it on my phone yet.

    • Nick Chambers

      The article doesn’t say that it does it while typing in a password. It says that it would “…suggest parts of your passwords that you previously used on websites.”

      • Derik Stroisch

        thank you for pointing out my misunderstanding.. either way im not getting “suggest parts of my passwords on previously used websites” when I use the predictive keyboard in any app or website.

      • Nick Chambers

        Me neither, actually.

    • Supafly_Boy

      You’re right. Just tried the same thing and it doesn’t even bring up the QuickType plane or key in my suggested password. Hmm, I smell another #gate attention wh*re fishing for some click bait advertising money.

      • Poke Pokechu

        > The article doesn’t say that it does it while typing in a password. It says that it would “…suggest parts of your passwords that you previously used on websites.”
        –Nick Chambers
        Just keep that in mind; you’re not looking at the right place.

    • Kanwarpal Singh

      I totally agree with you. While entering passwords there’s no prediction tab above keyboard and also why to write the passwords now, when you can easily 1password now.

      • Tom Streetman

        It’s not during typing in of a password that the predictive text comes up. It’s in a normal safari window. When I go to safari, go to google and in the search bar begin to type, your password might pop up.

    • Applications and web pages have flags on the data type of the input frame… If it’s set right, this wouldn’t happen. But some developers think they know better.

  • Lucas Tres

    First of all, how are people supposed to access the keyboard if they won’t even be able to unlock my phone?? That’s not a big deal!

    • Dan

      I let my wife/friends use my phone, doesn’t mean I want them to know my password…

      • I guess you shouldn’t let them use your phone Dan…

        I’m kidding this should be fixed for those who let others borrow their devices for various reasons.

      • Eric Robinson

        yea… I agree with this guy don’t let other ppl use your phone. I really don’t know of any adult who doesn’t have there own

      • The level of security that I have when I might let someone look at a few pictures on my phone is not as high as, say, my bank account.

      • Lucas Tres

        I’m pretty sure your wife and friends won’t be accessing websites with login panels.

      • Dan

        They actually do, my friend borrowed my phone once to access his facebook (via safari) and my wife to check her email, both had forgotten theirs. I imagine now with iOS 8 I’ll have to tell them not to check their stuff since they might accidentally see my password.

      • Did you purchase a new iPhone or do you still have your Samsung? (The one now cropped out of your photo lol)

      • Dan

        I gave my Samsung to my wife about 5 months ago. Have had a 5S since then. I cropped it out because fanboys seem to freak out about it.

      • Take a new photo showing that gorgeous device bro lol

      • Dan

        I will soon lol. I just liked the pic of shirt and tie

      • justin666

        they don’t have their own? it’s almost 2015.

        cellphones have become FAR too personal of a device to hand them out to other people to use. We keep our lives to a large degree in an iPhone. I’d hand someone my razr or a nokia to make a call or whatever, but i don’t need people checking their mail or seeing my browsing history or a text message that should pop up something like on my personal phone..and honestly, i think it’s weird that someone would even ask. I don’t.

      • Dan

        it can happen to forget your phone 😉
        anyway I’m not preoccupied with it, I went back to 7.1.2

    • It is a pretty big deal if you have devices other then a phone running iOS 8.

      • Anthony Snyder

        Are the quick type suggestions saved over iCloud?

      • I don’t think so its probably per device, however that would be kind of cool. I think..

    • You are GENIUS !!! 😀

  • ThoseCurves

    This is weird, whenever i enter a user Id or password the keyboard always goes back to default quicktype from swype and predictive text is disabled and it shows in the screenshot above ? hmmm… :S

  • HooDatty

    It really sounds like they need more technical minded people as managers and team leads over there at apple. I mean, this is common sense stuff that under no circumstances should be overlooked, and I bet the reason it is is simply due to the fact they’re using junior help to program, and non technical leads approving said work. Unacceptable for a company of apples size.

    • …Or it’s totally up to the application/website designer to flag their password fields appropriately.

      • HooDatty

        This has absolutely nothing to do with a websites function. This is solely apples problem. Smh.

  • jaysoncopes

    I noticed that a couple weeks ago as well. I started using the iOS 8 GM a week before the release, and by the time it officially released, my keyboard was suggesting my actual password to me- a little scary, if you ask me. But I’m not a security freak, so I haven’t done anything about it.

  • Chang in Charge

    This is nuts they are really dropping the ball on the software side, having to pull updates, having to disable Healthkit to start, Carplay being delayed, now this, I will be surprised if we actually see Apple Pay roll out in October. If Apple Pay does launch in October I honestly don’t trust Apple right now with my info. Get your shit straight Cupertino I’m/we are dropping way too much money for all these mistakes. Tired of them teasing features that won’t be available for some time like Continuity with iOS and Yosemite and then the features they do release don’t work how they are supposed to. Seems like they are spread thin right now too many projects and not enough people or maybe just not the right people in the right places.

