password generator in 7.3

AGAlumB

@vr8ce: Yes, but you're not the only user. We've got to design 1Password so that it does the most good for the greatest number of people. As @hawkmoth rightly points out, we still have work to do. "Control" isn't in and of itself a good though. Randomness is the absence of control, and since the strongest passwords are random ones, in this case, less control makes sense for 1Password's core function. If all you want is control over password creation, you don't need an app for that. Anyone can make weaker passwords with their own brain.

But to answer your question directly,

Why is it we have to justify how we generate passwords?

You absolutely don't have to justify anything to us. But -- let's be realistic -- by the same token, if you're not willing to have a dialogue with us to help us understand your specific use case, the chances of us making any tweaks to help are almost nonexistent. I think what Goldberg said is very reasonable:

I would like to have a better understanding of why you want to be able to specify the exact number of digits and symbols instead of simply "must contain symbols and digits".

If you have dietary restrictions due to medical issues or food allergies, it's generally a good idea to make sure that the people preparing your meal are aware of that beforehand. Likewise, if there are things like that or other considerations we need to take into account which we aren't at present, it would be beneficial to know them so they can be weighed against all the other considerations which need to be balanced.

vr8ce

I didn't say I was the only user. In fact, I didn't mention me at all. I said, "We're the users." Please don't mis-quote me.

Your implication is that specifying the number of uppercase, or numbers, or special characters automatically means weaker passwords. That is nonsense.

Yes, we do have to justify something. That's exactly what your "let's be realistic" sentence says — justify what you want, or we're not making any changes.

Bad analogies don't do anything for your argument, either. Again, you're the one that made the change. An unnecessary change. A change that negatively impacted your users, who came here telling you so. If you want a food analogy, you're a restaurant who has changed a beloved recipe for no reason, and then demanded your customers justify why they liked the old recipe better.

What usually happens in that case is the people start going to a different restaurant.

Ben

Thanks for taking the time to share your point of view @vr8ce. We'd still like to hear about any specific cases:

I would like to have a better understanding of why you want to be able to specify the exact number of digits and symbols instead of simply "must contain symbols and digits".

Ben

vr8ce

My use case is I want to specify how many special characters and numbers are in my passwords. Just like I have for the past umpteen years.

But that's not what you (collectively) want. You want us to prove to you that we need to be able to specify it. And I'm not doing that. You're the ones that screwed up the functionality, you're the ones that should be justifying the change. And you haven't, because you can't. There is no reason to remove that control from the users, regardless of what underlying changes you made to the algorithms.

OAW

@vr8ce The functionality you seek still exists in the main app. I'm not sure if there are plans to switch it over to the simplified functionality that now exists in the mini or not. But for now you can access it there.

Lars

@vr8ce

...you're the ones that should be justifying the change.

Respectfully, we've already laid out our reasoning for making the changes to the Password Generator in 1Password's mini in more than one previous post. If you have any questions about those reasons, we'd be happy to answer. Similarly, if you'd like to share with us your own reasoning, we'd be happy to listen. Beyond that, I'm not sure what else we can offer you.

You want us to prove to you that we need to be able to specify it.

Again, respectfully, to reiterate what brenty said earlier, we truly don't.

What we most definitely are doing is asking those who would like to share their use-case and reasoning with us to please do so, so that we can understand what's motivating people and potentially gain a wider perspective on the issue -- or potentially even learn something we didn't previously know. Sharing your reasoning/use-case also may indeed result in changes - at least, it's more likely to if we understand why people want what they want, or how they use 1Password.

But to be as clear with you as possible - doing so also may not (result in changes). Earlier you said something similar: that we're trying to force you and others to "...justify what you want, or we're not making any changes." I want to emphasize that one of the main reasons it's not the case that we're trying to force you (or anyone else) "to 'justify' themselves" isn't just because you're right that it's your business to share or not as you see fit, but also because it simply is not the case that if if you did choose to explain your use-case/reasoning/preferences to us, we'd make changes. That's just not how it works around here; our user base is now large enough at this point that nearly any change we make will result in delighting some users and enraging (or at least disappointing) others. Since there will be users themselves whose wishes are in 180° opposition to the wishes of other users, it has become literally impossible to make changes to 1Password just because someone articulates their reasoning/use-case. So we don't try, because that way lies frustration and aggravation for both us and you. Instead, we do what it may have been less clear in the past that we've always tried to do: take feedback (even criticism) into account and combine it with our own best judgment about the best way forward. We'd be the first to admit we don't always get it right the first time, and that we don't have every good idea in existence. But sharing with us your reasoning, use-case and preferences remains the most-likely way for changes of the sort you want to actually happen. To paraphrase what brenty and Ben have already said, if we don't understand what people want as well as why they want it, we're much less likely to make any changes.

jpgoldberg

My use case is I want to specify how many special characters and numbers are in my passwords.

I want to understand why that is valuable to you. You can chose to help me understand that or not.

Just like I have for the past umpteen years.

Here are some other changes we have made over the years:

• We used to have a check box for "allow repeated characters". We removed that some years ago, when we found that fewer sites were banning passwords with repeated characters.
• We used to have "<" among the default symbol sets, until we learned that some sites silently truncate passwords at that character.
• We didn't used to have the word list generator. Now we do.

We have always made changes. We try to be cautious when doing so. And if the changes cause problems, we like to understand why. You are under no obligation to help us better understand why this change causes problems for you, but I hope that you will.

mrabinormal

Feels like I'm beating a dead horse here, but I'm going to chime in anyway.
The random password generator (without needing to create a login) for Throw away passwords was/is invaluable to me.
It was a huge quick and easy time saver. I work as a systems administrator and need to create one off passwords that I do not need recorded in 1password. Set it and forget it style stuff here. I like it to be complicated so that's why I relied on 1Passwords quick random generator. Now it's a huge pain to create a random password. Frankly the entire new Interface is off-putting and I'm seriously considering finding a new alternative to 1Password.

I get wanting to end the confusion of customers possibly locking themselves out of a site because they created a one time password and didn't save it. That said, did no one think of the advanced users? Put it as a feature you can enable in the advanced tab and give us back our random generator... Doesn't seem like rocket science to me and clearly it's something people are upset about. I know I am.. :-/

Ben

@mrabinormal

Now it's a huge pain to create a random password.

What specifically are you finding difficult?

I get wanting to end the confusion of customers possibly locking themselves out of a site because they created a one time password and didn't save it. That said, did no one think of the advanced users? Put it as a feature you can enable in the advanced tab and give us back our random generator... Doesn't seem like rocket science to me and clearly it's something people are upset about. I know I am.. :-/

If you want to generate passwords without saving them that is possible here:

Strong Password Generator | Best Password Strength

(update: I'm being told this web-based generator should be considered "for demo purposes" and while ours is safe it is a good idea to avoid web-based generators in general, so please ignore this recommendation)

For quite some time we've saved generated passwords within the 1Password for Mac application. This is not a new feature. It is more evident that it is happening now, but it has been happening for a long time.

Ben

mrabinormal

@Ben
This is absolutely not a solution to what the application provided with ease. This is an excuse attempt to bypass the fact that you removed a valuable feature of the application that didn't involve opening a website. I can do that from multiple sites.... :-(
Nice try.

AGAlumB

We didn't remove anything. You can still generate passwords entirely outside of the browser:

And, as Ben pointed out, saving Password items is not a new feature either. I've been telling people about this important safety net for years (even the support article for it was last updated nearly a year ago, and it's just the most recent in a long line).

jpgoldberg

The random password generator (without needing to create a login) for Throw away passwords was/is invaluable to me. It was a huge quick and easy time saver. I work as a systems administrator and need to create one off passwords that I do not need recorded in 1password.

Thank you for that @mrabinormal! That is the kind of feedback we are looking for.

I know that what I'm about to suggest isn't ready for prime time yet, and requires compiling code, but we have published the source of our underlying generator. There is a proof of concept command line interface for it.

Speaking personally, I would like to see that turned into a stand-alone generator which exposes all of its power to the user. But it's not something that I have the time to work on.

Nekoninda

@jpgoldberg I haven't read through all of the comments here, only several dozen. There are several more pages to go in this thread. Perhaps the conversation will go in a different direction, but what I have read here so far from the 1Password staff is 'We made a change that hundreds of you don't like, and we won't give you back the options that you had, unless you can prove to us that you have reasons that we like and approve of. We don't care what you want or prefer. That isn't good enough.' This sort of action and communication makes it seem like 1Password has no respect for its users. Why should the comments of a few hundred users NOT be sufficient for you to give us back the features that we want? Why should we have to prove anything to you? Are you building your application only to please yourselves? Do the preferences of hundreds of users not matter to you at all? In fact, I think you really do care about us, but for some reason, your actions and messages here give me the opposite impression. You have removed features that we want, and are refusing to honor our expressed desires for the functionality that was part of the reason that I and others purchased 1Password. Why is there this gulf between support insistence on your unilateral actions and your scorning of user's desires.

