QuickType, Apple’s new predictive keyboard on iPhone, iPod touch and iPad devices running iOS 8, reportedly suffers from a potentially dangerous oversight: the software may suggest parts of passwords that you previously typed on websites, as first reported by French-language blog iGen.fr.
A new thread on Apple’s Support Communities website includes a note by one user who reported the keyboard offering “OrangeJuice” as a suggestion each time he typed “AppleUser”, because QuickType remembered the “OrangeJuice!2” password he had previously used to log in to Outlook Web App.
“The worst part is that it also suggests me other passwords from other services and old passwords that I already changed”, noted a user under the nickname “ramiroegueta”.
There’s no doubt this potentially dangerous oversight impacts the security and privacy of iOS 8 device owners. Theoretically speaking, anyone who gets hold of your device and gains access to it can visit websites like Facebook and Google in Safari to leverage QuickType to retrieve parts of the previously used passwords.
The issue is not isolated to iOS 8’s Safari and manifests itself throughout the system, in any app which provides standard text input, like Notes, Reminders and more.
Until Apple delivers a fix, you can protect yourself by disabling QuickType: set “Predictive” to OFF in Settings > General > Keyboard.
Unfortunately, Apple does not permit users to selectively delete custom words picked up by QuickType as you use the keyboard over time.
If you have been able to reproduce the issue on your device, please share your experience with others in the comments below.
Update: From our tests, it appears that the described issue happens when a user enters a password on a website that doesn’t properly use the password field, leaving it as a normal text field. When that happens, QuickType may remember your password as if it were any new word you typed. This is not an issue or a security flaw of iOS 8. In this instance, iOS 8 does its job of learning new words as you type them. The problem comes from sites that do not implement the password field properly. The issue would be the same as typing your password in plain text in the Notes app, for example, and having QuickType learn it from there.
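
For site owners who want to check their own login forms for the mistake described in the update, here is a small audit sketch. It is an added example, not code from the article or from Apple; the sample markup, the field names and the list of password-like name hints are assumptions made up for illustration.

```javascript
// Added example (not from the article): audit form markup for password-like
// inputs that are not declared type="password".
// Constructed sample markup; field names are hypothetical.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username" id="user">
  <input type="text" name="password" id="pw" placeholder="Password">
  <input name="user_pwd">
  <input type="password" name="confirm_password">
  <input type="hidden" name="password_hint_token" value="x">
  <input type='TEXT' autocomplete='current-password' name=p>
</form>`;

// Input types that never accept free-typed text, or already mask it.
const SKIP_TYPES = new Set(["password", "hidden", "submit", "button", "reset",
  "checkbox", "radio", "file", "image"]);
// Attributes whose values usually reveal what a field is for.
const HINT_ATTRS = ["name", "id", "placeholder", "aria-label", "autocomplete"];
const SECRET_HINT = /passw|passphrase|passcode|pwd/i;

// Parse one <input ...> tag into an object of lowercase attribute names.
function parseAttrs(tag) {
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per input that looks like a password field but would be
// treated as ordinary text. Simple tag regex: assumes no ">" inside values.
function findExposedPasswordInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = (a.type || "text").toLowerCase(); // missing type means text
    if (SKIP_TYPES.has(type)) continue;
    const hit = HINT_ATTRS.find((k) => SECRET_HINT.test(a[k] || ""));
    if (hit) findings.push({ field: a.name || a.id || "(unnamed)", type, hint: hit });
  }
  return findings;
}

console.log(findExposedPasswordInputs(SAMPLE_HTML));
```

The check is a naming heuristic, so a flagged field still needs a manual look before it is changed to `type="password"`.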