  • To be clear here, QuickType is automatically disabled when you are in a Password field. However, it appears that QuickType will offer parts of your password as an option when entering your username.

    • Supafly_Boy

      Hmmm, just tried that and I can’t seem replicate that either. Are people just fishing for another #gate now?

      • have_gun_will_travel

        Yes, they are. “Bendgate” didn’t fly, so now they’re looking for something else! So sad!

  • Andy Copeland

    I have been using iOS 8 since it came out and I’ve yet to have it suggest even the slightest part of any of my passwords.

  • Adam

    Scott Forstall is chillin’ at his crib laughing at Apple for sure.
    That guy was the man. The best iOS versions have been made by that man.

    • Tony Trenkle Jr.

      This got a laugh out of me. lol Good ole Scotty!

  • have_gun_will_travel

    First, I would LIKE for it to suggest my passwords, because it’s a PITA to keep typing them in. Second, SO WHAT if it does?!?!?! Even if it does suggest something you have used as a password before, how is ANYONE going to know that it even IS a password, and if they even THOUGHT it was, they still wouldn’t know what the password is FOR!
    Good grief, people, GET A LIFE!

    • Blip dude

      I am actually with you on that one. For starters, it doesn’t even suggest my passwords to begin with, and second, even if it did, I’d say it’s much more convenient (I don’t think its a pain in the A, but still convenient). How would someone know that A) it is a password and B) it’s a password for what?? Up until now, I never used a passcode on my phone, but since the only way to use Apple Pay is to use Touch ID (so it seems), I didn’t have a choice. The QuickType sucks anyways!!! I Rarely get a correct prediction, and when I do, it spells the words wrong.

      P.S. – I was one of those whose info was compromised during the Target credit card breach. I still kept using the same debit card and the only reason why I ended up getting a new debit card is because my bank forced me to do it.

  • Noah

    Use 1Password’s password generator. No need for typing when you can copy and paste. Also, it’s better to use 1Password so you don’t have duplicate passwords and stronger passwords.

  • Lou

    People probably typed their password in some other field by mistake, at least once, and QuickType is remembering it because it was a non-secure field. That’s probably why people are seeing parts of passwords, too.

    • White Michael Jackson

      i doubt that.

  • BooBee

    I disabled predictive text. I loved it for Android with SwiftKey but got so used to not having it with iPhone that I now don’t like it. Crazy, I know.

  • Sound_Mind24

    Why people concern when you put a password on your device, you don’t want anyone to use your phone and last, read what you write before you send

  • cr0ft

    Well, my phone is my phone, nobody should be using it but me. That’s why it’s password protected, so this doesn’t affect me in the slightest. But then again I suppose lots of people share devices, even though I think that’s unwise for something as personal as a phone. Unless it’s your wife, and you have no mistress to hide, at which point it becomes moot if she sees your passwords.

  • Ben Lutgens

    Apple Sucks. Someday the masses might recognize that.

  • Michael Longuepee

    does apple have a freakin clue?… putting out crap like this… it is a wonder they can do anything right at all…

    • have_gun_will_travel

      Ron White is right…again!

  • Piyush

    1password team would be happy after reading this. 🙂

  • utsav koju

    How vulnerable it would be if apple store your each keystroke. Your password will be there in apple main server. You never know. Apple need to avoid suggesting and saving keystrokes when it come to password fields.

  • Tiena

    This isn’t true. When i log into websites, suggested typing doesn’t even offer an option when in the “username” and “password” fields. Clocking anywhere else like in the “search bar” then it becomes available. Never had this issue.

  • Ottawa Gamerz

    apple stop what ur doing and fix ur os kitkat doesnt have ur issues take it from google and make it right test and take ur time 🙂

    • Shinku

      Before you open your mouth please VERIFY if it is a problem first. As a software developer I don’t actually see this happening unless you are an idiot who developed a website that doesn’t correctly label a password field as PASSWORD. predictive text does not cache words/keywords from the password KEYCHAIN. EVER. ever ever.

  • jp2002

    This is what happens when a pro like Scott Forstall is kicked and an idiot like jony ivy is given overhyped importance.

  • Notmyrealname

    This hasn’t happened to me (the password thing)but there does need to be a way of deleting individual suggested words. At the moment the only way is to reset the whole keyboard dictionary. I had to do this as each time I was putting an “x” at the end of messages to my girlfriend it was suggesting “xhamster”.

  • I’m NOTHERE

    and you want to trust Apple with your finances and health… gfl

  • claystorage

    How does it know things I’ve never typed, for instance associating my fathers email “suchandsuch@email.com” with words I have typed, such as my own email- it looks like: myownemail suchandsuch