Feature Request - Increase Max Length for Password Generator

MorgothSauron
Community Member

Hi,
Sorry if it's not the right place to post, but I couldn't find a better place.

Anytime I create a new account or update an existing one, I use the password generator. However, it is "limited" to 64 characters. Some websites accept longer passwords (100 characters on World Community Grid). It would be nice to increase the length of the generated password.

From what I can see, a password field can store more than 64 characters: I could paste 64 characters at least 3 times into a single password field in 1Password Web. So it doesn't seem to be a "storage" issue.

It would be nice to increase the maximum length for the password generator, maybe up to 128 characters.

Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Linux Fedora 31
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni
    edited January 2020

    @MorgothSauron - it's something we can consider as we move forward. For the present, if you want to generate passwords longer than 64 characters for your online accounts, you can generate more than one using 1Password and then paste each into the password-change (or password-creation) field in the site in question, then allow 1Password to save the result.

    However, keep in mind that any truly randomly generated password that's 23 characters or more (depending on character-set used and assuming basic symbols, numerals, etc as well as upper and lower case letters) is already equivalent to at least 128 bits of entropy. That's a level which is for all intents and purposes unguessable already, assuming 1) it's truly randomly-generated, 2) it's not used for more than one password/account and 3) it's not shared with anyone else. Adding a single extra character doubles this. At 64 characters, you're over 350 bits of entropy, which is far, far larger than current computing resources have the ability to brute-force.

    For comparison's sake (and because it's just fun - though we don't normally spell this out because it can seem overly math-y and boring), a "mere" 128 bits of entropy (which would be 23 or more characters) is 2^128, which, when written out in English words is:

    three hundred forty undecillion, two hundred eighty-two decillion, three hundred sixty-six nonillion, nine hundred twenty octillion, nine hundred thirty-eight septillion, four hundred sixty-three sextillion, four hundred sixty-three quintillion, three hundred seventy-four quadrillion, six hundred seven trillion, four hundred thirty-one billion, seven hundred sixty-eight million, two hundred eleven thousand, four hundred fifty-six.

    If a proper hashing function is used, that's going to be for all intents and purposes unguessable with current technological limitations (computing power, cost).
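The entropy arithmetic in the reply above, worked through as an added example (this is not code from the thread or from 1Password): it computes the entropy of a uniformly random password of a given length and alphabet size, the minimum length needed to reach a target such as 128 bits, and builds a long password by concatenating independently generated pieces of at most 64 characters, which is the workaround suggested above. The alphabets are assumptions about what "full character set" means; the thread does not state 1Password's exact alphabet. The figures only hold when the generator is uniform and cryptographically secure, which is why the `secrets` module is used rather than `random`.

```python
import math
import secrets
import string

# Assumed alphabets; the thread does not specify 1Password's generator alphabet.
CHARSETS = {
    "digits": string.digits,                                              # 10 symbols
    "lower": string.ascii_lowercase,                                      # 26 symbols
    "alnum": string.ascii_letters + string.digits,                        # 62 symbols
    "alnum+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy, in bits, of `length` symbols drawn uniformly and independently
    from an alphabet of `charset_size` symbols: length * log2(charset_size)."""
    if length < 0 or charset_size < 2:
        raise ValueError("length must be >= 0 and charset_size >= 2")
    return length * math.log2(charset_size)


def min_length_for_bits(target_bits: float, charset_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits` for this alphabet."""
    if target_bits <= 0 or charset_size < 2:
        raise ValueError("target_bits must be > 0 and charset_size >= 2")
    return math.ceil(target_bits / math.log2(charset_size))


def entropy_table(target_bits: float = 128) -> dict:
    """For each assumed alphabet: symbols, length needed for target_bits,
    and the entropy of a 64-character password (the generator's current cap)."""
    return {
        name: {
            "symbols": len(alphabet),
            "min_len": min_length_for_bits(target_bits, len(alphabet)),
            "bits_at_64": round(entropy_bits(64, len(alphabet)), 1),
        }
        for name, alphabet in CHARSETS.items()
    }


def generate_password(length: int, alphabet: str) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.*."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def split_length(total: int, max_piece: int = 64) -> list:
    """Piece lengths for the concatenation workaround, e.g. 100 -> [64, 36]."""
    if total <= 0 or max_piece <= 0:
        raise ValueError("total and max_piece must be positive")
    full, rest = divmod(total, max_piece)
    return [max_piece] * full + ([rest] if rest else [])


def generate_long_password(total: int, alphabet: str, max_piece: int = 64) -> str:
    """Concatenate independently generated pieces. Because each piece is
    independent and uniform, the entropy simply adds up to entropy_bits(total, len(alphabet))."""
    return "".join(generate_password(n, alphabet) for n in split_length(total, max_piece))


if __name__ == "__main__":
    for name, row in entropy_table().items():
        print(f"{name:14s} {row['symbols']:3d} symbols: "
              f"{row['min_len']:2d} chars for 128 bits, {row['bits_at_64']:6.1f} bits at 64 chars")
    pw = generate_long_password(100, CHARSETS["alnum+symbols"])
    print(len(pw), "chars,", round(entropy_bits(len(pw), 94), 1), "bits")
```

Run it to see, for each alphabet, how many characters reach 128 bits and how far past that a 64-character password already is; the 100-character case shows that the concatenation workaround loses nothing, since independent uniform pieces add entropy linearly.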

  • MorgothSauron
    Community Member

    Thanks @Lars for the detailed explanations. Honestly I never tried to do the math: I just put in the longest password supported by the remote system. Based on your input I guess that 64 characters are more than enough ;) If I really want to go crazy I'll use the method you suggested. Thanks again.

  • Lars
    1Password Alumni

    @MorgothSauron - it's better to be on the safer side of things, as a general rule. But it's also good to realistically assess your own threat model and not make things overly complicated or onerous for yourself, because one aspect of good security is usability. If you were to create a system so secure that not even YOU could access it, what good would it be? ;)

    I'm kind of joking, but it gets serious when (for example) people use Master Passwords so long and complicated that even they can't remember them, so they write them down in a text file...but then they have to encrypt that file so it's not available in plaintext on their device...so they use a really strong password for THAT, and then they forget THAT password...you get the idea. Anything over 23 or so (given a full character set and a good hashing function) should be plenty for now -- but we're always keeping an eye on the attacker-to-defender balance, and we'll continue refining 1Password as necessary as threats change. Thanks for bringing it up! :)

  • MorgothSauron
    Community Member

    @Lars You are correct, and it's even something I used to say at work: you don't notice it when good security is in place. If it gets in your way, slows you down or makes things hard to use, it means something is "not correct" or too complicated. It's always good to have a balance between security and usability. If security is too complex, users will use "shortcuts" that may compromise the efforts made to secure a system.

    Back to my > 64 character password. I understand your point that 23 characters provide enough entropy to be safe. I don't remember when, but when I saw that 1Password could generate 64-character passwords I started to use that without questioning this "choice". It's so convenient to have 1Password remember and fill in those passwords for me ;)

    Of course I'm really careful with my master password. It is long enough to be safe AND easy to remember for me. And if I remember correctly, the amount of entropy is comprised of the master key AND the secret key.

    Have a nice weekend :)

  • Lars
    1Password Alumni

    Thanks for the great topic and conversation. :) :+1:
