password generator in 7.3

Dog
Community Member

It looks like the generator in the Chrome extension has been changed to "+ New Password". No problem there, but with earlier versions I was able to select the count for numbers and symbols. I see where I can select whether to use them or not, but I can't find an option to select the count (e.g. 3 numbers and 1 symbol). Has this option gone away? Thanks.


1Password Version: 7.3
Extension Version: 4.7.4.90
OS Version: 10.14.5
Sync Type: WiFi


Comments

  • mark1p
    Community Member

    It’s the same for mini and all browser extensions. Looks like they removed an essential feature to make it more like 1Password-X. I was really disappointed to see this.

  • Localboy
    Community Member

    AgileBits People: Please reinstate the Password Generator in 1Password 7.3. It is an essential part of my workflow. What were you guys thinking taking it out??

  • AirKevin
    Community Member

    Maybe it is just broken for the update. I can't imagine they would remove that.

  • Luckycrab
    Community Member

    I also love the old UI where you can ask it to fill the new password. Now it's Copy and Save or something similar. Has this been changed due to security or something else?

  • Dog
    Community Member
    edited May 2019

    Just a follow up on why I think having control of the number/symbol count is important (especially symbols): A number of websites have a restricted list of allowed symbols. Since I prefer using long passwords for my sensitive accounts, I often restrict the symbol count to 1 or 2 in order to produce an acceptable password with a minimum of required refreshes.

    After messing with it a bit, it appears that the symbol library has been significantly reduced...I no longer see items like ^ ; { ] |, etc. Although it might reduce the occurrences of unacceptable passwords mentioned above, I would really like to see these reinstated.

  • Hi folks. I'm sorry for the confusion around the password generator. I wanted to touch on a few points. First off, the password generator is still present in 1Password mini. You can find it by clicking the + New Password button:

    We did make a change in this version of 1Password mini to allow only Save & Copy when creating a new password, but we are considering some changes to bring password filling back for generated passwords.

    Regarding the fine-grained control over the number of characters and symbols, this change was a result of us working to simplify the password generator overall. In general it should create passwords that work for the majority of websites without having to regenerate them.

  • emajima
    Community Member

    Thanks for the response MrRooni. It seems that many of us prefer having the option for more control over how we generate these passwords though. Is there a way to go back to version 7.2? If so, please provide instructions here - I would vastly prefer the older version. In particular, I want to be able to generate a new password for an existing login (i.e. when I need to change my password for a site). With the new version, it forces me to create a new login, copy the new password, go back to the old login, click edit, and then copy the new password in... Feels unnecessarily complex for a function that was previously very smooth in version 7.2.

  • mark1p
    Community Member

    Regarding the fine-grained control over the number of characters and symbols, this change was a result of us working to simplify the password generator overall.

    But if I go to edit an existing password using the gear icon next to it, the old style generator is still there where I can specify the number of numbers and symbols. So not only did you remove a useful 10 year old feature, the UI is now inconsistent depending on how you do it. I think moving the numbers and symbols options into the collapsible section was more than enough to "simplify" things for the users who need that. Anyone who is going to expand that section to explore those hidden options doesn't need that type of simplification.

  • Thanks for the feedback, folks. We can't recommend using an older version. As a security focused company we'd always recommend running the latest versions of all of your software, but especially your operating system, web browser(s), and 1Password. If you opt to revert to an earlier version that is your prerogative, but it isn't something we can recommend. We'll continue to evaluate how we can best expose the power of the password generator without being overwhelming. There may very well still be room for improvement here.

    Ben

  • jpgoldberg
    1Password Alumni

    Hi all!

    I am the person largely responsible for removing some of the fine tuning controls in the SPG. So if I've done wrong, I would like to get a better understanding of why. Note that I am only going to talk about the controls and options for generating passwords. The filling/saving flow is a different issue.

    Just to let you know, we did two things simultaneously with the "new" SPG. The underlying engine is far more powerful, while at the same time we have exposed less of that power to the user. I gather from what I see above that the questions are about the second half of that change. E.g.,

    @Dog asked

    I see where I can select whether to use them or not, but I can't find an option to select the count (e.g. 3 numbers and 1 symbol).

    Yes. In mini we are no longer exposing such controls.
    And @Localboy says,

    It is an essential part of my workflow.

    There is one technical reason for that, but leaving that aside, I would like to have a better understanding of why you want to be able to specify the exact number of digits and symbols instead of simply "must contain symbols and digits".

    And @emajima says,

    It seems that many of us prefer having the option for more control over how we generate these passwords though

    I am not asking this rhetorically: Why is it useful to you to be able to specify precisely how many digits and symbols are in a generated password?

    Ah, but @Dog has answered (I really need to read the whole thread before responding)

    A number of websites have a restricted list of allowed symbols. Since I prefer using long passwords for my sensitive accounts, I often restrict the symbol count to 1 or 2 in order to produce an acceptable password with a minimum of required refreshes.

    Yep. That is one reason to want fewer symbols, and as you also noted

    it appears that the symbol library has been significantly reduced...I no longer see items like ^ ; { ] |, etc. [...] it might reduce the occurrences of unacceptable passwords mentioned above.

    Yes, again. We dramatically narrowed down the list of symbols to those which are most commonly accepted. At one point we were considering offering "-" as the only symbol.

    Please do let me know if you encounter sites where you do have to generate multiple times to find things that work in the site. In the long term, we would like to have an inventory of what sites allow or exclude what symbols and then generate with that knowledge. We may end up even further reducing the set of default symbols.

    Some math

    For a generated password, symbols don't really make it stronger in a meaningful sense. A 15 letters only password created with our generator is going to be uncrackable (83.77 bits). So the strength gain of adding in symbols or digits is just to take the thing from uncrackable to (more) uncrackable (88.60 bits). Sure the latter is stronger, but nobody on the planet is going to crack an 83 bit password, so the extra strength doesn't give you any extra real security. So in terms of actual practical security gain, adding symbols and digits doesn't make a meaningful improvement.¹

    Letters-only is more than enough for generated passwords of this sort of length. The requirements about symbols and digits would only matter for generated passwords if the passwords were very short (say under 12 characters). So what we have done is exactly what @Dog noticed. We've reduced the symbol set to those which are most likely to be accepted.

    The hope is that these will fill into more sites on the first shot. But if we've overlooked some need, please help me understand what it is.

    Function over form

    There is actually something slightly more radical going on here, though we have only taken small steps in that radical direction. Users of 1Password X have seen our first experiments.

    Traditionally, password generators have asked the user what the form of the generated password should be. So things like mixed case, digits, etc. That is what we are all used to. But we want to move toward a notion of the user specifying what the function of the password is. So here are questions to help think about different functions:

    1. Passwords that will never need to be typed or memorized, but do need to work in websites.
    2. Passwords that need to be memorized and frequently typed (including on mobile keyboards). Your 1Password Master Password has those needs.
    3. Passwords that don't need to be memorized, but will occasionally need to be typed or transcribed. Passwords for things like disk encryption fall into that category.
    4. Passwords that don't need to be memorized or typed, but may need to be spoken. Fabricated answers to things like your mother's maiden name fall into this sort of category.

    Ideally, we'd like to just find a way to figure out what the role of a password we are generating is going to be and then generate something appropriate for that particular need. This would be a move away from the user specifying the specific form in great detail. It is a change in habit, and there are some difficulties in finding out how to ask the user what sort of password is needed, but it really is a more sensible way to think about this.

    Again, as we don't have a good way of knowing what needs there are for a password we are generating, we haven't taken the radical step of prompting for function over form, but we are trying to reduce the need for people to have to specify the form of generated passwords.


    1. The only reason we generate with symbols and digits is because many sites require it. We would have the generator just do letters only if sites accepted that. For human generated passwords, telling them to include symbols and digits once led to better password creation, which is how the whole symbols and digits thing came about. Now it doesn't really even serve that purpose, but over the decades the world has grown convinced that adding a symbol makes a password more secure; so we are stuck with these requirements for the time being. ↩︎

  • emajima
    Community Member

    Thank you for this explanation. I think you’ve satisfied me here - the only reason why I previously preferred to specify the number of symbols was to minimize the number of regenerated passwords I would need to create to come up with something that did not contain symbols that weren’t accepted by the site I was using (in situations where they required a symbol but only accepted certain symbols). I haven’t used the new version for long enough to know if this remains an issue but it sounds like you designed the new password generator to address this limitation without requiring the user to specify the password formula.

    I am still struggling with the aforementioned issues with password generation and filling and would love to hear your thoughts on this if you can comment.

  • Dog
    Community Member
    edited May 2019

    Thank you @jpgoldberg! I have definitely been part of "the world has grown convinced that adding a symbol makes a password more secure". Not having done any real analysis of the situation, I figured that by adding 20 or so additional characters to the mix of the 62 available letters and numbers would make my web site access that much safer. Now if web sites start requiring emojis as required parts of passwords, I think I'll just give up on all this!

  • AGAlumB
    1Password Alumni

    Thanks for your thoughts on this! As Ben mentioned, we're still evaluating to see what further tweaks are needed, so your feedback helps a lot. And, as Goldberg mentioned, knowing the URLs in specific cases where you run into issues can allow us to test and make determinations about how best to proceed -- as well as providing real world data as far as composition rules, etc. :)

    it sounds like you designed the new password generator to address this limitation without requiring the user to specify the password formula.

    That's exactly right. Users shouldn't have to think about it. The ideal is that 1Password would just give you a password that is as strong as it can be within the given constraints right off the bat. We're not there yet, but this is just another step in that direction. Long term, we want to have 1Password be smart enough to determine how to generate the best possible password and/or have specific rules in place for problem sites so it is still at least simple and transparent for the user to do the secure thing, rather than having to try to tweak settings and regenerate. Some people would be perfectly happy to specify precise password formulae themselves (and a CLI app may be a better fit :lol: ), but that doesn't really scale to millions of a wide range of users with varying levels of security expertise -- and, frankly, patience. People shouldn't have to be security experts to use 1Password, only if they want to be. Security and privacy are for everyone. :sunglasses:

  • Dog
    Community Member
    edited May 2019

    @jpgoldberg, I noticed the following in your reply:

    "At one point we were considering offering "-" as the only symbol."

    Just for grins, I checked out about a half dozen secure sites and found that one (a very large financial institution) said the password must include at least one of the following characters: ! # $ % + / = @ ~. Note that the "-" is missing as well as "_" and probably ".". So it's probably best if you don't get too restrictive since there would be no way to generate an acceptable password with "-" being the only special character.

    This isn't a huge deal since I'd probably just paste the generated password into a text editor and manually change it. But if simplicity is an important objective, it's something to keep in mind.

  • jpgoldberg
    1Password Alumni

    Just for grins, I checked out about a half dozen secure sites and found that one (a very large financial institution) said the password must include at least one of the following characters: ! # $ % + / = @ ~.

    Yup. One thing that financial sites do to try to prevent password reuse on their sites is to set up requirements that are not compatible with what other sites do. I can't really blame them, but it sure can be a pain for those who have found a better way to prevent password reuse.

  • Avid1
    Community Member
    edited June 2019

    OK .. So I found the new version of the password generator in 1Password Mini .. but where the heck is it in the main app? Gosh this is frustrating. I reviewed the release notes and don't recall seeing anything about this being changed. I've wasted 15 minutes trying to understand what is going on.

    I typically use the password generator to create passwords quickly for a number of use cases. In apps, online, etc. Sometimes I add those generated passwords into secure notes to keep track of them. So now that tool is gone, unless I open the 1Password Mini doodad.

    I have to say, I'm not enthralled with this change. Maybe (probably) I'm missing something obvious.

  • AGAlumB
    1Password Alumni

    @Avid1: The password generator is available in all password fields:

    That's not something we've changed. And even if you're intent on using a Secure Note, you can create a password field there too if you want. :)

  • mkoerber
    Community Member

    I completely agree. Assigning new passwords (to external accounts, which I don't have to keep the passwords for in 1P myself) is one part of what I do regularly. 1P's 'password generator' was the quickest way to generate good temporary passwords for this. Now doing this creates an incomplete entry in 1P and I have to cancel again, which is not a problem per se but less convenient than the old password generator function was. Please reinstate that.

  • mkoerber
    Community Member

    Further, I agree that restricting the number of symbols available is a big step back. Different websites etc have different ideas of what valid symbols are, and being limited by the generator means that I'd have to try different generators after failing on each. I want one generator I can use for my different use cases, not be limited. If that happened I'd go and find one generator and use that (not 1P) exclusively?

  • AGAlumB
    1Password Alumni

    I completely agree. Assigning new passwords (to external accounts, which I don't have to keep the passwords for in 1P myself) is one part of what I do regularly. 1P's 'password generator' was the quickest way to generate good temporary passwords for this. Now doing this creates an incomplete entry in 1P and I have to cancel again, which is not a problem per se but less convenient than the old password generator function was. Please reinstate that.

    @mkoerber: 1Password is a password manager. Its purpose isn't to create passwords and then throw them away, but to remember them for us so we don't have to -- especially since a strong password will not be easy to remember at all, if not impossible. If you happen to want to create passwords and then dispose of them, that's certainly your prerogative. And I can see how it would be an inconvenience to now have to intentionally delete the saved Password. But we've got to consider millions of other people who are much more inconvenienced by getting locked out of things because they'd used a strong password 1Password generated for them and it wasn't saved.

    Further, I agree that restricting the number of symbols available is a big step back. Different websites etc have different ideas of what valid symbols are, and being limited by the generator means that I'd have to try different generators after failing on each. I want one generator I can use for my different use cases, not be limited. If that happened I'd go and find one generator and use that (not 1P) exclusively?

    Please read Goldberg's comments above. I can't really say it better than he did. :)

  • mscwebmaster
    Community Member
    edited June 2019

    I've been using 1PW for about a decade. Each revamp has been more confusing than the last. You get so excited about your changes. I've come to absolutely dread them. Yours is not the only software I use by a long shot. If I have to relearn how to use the software, I will learn different password manager software.
    You are not the only ones changing things up, for the sake of change.

    As a web designer, I have to set up a bunch of logins across various sites for each client. I'm doing this in a production environment. Yes, I use throwaway passwords too. I don't need you to remember 2FA codes, which you insist on asking to remember.

    I don't have time to relearn your interface (and there have been A LOT of changes over the last decade) all the time, and I use the PW generator A LOT. I no longer recommend 1PW to clients as I strongly recommend they get a password manager. Seems kind of cruel to put them through this.

  • Johann_Gruber
    Community Member

    Hello Brenty,
    I follow the debate about the newly generated password generator in version 7.3 with interest. Since only a few special characters are offered. But what do I do if a web page requires exactly one or more special characters that are no longer included in this version? It can not be so difficult to offer a grid in the generator where you can activate the individual special characters required for this website, while the rest of all possible special characters remain disabled.
    I look forward to your reply!

    Greetings from Gruber Johann.

  • jpgoldberg
    1Password Alumni

    On the SPG as an independent password generator

    Several people here (@mkoerber, @mscwebmaster) have indicated that they liked to use 1Password's Strong Password Generator (SPG) independently of creating an item in 1Password. And I have to acknowledge that I often do the same (though I do so mostly when I am writing about passwords and need to create samples). And so I've missed it too over the months that I have been using the Beta version leading up to the release of 7.3.

    So I do get that. But please keep in mind another side of the issue. If you generate passwords and they are not saved some place then you can end up being locked out of whatever that password was used for. We really do need to save some sort of item for every password that we generate to prevent cases where people end up using generated passwords but then have no record of them. So we are going to work hard to save each generated password in 1Password somehow.

    That fact doesn't necessarily mean that the flow we have for getting to the SPG is necessarily the right one, but it is very suggestive of more tightly integrating the SPG with item creation. It is possible to get to the kind of generation you are after by creating a new Password item, but indeed, that generator is not there at the very quick touch of ⌘-\ and a click.

    The makings of a stand-alone generator

    For those who are comfortable compiling from source (Go) and using a proof of concept command line interface, the underlying generation engine is available on github. The underlying engine is fairly stable, but the CLI is pre-alpha, wonky, and subject to radical change. Still it gives you much more power and better fills that sort of role. (It's what I've been using over the past half year for generating samples.)

    I'd love to see that underlying engine used to build a nice stand-alone password generator, but it just isn't something that we have the time to do ourselves. I know that this isn't a solution for many of the people here, but it is a way to look at the question of stand-alone generator versus password generation within 1Password.

    Sensible irony

    I do appreciate the irony in the fact that we have actually made our underlying generator far more powerful than the previous version, while exposing less of that power to users. This was a deliberate choice. We wanted a clear separation of what the engine can do from what is exposed to users so that we have the flexibility to adapt what is exposed. So this was a deliberate choice. Our generator now produces fully uniform passwords even in the face of things like "require digits, require symbols". And we are able to calculate the exact strength of passwords generated under such requirements as a result of some clever math due largely to my colleague @rob.

    This separation does give us greater flexibility. We can expose more controls without having to change the underlying engine¹, or we can expose fewer. This puts us into a position to explore what should be available to the user, and so the sorts of conversations now are extremely useful.


    1. As it happens, the new engine would need to be modified to be able to do things like requiring "exactly N digits" in a generated password. So while it is more powerful in most respects than what it replaces, there are some things that we gave up to be able to maintain uniform and knowable distributions. ↩︎
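
Added example (not part of the thread, and not 1Password's or the spg project's code): the "Some math" figures and the "fully uniform passwords ... exact strength" claim above, worked through in Python. The character sets are constructed; their sizes (48 letters, 60 characters in total) are an assumption chosen because they reproduce the quoted 83.77 and 88.60 bits, and rejection sampling is used here as one standard way to stay uniform, contrasted with the common "force one digit and one symbol, then shuffle" shortcut.

```python
import itertools
import math
import secrets
from fractions import Fraction

# Constructed character sets (assumption): sizes are picked so that the
# unconstrained figures match the thread (48 letters, 60 characters in total).
LETTERS = "abcdefghijkmnpqrstuvwxyz" "ABCDEFGHJKLMNPQRSTUVWXYZ"
DIGITS = "23456789"
SYMBOLS = "-_.!"


def unconstrained_bits(alphabet_size, length):
    """Entropy when each character is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def constrained_count(length, n_letters, n_digits, n_symbols):
    """Number of strings with at least one digit and at least one symbol.

    Inclusion-exclusion: all strings, minus those with no digit, minus those
    with no symbol, plus those with neither (they were subtracted twice).
    """
    total = n_letters + n_digits + n_symbols
    return (total ** length
            - (total - n_digits) ** length
            - (total - n_symbols) ** length
            + n_letters ** length)


def constrained_bits(length, n_letters, n_digits, n_symbols):
    """Exact entropy when every valid password is equally likely."""
    return math.log2(constrained_count(length, n_letters, n_digits, n_symbols))


def generate(length, letters=LETTERS, digits=DIGITS, symbols=SYMBOLS):
    """Rejection sampling: uniform over exactly the set counted above."""
    if length < 2:
        raise ValueError("need room for one digit and one symbol")
    alphabet = letters + digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if set(candidate) & set(digits) and set(candidate) & set(symbols):
            return candidate


def forced_slot_distribution(length, letters, digits, symbols):
    """Exact output distribution of the shortcut: pick one digit, one symbol,
    fill the rest from the whole alphabet, then shuffle uniformly."""
    alphabet = letters + digits + symbols
    perms = list(itertools.permutations(range(length)))
    weight = Fraction(1, len(digits) * len(symbols)
                      * len(alphabet) ** (length - 2) * len(perms))
    dist = {}
    for d in digits:
        for s in symbols:
            for fill in itertools.product(alphabet, repeat=length - 2):
                chars = (d, s) + fill
                for perm in perms:
                    pw = "".join(chars[i] for i in perm)
                    dist[pw] = dist.get(pw, 0) + weight
    return dist


if __name__ == "__main__":
    print(f"letters only : {unconstrained_bits(len(LETTERS), 15):.2f} bits")
    print(f"all 60 chars : {unconstrained_bits(60, 15):.2f} bits")
    print(f"digit+symbol : {constrained_bits(15, 48, 8, 4):.2f} bits")
    print("sample       :", generate(15))
    # Toy alphabet small enough to enumerate: some outputs are twice as likely.
    toy = forced_slot_distribution(3, "ab", "1", "-")
    print("forced-slot max/min probability:",
          max(toy.values()) / min(toy.values()))
```
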

  • jpgoldberg
    1Password Alumni

    Hi @Johann_Gruber,

    As you've noticed, the generator uses a much smaller set of symbols, as I described in my earlier comments. The aim here is to make each generated password more likely to be accepted by sites. This should reduce the number of times you have to generate a password to get something that works for the site.

    But even as it makes things easier for many sites, it can make things harder for some. As I said in https://discussions.agilebits.com/discussion/comment/508251/#Comment_508251

    One thing that financial sites do to try to prevent password reuse on their sites is to set up requirements that are not compatible with what other sites do. I can't really blame them, but it sure can be a pain for those who have found a better way to prevent password reuse.

    So there may still be times when you need to hand edit a generated password to meet some site's requirements, but I very much believe that we have reduced the number of cases where that will have to happen. Some of our discussion on this is here: https://github.com/1Password/spg/pull/22

  • rb9
    Community Member

    I feel that 1Password has been made LESS attractive by the changes to password generation. The old generator used to be a delight to use -- it was quick and it gave you a lot of choices. The current offering is a retrograde step. Give us back our old generator!! Also, it should be much more obvious how to reach the generator from the main 1Password screen (rather than 1Password Mini).

  • AGAlumB
    1Password Alumni

    @Johann_Gruber: Thanks for chiming in! If you'll let me know the URLs in cases like that (i.e. special character required by website which our new password generator does not use), I'll be happy to look into it. As Goldberg intimated earlier, this is not set in stone. There are good reasons (compatibility, website bugs) that we've whittled the list down over time. We need 1Password to give a strong, usable password to millions of people in the context of billions of websites, and in the vast majority of cases what we have now is an improvement in that regard over previous efforts. But one of the things we're looking at is having some additional logic or "rules" to help with sites that are problematic. In a perfect world, 1Password could spit out any random string of characters (double-byte Unicode, emoji, woohoo!) and websites would hash it and store the hash for later comparison, so that the length and composition would not matter. But until that day we'll keep making changes as needed. :)

  • AGAlumB
    1Password Alumni

    As a web designer, I have to set up a bunch of logins across various sites for each client. I'm doing this in a production environment. Yes, I use throwaway passwords too. I don't need you to remember 2FA codes, which you insist on asking to remember.

    @mscwebmaster: Thanks for sharing your thoughts! If you're encountering misfires as far as 1Password offering to save when it should not (or vice versa), please let us know the details. Maybe there's something we can do to improve that. :)

    Regarding the "throwaway passwords" debate, I'd love for you to try 1Password X and let me know what you think of its new take on this, with "generator history" at the bottom of the Password Generator itself, rather than saving individual Password items. That way it's there when (not if!) you need it, but out of your way when you don't. Let me know. :)

  • jpgoldberg
    1Password Alumni

    Hi @rb9

    I'm only going to comment on one point, not because it is the most important, but because it is where I need the most help in understanding.

    [the old generator] gave you a lot of choices

    Can you let me know how those choices were useful to you? Again, I realize that this might be rather peripheral to what you are saying, but I get the rest.

    As you may see from the above discussion, we are trying to get the generator to produce passwords that are more likely to be acceptable on more sites. And so we removed certain choices from the user interface. If those choices are needed, I would like to get a better sense of why.

  • rb9
    Community Member

    Sometimes 1Password is not to hand and it is very useful to have a password (say a 3-word string of random words separated by spaces or dashes) that one can easily remember. The old p/w generator could spew out such random-word passwords for you until eventually one would be found that could be memorised ok, and you could select that one.

  • Johann_Gruber
    Community Member

    Hello Brenty,

    Thank you for your reply. So far I like 1Password X very well. I will deal with my modest knowledge of it. It is very appealing and interesting to work with the new look.
     They put a photograph of a password manager in another version with explanations of the debate that I have never seen before.
    Can you please tell me where to find this password manager in this version?

    Thank you.

    Greetings from Gruber Johann

This discussion has been closed.