When we first set up our website, we didn’t allow user-specified passwords; we just generated one, and that was your password (rather like a registration key, in a way). This was obviously not ideal, so pretty soon we started allowing customers to specify their own passwords — but we wanted to make sure that the passwords were reasonably strong as we do occasionally see attacks on our systems.

Rather than re-inventing the wheel, we started out using cracklib, an Open Source password checking library. Over time, two things became apparent:

• The checks that cracklib does are in some cases too onerous.

• When the check does fail, cracklib does not give error messages that are understandable or useful to end users.

Now, we prefer to spend our time working on our products rather than our website, and this was a relatively minor issue (some of you didn’t think so, I accept, but you were in the minority) and had an easy workaround of using a somewhat more secure than necessary password and storing it in Keychain (or in your chosen browser’s password database). As a result, while we were aware of the problem, it took us a while to get around to doing anything about it.

Attempt number two was based on another piece of Open Source code, pwtools, which is a port of the algorithm from the OpenWall Project’s passwdqc to Python. This was a distinct improvement, and we’re actually still using it to generate and suggest passwords, but it still ended up with some customers puzzled as to why it was rejecting their passwords when they felt they were perfectly good enough. We didn’t always disagree.

Anyway, I’m pleased to let everyone know that we are now on attempt number three. This time, we’ve written the code ourselves rather than borrowing from others; fewer passwords should be banned, and because we have a Javascript implementation of the checking code it’s now possible to see in real time in the Change Password form how strong we think your chosen password is.

I’m sure there will still be people who want to use a password that our form doesn’t like. Hopefully, though, this should now mean that the password they’ve chosen is genuinely bad as opposed to not meeting some unusual rule that someone else has come up with. If you were one of the people who wanted to set their own password but found it too tricky, please do try again and let us know how you get on.

p.s. Please don’t use the same password on multiple websites. While we’ve implemented our site in such a way that we can’t tell what your password is, not everyone does, and some database administrators and website operators will, as a result, have access to the text of your password. It’s much better to use Keychain Access or 1Password so that you can have separate passwords for each purpose.

We’ve received a number of queries (and a few bug reports) relating to the OS X 10.8 Mountain Lion developer preview, some in under 24 hours from the developer seeds becoming available. To be clear:

• We do not recommend running disk utility software (anybody’s, not just ours) on pre-release versions of Mac OS X. For all we know, Apple has made changes to the filesystem that require updates to our code.

• We do not provide support for use of our software on developer preview versions of OS X.

• Developer pre-releases of OS X have been known to contain serious bugs, some of which could result in data loss. While we are aware that some end-users like to run the developer previews, they are really intended for developers to test their products in advance of the release of the new version, and Apple does not even recommend that developers run the seed releases on their main development systems.

Finally, please remember that, no matter how many people have access to it, developer preview software is covered by a non-disclosure agreement. We will accept bug reports (though it may be a technical breach of the NDA on your part), but under the terms of the Developer Agreement the only place we can talk to you about the developer preview release is the Apple Developer Forums website, and that isn’t an appropriate place for us to provide support.