Strong password UI doesn't work correctly

Originator: dave
Number: rdar://FB10087624
Date Originated: 2022/06/07
Status: Open
Resolved: No
Product: iOS
Product Version: 15
Classification: Security
Reproducible: Always
 
# Basic Information

## Please provide a descriptive title for your feedback:

Strong password UI doesn't work correctly

## Which area are you seeing an issue with?

Security

## What type of feedback are you reporting?

Incorrect/Unexpected Behavior

# Details

## What does the Security issue you are seeing involve?

Something else not on this list

## Are you able to reproduce the issue?

Yes

## What software version(s) and hardware have you reproduced the issue on?

iOS 15.1 - 15.5, and I've seen other people post about the issue on earlier versions; I just haven't tested further back.

# Description

## Please describe the issue and what steps we can take to reproduce it:

• Sample project and video attached.

I'm setting up a new user creation view with three fields: username, password, confirm password. The username field has the Content Type set to Username, the two password fields have their Content Type set to New Password.

We are using associated domains, with `webcredentials:domain.com`, and have an `apple-app-site-association` file at `https://domain.com/apple-app-site-association`:

```
{
    "webcredentials": {
        "apps": [
            "XXXX.com.domain.target",
            "XXXX.com.domain.target2"
        ]
    }
}
```

When the user's focus triggers the Strong Password UI, we see strange behaviour. The video attached has a good sample of the things we're seeing, so I'll add some commentary here for each of the 7 app launches shown in the video:

1. (0:00) Tapped Username, Tapped TestUser suggestion in the keyboard. Result: Blank strong password suggested.
2. (0:10) Reproduced #1, same result.
3. (0:18) Tapped Password first, strong password suggested and filled in password and confirm password fields. This is the correct/desired behaviour, but users don't tap the password field first.
4. (0:25) Reproduced #4, same result.
5. (0:30) Reproduced #1, different result. This time it suggested a strong password, but only populated the password field, the confirm field was left blank.
6. (0:39) Reproduced #5, same result.
7. (0:45) Tapped Username, manually typed text, then selected the password field. The system suggested a strong password, but again only populated the password field, the confirm field was left blank.

The sample project shown in the video and attached has no code added to the new project template, only the three fields added to a storyboard with their content types set as mentioned above. This is a Swift project, but I have reproduced it with Objective-C, and I've seen similar reports using SwiftUI.

In addition to this, it's difficult for us to work around it in code because there's another bug with the UITextField when the strong password UI is used. The UITextFieldDelegate method `- (BOOL)textField:(UITextField*)textField shouldChangeCharactersInRange:(NSRange)range replacementString:(NSString*)string;` is called twice (expected since two fields have their text being changed), but both calls have the first password field passed as the `textField` rather than the password field once, and the confirm password field once.
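A minimal view controller for observing the delegate behaviour described in the report, added here as an example; it is not the reporter's attached sample project, which used a storyboard with no code. The class name `SignUpViewController` and the use of `accessibilityIdentifier` to label log lines are assumptions, and the app target is assumed to have the `webcredentials` associated domain configured as in the report.

```swift
import UIKit

// Added example: programmatic stand-in for the storyboard in the report.
// Class name and log labels are hypothetical.
final class SignUpViewController: UIViewController, UITextFieldDelegate {
    private let usernameField = UITextField()
    private let passwordField = UITextField()
    private let confirmField = UITextField()

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        // Same content types as the report: Username, New Password, New Password.
        configure(usernameField, label: "Username", type: .username, secure: false)
        configure(passwordField, label: "Password", type: .newPassword, secure: true)
        configure(confirmField, label: "Confirm password", type: .newPassword, secure: true)

        let stack = UIStackView(arrangedSubviews: [usernameField, passwordField, confirmField])
        stack.axis = .vertical
        stack.spacing = 12
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor, constant: 24),
            stack.leadingAnchor.constraint(equalTo: view.layoutMarginsGuide.leadingAnchor),
            stack.trailingAnchor.constraint(equalTo: view.layoutMarginsGuide.trailingAnchor)
        ])
    }

    private func configure(_ field: UITextField, label: String,
                           type: UITextContentType, secure: Bool) {
        field.placeholder = label
        field.textContentType = type
        field.isSecureTextEntry = secure
        field.borderStyle = .roundedRect
        field.accessibilityIdentifier = label  // used only to name the field in logs
        field.delegate = self
    }

    // Logs which field each change is delivered for; the password text is never printed.
    func textField(_ textField: UITextField,
                   shouldChangeCharactersIn range: NSRange,
                   replacementString string: String) -> Bool {
        let name = textField.accessibilityIdentifier ?? "unknown"
        print("change for \(name): range=\(range), replacement length=\(string.count)")
        return true
    }
}
```

If the behaviour in the report reproduces, accepting a suggested strong password produces two log lines that both name the `Password` field, rather than one for `Password` and one for `Confirm password`.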

Comments

Video link

https://youtube.com/shorts/egFRKTzfG4g?feature=share

