Need to put back functionality in pass generator in Mini
Need to put back the functionality stripped out of the password generator in Mini. Removing number of digits and symbols is an issue. As is the option to avoid ambiguous characters. There also should be an option to avoid repeating characters.
The first password I was updating after installing the update would not allow multiple numbers. No way to avoid it unless I went into the full program to choose number of numbers. Many sites won't accept repeatable characters in a row (That should be an option). Some websites only allow specific symbols and thus not being able to reduce the number of symbols to 1, makes it impossible to let 1pass generate a password in the mini since it's virtually impossible to get a password that will contain symbols that are acceptable since the password will contain multiple symbols every time you try a new one.
Also, I thought maybe the mini would retain the last used settings from the main program, when setting the password options using the number of symbols and/or numbers slide. But nope. So no way to limit the number or symbols. But.... that is a temp solution if it did work and the real fix is to put it back in the mini.
I also think that the "+ New Password" wording should be changed to "+Generate New Password". I am very good with computers and I was confused. I also think the drop down needs to be more clear. That maybe should have some text to the right "<-------Click for categories". My parents will never remember or know where to find these things.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @imt
Thanks for taking the time to write in about the changes to the password generator in 7.3. While I don't think it is likely we'll put these options back exactly as we had them we would like to better understand what difficulties folks are having as a result of the changes so we can best evaluate what changes might still be appropriate.
My colleague jpgoldberg has written a couple of posts on this subject I'd like to direct you to:
- https://discussions.agilebits.com/discussion/comment/508546/#Comment_508546
- https://discussions.agilebits.com/discussion/comment/508624/#Comment_508624
In short we really need to know _specifically_ where things are breaking down. To best evaluate how to move forward to address the issues folks are having it would be incredibly helpful to know:
- The URL of the site where the problem occurs
- What about the password the generator created was unacceptable (e.g. "the ! symbol was included in the generated password but the site only accepts @ # $ * _ -)
- How many attempts it took to generate a password that was accepted
Thus far very little of this kind of feedback has been provided and without it we're going to have trouble justifying any changes. Thanks for your consideration.
Ben
0 -
I agree with @imt, and with the hundreds of comments on the thread to which you link, @Ben. In one of the messages that you reference, @jpgoldberg says, "I do appreciate the irony in the fact that we have actually made our underlying generator far more powerful than the previous version, while exposing less of that power to users. This was deliberate choice." This comment, and others from jp and the 1Password staff, say that you made a deliberate choice to screw a portion of your users. You do what you want to give us what we want and explicitly ask for, and you state multiple times in that thread, and here, that it doesn't matter what many of your users need and desire, you aren't going to give it to us, unless we can prove to you that we deserve it. It really, really sounds, in the section above, that there is some remaining irony that jpgoldberg doesn't yet appreciate. If you say 'screw you' to your users, and say that you have no intention of giving us back features that some of us really like, that is frustrating, aggravating, and alienating. The irony is that when you tell us to fork off, many of us will. We will choose a different fork, and follow a different path. We will try to find a company with a different approach to its customers. When you make your product worse for us, and say you don't care about us, just about other hypothetical users, you are asking us to leave.
I still have several pages of negative comments to read in that other thread, but I have yet to read a comment by a staff member that says something other than, "We made this deliberate choice, and we won't change it for any of you that want it." Ben, you say "we really need to know _specifically_ where things are breaking down." Well, very specifically, they break down right here, in this discussion, and in the other thread, when you tell all of us that we are not allowed to have control over our password generation, and our desires will have minimal influence on your choices and changes. That we are not allowed to want what we want, and our requests are not respected.
You say that without people sending you broken URLs, "we're going to have trouble justifying any changes." Hundreds of requests from users aren't any justification, apparently. So how many hours, days, or updates will we have to wait, after sending you a broken URL, before you provide a fix? With the previous system, I could usually solve my own problem in a few seconds. But you are telling me our preferences and the ability to solve my password problems quickly by myself, don't amount to sufficient justification for giving us back what we had.
It bothers me that every time I come to 1Password with a problem, I get answers that amount to "We can't or won't do anything about that." I think you care, and I think you try to make things better for your users. Yet most of the threads that I read give the opposite impression. Many, many of the people who comment on these threads are very frustrated. Many are angry. And the answer is so often, "the thing that you care about or want will probably never be supplied." Surely customer satisfaction must have some importance to your business. Surely it is better for your staff, as well as your customers, if most people end up happy after interacting with these forums. If I end up angry and frustrated every time I visit the support site, it strongly increases the chances that I will leave your company and work with someone else. It is very much less likely that I will recommend 1Password to anyone else.
You have different kinds of customers. Some want more control, some want less. Trying to make everyone the same, and cater to the lowest common denominator, is a race to the bottom. I have yet to hear a customer say, "Thank god you took away those useful features." Simplicity and power are always in tension, and successful companies build good defaults, and offer more sophisticated users a way to see more choices when they want them. But you haven't done that. You have said that NONE of us can use features that many of us often used in dozens of previous versions of 1Password, and still want to use. Even jpgoldberg said that he often misses the feature that he and 1Password removed. But that doesn't matter. None of us can have it. He says that he "gets it", but he doesn't seem to get that this, and many decisions like it, are driving many of us away from your company. Comments like his, which promise to ignore our user requests, because 1Password's staff has made a 'deliberate choice', make the problem worse, and increase the chance that I will seek a company that demonstrates a positive response to user preferences, rather than spurning them.
0 -
Thank you for taking the time to write this feedback! I believe that when Ben asked where things are breaking down, he meant so in technical terms: if you can let us know where the process itself is causing issues, we will be much better equipped to investigate and try to reproduce this. Answering Ben's questions will help us very much in doing so:
- The URL of the site where the problem occurs
- What about the password the generator created was unacceptable (e.g. "the ! symbol was included in the generated password but the site only accepts @ # $ * _ -)
- How many attempts it took to generate a password that was accepted
Thank you!
0 -
I will get back to you on this in regard to specific web sites. The issue of why maybe this isn't on your radar or affecting existing longer term users, which is the larger base, is that adding additional sites is less frequent. An issue with one site might not be that big of a deal. For example, myself since I have updated every password on every site years ago with the old mini.
But... my frustration comes with helping a new user(s) with starting with new password. Thus, you are trying to change passwords on multiple sites one after the other and then this becomes real frustrating trying to use the mini and can't adjust parameters. Plus I am very skilled with 1Password and the most technical in my family. Getting my parents to use 1Password and getting the premise is hard enough. Having them remember and deal with frustrations with generating passwords and them not working and the added complexity with trying to make things conform is another level. This is a whole other topic on possible improvements of the 1Password experience for non-technical or those whose technical skills have somewhat declined. i.e. learning challenged ;)
In the 4 or 5 sites I had helped change in the one day, there were two I had issues with. I will see if I can go back to those sites and change password screens to see if I can figure out the specific sites. One the issue was a generated password with repeatable characters in a row. i.e. AA in the generated password. The other was a symbols issue in that the symbols generated included symbol(s) which were not allowed. I typically have always set symbols to 1 to help avoid this issue since you can quickly spot the single symbol in a 25 string and quickly regenerate and typically come up with a regenerated password very quickly that then complies. I have on some occasions manually changed the symbol but I avoid doing that. Having like 2-3 symbols in the generated password would lead to at least 1 that does not comply. Maybe if the generated password only contained a single symbol (albeit 1-3 times in that password) then it would be the same as what I am describing, since regenerating will be changing that one symbol.
0 -
@imt - thanks! That's exactly the kind of feedback that will be useful to us -- specific sites, with specific restrictions or requirements that were a problem for the new Strong Password Generator. You can post them here, or if privacy is a concern to you, you're welcome to send them to support@1Password.com and include a link to this thread in your email. :)
0 -
Here was one for Chase.com. The special characters were an issue since I kept getting passwords with the invalid special characters.
Your password can be 8-32 characters long and it must include at least two of these elements:
- At least one letter (upper or lowercase)
- At least one number
- At least one of these special characters: ! # $ % + / = @ ~.

A few more guidelines:
- It can't be the same as your username or your last 5 passwords.
- It can't include any other special characters (&, <, *, etc.).
- It can't include more than 2 identical letters or numbers (aaa, 111, etc.), and can't include more than 2 sequential letters or numbers (123, abc, etc.).
0 -
@imt: Oh totally. I'm a Chase customer and know just how difficult their system can be to deal with sometimes. ;) However, the old password generator wouldn't help at all in this case. You can easily meet these requirements with the new one:
At least one letter (upper or lowercase) At least one number At least one of these special characters: ! # $ % + / = @ ~.
Just have both Symbols and Numbers checked, and 1Password will always include letters too. These are a bit trickier:
It can't be the same as your username or your last 5 passwords.
But the odds of 1Password randomly choosing your username or previous passwords are astronomical....
It can't include more than 2 identical letters or numbers (aaa, 111, etc.), and can't include more than 2 sequential letters or numbers (123, abc, etc.).
As would be getting more than two of the same characters in a row. More than two of the same number in a 32 character password is more likely, but still not common, and not really something 1Password can "understand" and act on, nor should it artificially limit entropy by trying to play these games when simply generating a new one will work.
It can't include any other special characters (&, <, *, etc.).
While you can get some of the other symbols randomly in a password, regenerating it will get you a new one if you get something unacceptable.
In all of these cases, you'd be in pretty much the same boat with the old generator -- which actually used a few more symbols which aren't allowed. When websites have bizarre password restrictions/requirements, it won't be possible to always get an acceptable one on the first try. But perhaps we can find a way to have 1Password detect this in some cases in the future, if not before the websites themselves start adopting better security/usability practices. There is no reason besides institutional inertia that they can't accept any password and just hash it properly.
0 -
I beg to differ on the symbols. This is the issue mostly with sites and what I started the thread about.
On the old generator in the mini you could limit to 1 symbol. Then less odds of generating a password that doesn’t fit or can easily manually change the one symbol to something else. You could rapid fire refresh since you are looking for only one colored symbol in the list. Now you get a min of 2 and many times 3 for each regeneration. You then have at least one in many cases that doesn’t comply. Trying to look at a 25-30+ string and view and find all and see if they are or are not on the “acceptable” list is not easy. Yes they are a different color but those smaller symbols are not as easily seen when multiple.
0 -
Trying to look at a 25-30+ string and view and find all and see if they are or are not on the “acceptable” list is not easy. Yes they are a different color but those smaller symbols are not as easily seen when multiple.
@imt: I agree with this completely, which is why I just let the site do the work for me. If it's unacceptable, it says so. No need to do that work yourself. :)
At the end of the day, you could just as easily get an unacceptable password with the old generator. Believe me, I deal with Chase a lot, with multiple accounts. :joy: And the old generator actually had more symbols they would not accept.
I just generated 5 passwords in a row, with 3 being acceptable based on that site's criteria, numbers 3 and 4 failed due to *. You won't get identical results, but just as a matter of probability they'll be similar.
In the future, perhaps we can make a way to specify exclusion. But hopefully we can both agree that arguing about this takes much, much longer than it does to get a suitable password. :)
0
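The regenerate-until-accepted approach debated in this thread, written out against the Chase rules quoted above, as an added example that is not part of any post and is not 1Password's code. The wider symbol set, the function names and the strict reading of the "identical/sequential" rule are assumptions; the username and last-5-passwords rule cannot be checked offline and is left out.

```python
import secrets
import string

# Symbols the quoted Chase policy accepts.
ALLOWED_SYMBOLS = "!#$%+/=@~"
# Constructed assumption: a generator symbol set wider than the site accepts.
WIDE_SYMBOLS = ALLOWED_SYMBOLS + "&*<>^-_"
ALNUM = string.ascii_letters + string.digits


def violations(pw):
    """Return the sorted names of the quoted rules that pw breaks ([] = acceptable)."""
    bad = set()
    if not 8 <= len(pw) <= 32:
        bad.add("length")
    classes = (any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(c in ALLOWED_SYMBOLS for c in pw))
    if sum(classes) < 2:
        bad.add("classes")
    if any(c not in ALNUM and c not in ALLOWED_SYMBOLS for c in pw):
        bad.add("symbol")
    # Assumption: runs are compared case-insensitively and descending runs
    # (cba, 321) count too, the stricter reading of the policy text.
    low = pw.lower()
    for a, b, c in zip(low, low[1:], low[2:]):
        if (a + b + c).isalpha() or (a + b + c).isdigit():
            d1, d2 = ord(b) - ord(a), ord(c) - ord(b)
            if d1 == d2 == 0:
                bad.add("identical")
            elif d1 == d2 and abs(d1) == 1:
                bad.add("sequential")
    return sorted(bad)


def generate(length=24, symbols=WIDE_SYMBOLS, max_tries=10_000):
    """Draw uniformly with a CSPRNG and regenerate until the policy accepts.

    Returns (password, attempts). Rejected draws are simply discarded, so every
    acceptable password stays equally likely.
    """
    alphabet = ALNUM + symbols
    for attempt in range(1, max_tries + 1):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(pw):
            return pw, attempt
    raise RuntimeError("no acceptable password within max_tries")


if __name__ == "__main__":
    print(generate())                         # wide symbol set: several attempts typical
    print(generate(symbols=ALLOWED_SYMBOLS))  # exclusion applied: usually one attempt
```

Passing `symbols=ALLOWED_SYMBOLS` models the per-site exclusion mentioned at the end of the thread: the character set shrinks slightly, but almost every draw is accepted on the first attempt.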