Had you gotten hundreds of comments from users begging you to take away password generation options and controls? I doubt it. Brenty says 'Users shouldn't have to think about it.' However, the secondary message is that 'Users are forbidden from thinking about other options and controls. Of course, that doesn't work at all. As the hundreds of comments show, users are thinking a lot about the features that we have lost and want or need. However, you have made it soe that we just can't do anything about it. Your changes to the app make it so that users have absolutely no choice and no control, over things we used to choose and control. I and others are telling you that we hate these changes. Doesn't this matter at all to you? Why not give us the option to click something or make a change in Preferences, so that those of us who want to can have the options we used to have?

You request above for users to send you the URLs of the websites that give problems, so you can figure out how to change your system to generate passwords that will eventually work for those sites. I don't mind giving you data, but think about what you have done to us. With the previous system, if I generated a password for a site, and it refused it for some reason, I would quickly adjust my password generating parameters, and usually, get something that would work in a few seconds. It appears that you would prefer for me to fail to be able to generate a new password for that site, until after I have reported it to you, and you have perhaps come up with something that will make it happen automatically. How long with that take? A day? A week? Until I download the next update? This is crazy. Why can't you allow me to solve my own problems, as I could before?

You want to make things easier for some hypothetical users (ignoring the expressed desires of the users commenting on this thread). Fine. Make the defaults as simple as you want. But give us the power that we used to have, which lets us deal with problems quickly and easily.

Unknown

This content has been removed.

Unknown

This content has been removed.

Unknown

This content has been removed.

TheDutchGuy

I know there is some discussion about the generator. I feel the same that something is changing my workflow. However I'm not going to downgrade to see what happened before.

What I can do is give some feedback on what could help my workflow:
1. When generating passwords, automatically fill them instead of giving me a save&copy option.
2. When generating passwords, make the Title fields, URL, username and vault editable. Most of the times 1P does not ask to save the new login after I used the generator on a new website. So I have to open 1P, search for the password, convert it to login, edit the record, move it to the correct vault. Which could have been done in one go.
3. Also an extra would be to have the username field give common suggestions. We all use just a few emailaddresses and mostly the same usernames.

Good luck and enjoy the weekend :chuffed:

AGAlumB

@TheDutchGuy: Thanks for the suggestions!

1. When 1Password can find a place to fill on the current webpage, it will offer you that option:
2. Maybe something we could expand on in the future, but some of this is already possible when saving a Login (it isn't applicable when not saving a Login item): (But if you do need to find an item you just saved/edited, sorting by date modified in the main 1Password app makes that easy.)
3. While not everyone uses the same email/username everywhere, and iOS already has a convenient way to suggest the former, maybe it's something we could find a good way to do on the desktop in the future.

Enjoy your weekend as well. Cheers! :)

Demerion

Hey there,

I'd also like to use the opportunity that this feed is still open.

I can see what you mean when you say that controlling the number of symbols, upper/lower case letters etc makes the password less random, which is true.
However, in my case, I'd like to have a high number of symbols to make the password harder to guess (not that it makes a big difference). So I often find myself regenerating passwords until I get one that has at least 5 or 6 symbols. Therefore it would be nice if I could specify that I always want at least X symbols etc, like in the standalone app.

To be honest, I was pretty disappointed in the Firefox Extension of 1Password (no dark mode, can't control the number of symbols,...), but reading the corresponding discussions made it easier for me to accept.
I'd still love to see a way to specify the number of symbols etc though, maybe as an advanced setting, as @mrabinormal suggested.

Cheers!

Lars

@Demerion - thanks for the feedback; I don't have anything to announce regarding developments on this issue in particular, but we'll continue to evaluate it as we move forward.

mbernhardt

I cannot figure out how to unsubscribe from notifications for this discussion. Please tell me.

Lars

@mbernhardt - sorry for the unwanted noise. Click you photo/username at the top of the forum page ^^ then click the little person icon at the top right of the next page and choose "Edit Profile." On the resulting page, choose "Notifications Preferences" from the left sidebar. You can adjust your settings there. Hope that helps. :)

mbernhardt

Not quite. I don't want to end notifications universally. I just want to opt out of this discussion. Often in forums you can leave a discussion, or change notification settings for that particular discussion.

Lars

@mbernhardt - everything you see in those notifications preferences are what you can adjust; we have no special or secret ability to make changes to your forum account here that you can't set yourself in that Notification Preference screen.

mbernhardt

I see, I have to turn off notification for discussions I've participated in, but bookmark the ones I'm interested in. I've done it now.