Heads up: if you’re particularly concerned about passwords, and we all should be, you might want to pay attention to this flaw that was recently discovered in iOS 8. Apparently the autocomplete feature for the new QuickType keyboard in iOS 8 is a little too good.
iGen.Fr recently noticed that, while in Safari, a user might be prompted to enter his or her password using a new “autocomplete password” option that pops up at the top of the keyboard. Obviously this could be convenient for some people, but it’s also dangerous if someone picks up your phone and suddenly has access to all of the sites with saved information in Safari. Cached passwords can be a security issue on all platforms, but this is worse. One member of Apple’s support forums recently posted an example where autocomplete recommends part of the actual password, revealing it to anyone who has the phone.
The user said his or her password is typically OrangeJuice!2 and that autocomplete has been suggesting “OrangeJuice” in the password field, which is the bulk of the password. A would-be hacker could easily get the last two characters, which makes the password that much less secure. The poster noticed that this happens inside Safari but also in other places like Notes. We haven’t been able to replicate it on the Facebook Safari page or inside of our banking app, but there’s proof it exists.
Right now the best option to maintain your privacy is to simply turn off QuickType. You can do this by visiting Settings > General and then turning off “Predictive” on your iOS 8 device. Here’s a look at the flaw in action, as submitted to Apple’s support forums: