Feature request: Password strength indicator while typing

fleupold
Community Member

Sometimes I need to create a password that I can memorize. At the same time, I would like to make sure it is good enough. So it would be nice to see a password strength indicator while typing in a new password. Thanks!


1Password Version: 7.2.5
Extension Version: Not Provided
OS Version: macOS 10.14
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @fleupold! I'm not sure what you mean by "good enough" -- how would you measure that? Estimated bits of entropy? Length? Number of special characters and/or numerals used? Something else?

    If you want to create a memorable password, then using the wordlist generator (instead of the random character generator) will be your best bet. When you do this in the main 1Password app, there's a visible strength indicator available in the form of the green bar at the top of the password generation window, which moves as you change the number of words, like this:

    If you're creating a new password using the mini/extension, it works much the same (though the layout is slightly different).

  • fleupold
    Community Member

    Lars, thanks for your reply. I thought you were actually gauging a password's strength, and seemed to remember that the indicator bar would change upon regenerating a password with the same settings. (Was that maybe the case in previous versions?) But upon closer inspection you are only rating password strength by some pre-determined algorithm, right?

    Well, on many websites one is shown a strength indicator for the password being inserted. I am not a specialist in password theory, but there must be some algorithm to gauge password strength. The results might not be exact or unambiguous, but surely have some meaning.

    I would therefore suggest a similar thing for passwords that one enters manually into 1Password.

  • Lars
    1Password Alumni

    @fleupold

    I thought you were actually gauging a password's strength...

    Again, I'm not sure what you mean here - gauging by what method? There are many, many ways to gauge password strength, some of them more appropriate and more accurate for certain situations than others. The strength meter in my GIF above IS one measure of password strength.

    If you're looking for us to opine on the strength of a password you've manually entered or pasted in, we're always going to rate it poorly because we can't know the character set or the system that was used to create it. Algorithms are marvelous things, but they can't read the human mind. As our Chief Defender Against the Dark Arts, jpgoldberg, will tell you (at fascinating length, if you let him ;) ):

    Let me illustrate this with a ridiculous example. The passwords F9GndpVkfB44VdvwfUgTxGH7A8t and rE67AjbDCUotaju9H49sMFgYszA each look like extremely strong passwords. Based on their lengths and the use of upper and lower case and digits, any password strength testing system would say that these are extremely strong passwords. But suppose that the system by which these were generated was the following: Flip a coin. If it comes up heads use F9GndpVkfB44VdvwfUgTxGH7A8t, and if it comes up tails use rE67AjbDCUotaju9H49sMFgYszA.

    That system produces only two outcomes. And even though the passwords look strong, passwords generated by that system are extremely weak. Of course nobody would recommend a system that only produced two outcomes, but people do recommend systems that produce a far more limited number of outcomes than one might think by inspecting an individual result of the system. This is because humans are far more predictable than we like to believe.

    That's why it's doubtful you'll see us rating user-entered passwords: we'd rather offer no opinion on the relative strength of any password for which we don't know the system used to originate it, than give you potentially wrong information that might lead to a false sense of security which might be compromised. Here’s some advice on how to choose a good password (this was specifically put together for Master Password for 1Password, but it's the same anywhere), if that helps. Or, just allow 1Password to generate and remember your passwords for you. That's what it's for, after all. :)
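
Added example (not part of the thread and not 1Password's code): the coin-flip illustration quoted in the reply above, worked through in Python, next to the entropy of a wordlist generator. `naive_bits` is a hypothetical string-only meter, and the word list size of 2**13 is an assumed value, not 1Password's.

```python
import math
import string

# Character classes a string-only meter typically looks for.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# The two passwords from the coin-flip illustration quoted in the thread.
COIN_FLIP_OUTPUTS = ("F9GndpVkfB44VdvwfUgTxGH7A8t",
                     "rE67AjbDCUotaju9H49sMFgYszA")


def naive_bits(password: str) -> float:
    """Hypothetical string-only meter: length * log2(pool of classes seen)."""
    pool = sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def system_bits(outcomes: int) -> float:
    """Entropy of a generator choosing uniformly among `outcomes` results."""
    if outcomes < 1:
        raise ValueError("a generator needs at least one outcome")
    return math.log2(outcomes)


def wordlist_bits(list_size: int, words: int) -> float:
    """Entropy of `words` independent uniform picks from `list_size` words."""
    return words * system_bits(list_size)


def compare_coin_flip():
    """Return (password, string-only estimate, real system entropy) rows."""
    real = system_bits(len(COIN_FLIP_OUTPUTS))
    return [(pw, naive_bits(pw), real) for pw in COIN_FLIP_OUTPUTS]


if __name__ == "__main__":
    for pw, naive, real in compare_coin_flip():
        print(f"{pw}: meter says {naive:.0f} bits, system has {real:.0f} bit")
    ASSUMED_LIST_SIZE = 2 ** 13  # assumption, not 1Password's actual list
    for n in range(3, 7):
        print(f"{n} words: {wordlist_bits(ASSUMED_LIST_SIZE, n):.0f} bits")
```

The string-only meter reports about 161 bits for either password while the system that produced them has 1 bit; only something that knows the generator can compute the second number.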

  • fleupold
    Community Member

    Lars, thanks again for your detailed reply, and explaining your thinking behind this.

  • Lars
    1Password Alumni

    @fleupold - you're quite welcome! Always up for a chance to discuss security intricacies. :)

This discussion has been closed.