Feature Request: custom template(s) for proposed new password

iOSMacPCUser
Community Member

1Password offers a password proposal for new accounts, especially when being in the browser in a whatever-service register-a-new-account form.
While this feature in general is highly appreciated, the passwords it offers sometimes do not match the website's requirements or my personal preferences (e.g. length, and they are absolutely impossible to remember).

1Password does already have a customizable password generator in the editing when creating new login data records.

I want to propose to build this pw generator feature into the browser plugin to the right of the existing menu item "generate password" - see attached screenshot.

That would be really helpful.


1Password Version: 7.3.712
Extension Version: 1.17.0
OS Version: Windows, MacOS
Sync Type: Not Provided

Comments

  • Hi @iOSMacPCUser

    Thanks for the suggestion. The password generator is an area that we are currently evaluating and hope to make more uniform going forward.

    Ben

  • Authority
    Community Member

    I too would be interested in such a feature. Just tonight, I opened a new bank account and the special characters accepted by the banking login were limited to a subset of what 1Password uses to generate passwords. I kept regenerating the password, hoping one would eventually meet the requirements of the bank, but it never did. I had to use another password generator where I could specify exactly which special characters I wanted to be available.

    Even better would be to make it part of the password entry itself. Not every login system is going to accept the same special characters and I'm certainly not going to remember which special characters I can use for each system when the time comes to rotate the password. Having to twiddle the password generator settings each time would not be particularly fun. I should just be able to set the password policy one time and then every password I generate -- for that login -- should meet the requirements for that system.

    I don't know if such a limitation is technical or UI related -- I suspect both. If you need some UI inspiration, maybe check out how Password Safe (pwsafe.org) implemented this feature. I always found it both effective and easy to use.

  • Hi @Authority

    > Just tonight, I opened a new bank account and the special characters accepted by the banking login were limited to a subset of what 1Password uses to generate passwords. I kept regenerating the password, hoping one would eventually meet the requirements of the bank, but it never did.

    This is a struggle that we're aware of. In an effort to combat password re-use some banks have intentionally limited allowable special characters to a subset that typically isn't allowed elsewhere.

    > I had to use another password generator where I could specify exactly which special characters I wanted to be available.

    Perhaps this will have to be the answer for us as well. I'll be happy to share the thought with our security team for further consideration. I know they've done a lot of behind the scenes work on the password generator in the last few months, so we may see some relief here soon.

    > Even better would be to make it part of the password entry itself. Not every login system is going to accept the same special characters and I'm certainly not going to remember which special characters I can use for each system when the time comes to rotate the password. Having to twiddle the password generator settings each time would not be particularly fun. I should just be able to set the password policy one time and then every password I generate -- for that login -- should meet the requirements for that system.

    We've discussed that idea. I don't think it has been completely ruled out, but there is a lot of hesitation, for two reasons:

    1. There is nothing saying that the allowable characters will remain the same. Remembering them could do as much harm as it does good. Particularly in the event that a system is updated to allow more characters, limiting them in that circumstance would be a downgrade in security.
    2. No standard exists for conveying what characters will be accepted in a password. Many systems won't even show this information until you've tried to set a password using characters that are not accepted. Ideally there would be a standard defined such that this information would be available to password managers and we could act on it accordingly.

    > I don't know if such a limitation is technical or UI related -- I suspect both.

    I don't think it is so much a technical limitation. Under the hood the password generator has an enormous amount of capability. Only a fraction of that is exposed. That's intentional. It is always going to be a balancing act.

    > If you need some UI inspiration, maybe check out how Password Safe (pwsafe.org) implemented this feature. I always found it both effective and easy to use.

    Thanks for the tip. :+1:

    Ben
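
The per-login policy idea from the exchange above, as an added example (not 1Password's or Password Safe's code): a policy record kept with the login drives the generator, and the entropy bound puts a number on the downgrade Ben describes when a narrowed symbol set is kept. `LoginPolicy`, its fields and the two sample policies are hypothetical and constructed for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginPolicy:
    """Hypothetical per-login policy record; not a 1Password data structure."""
    length: int = 20
    symbols: str = string.punctuation  # special characters the site accepts
    min_per_class: int = 1             # required count from each character class

    def classes(self):
        # An empty symbols string means the site accepts no special characters.
        sets = [string.ascii_lowercase, string.ascii_uppercase,
                string.digits, "".join(dict.fromkeys(self.symbols))]
        return [s for s in sets if s]

def generate(policy: LoginPolicy) -> str:
    classes = policy.classes()
    if policy.min_per_class * len(classes) > policy.length:
        raise ValueError("class minimums exceed the password length")
    alphabet = "".join(classes)
    # Place the required characters first so the site's rules always hold,
    # fill the rest from the whole alphabet, then shuffle with the OS CSPRNG.
    chars = [secrets.choice(s) for s in classes for _ in range(policy.min_per_class)]
    chars += [secrets.choice(alphabet) for _ in range(policy.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def entropy_upper_bound(policy: LoginPolicy) -> float:
    """length * log2(alphabet size): an upper bound that ignores class minimums."""
    return policy.length * math.log2(len("".join(policy.classes())))

# Constructed policies: a generic site, and a bank accepting only three symbols.
GENERIC = LoginPolicy()
BANK = LoginPolicy(symbols="!#$")

if __name__ == "__main__":
    for name, p in (("generic", GENERIC), ("bank", BANK)):
        print(f"{name:8} {generate(p)}  <= {entropy_upper_bound(p):.1f} bits")
```

With these constructed policies the bound at 20 characters drops from about 131.1 bits to about 120.4 bits, which stays in force for as long as the stored policy is not revisited.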

  • cmroanirgo
    Community Member

    I have a similar request, but perhaps my request might assist in providing a direction (or a curve-ball) for development...

    What I'd like is to be able to integrate my own custom password generator into 1Password. Here's a little demo of (one of) the generators I wrote and use occasionally: https://cmroanirgo.github.io/wordish/ (source available)

    Obviously, for a custom password generator to occur it must be installed in a manner that agilebits would regard as 'safe'. That is, I wouldn't trust anyone's online password generator, simply because they can record it/upload it or whatever. This means that the generator needs to be either:

    1. vetted/installed as a service on agilebits (I'm not a real fan of this option), or
    2. it needs to be integrated into the app itself (which could be a security issue, so would always need to be vetted by agilebits), or
    3. an 'untrusted' web api could be used where a) a client requests a password using a specific custom generator b) this request goes to agilebits who then proxies the request for a list of (say, 10-100) passwords based on user's preferences and sends them back to 1Password c) 1Password then picks (or allows the user to pick) one.

    The reason for a proxied approach should be clear: it means that any online generator wouldn't know who the password was for, nor which of the 10-100 passwords were used.

    I hope my comments haven't been too obtuse...

  • Hi @cmroanirgo,

    While that is a very interesting thought, the work involved in creating such a feature compared with the percentage of 1Password users that would benefit seems to be significantly askew. Our current focus is on making 1Password more accessible to a broader audience, and focusing development efforts on such a feature would take focus off of that goal. That isn't to say that those priorities won't shift in the future, so perhaps it would be worth revisiting this down the line, but I imagine there may be other concerns with this approach as well.

    Ben

This discussion has been closed.