Password generator inconsitencies

bogstefan
bogstefan
Community Member
edited August 2020 in 1Password in the Browser

I found some weird inconsistencies with the 1Password X extension for chrome:
1. The password generator which appears when one presses the extension icon, then the plus (+) and then the password generator, does not generate the same types of password as the desktop app or the web app. For example the password from 1Password X never has any types of brackets [ ] { } ( ), which makes the password weaker.
2. When one registers to a site (like this forum) one can let 1Password X automatically generate the password during the signup phase. The generated password does not use the length specified in the extension, but seems to be 17 characters long. For example When i go to the 1Password X generator, I set the slider to 25, because I like my passwords to be 25 characters long. The ones generated from there are indeed 25 long (albeit without the before mentioned brackets []{}(). etc). The auto fill auto generated password seem to be 17 characters long. It would be nice if the auto fill passwords would use the same procedure specified in the 1Password X extension.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:password generator

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @bogstefan! Welcome to the forum!

    The password generator which appears when one presses the extension icon, then the plus (+) and then the password generator, does not generate the same types of password as the desktop app or the web app.

    We are looking at ways to consolidate the password generator experience among all apps, currently you are right that they behave differently :+1:

    For example the password from 1Password X never has any types of brackets [ ] { } ( ), which makes the password weaker.

    I don't believe that using a specific symbol, like a bracket, makes a password stronger. As long as it's a symbol, I don't believe it matters which one it is, but if you need brackets, you can always add one or more manually even if the generator did not pick them.

    When one registers to a site (like this forum) one can let 1Password X automatically generate the password during the signup phase. The generated password does not use the length specified in the extension, but seems to be 17 characters long.

    This is correct: the suggested password uses a different recipe that is tweaked so that as many websites will accept it as possible. It's not too long, for example, and tries to fit the most common password requirements, to make it easier to generate a secure password.

    If you want complete control over the generated password, that's where the full password generator comes in handy :)

  • bogstefan
    bogstefan
    Community Member

    Thank you for the answer.

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome @bogstefan! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • MoosMas
    MoosMas
    Community Member

    Would like to add to this. When generating a 20 character password, 9/10 times there's only 1 or 2 special characters in it. Mostly - . or *. It would be very handy if we could specify how many special character it should at least contain. Also when signing up for a website and having 1Password generate a password, we can't edit it (only after it has been filled). We can only accept that password or generate a new one (by refocusing on the password field). A slightly more advanced popup generator would be a great addition, with for example a button to generate a new one, a button to fill the password and maybe even settings for the password.

  • ag_yaron
    ag_yaron
    1Password Alumni
    edited August 2020

    Thanks for the feedback here, @MoosMas .

    We're already looking into how we can improve the UI of the (automated) suggested passwords so they can be edited right then and there, but that might take a while longer. In the meantime, keep the following in mind:

    • The automated suggested passwords are using our predetermined recipe and cannot be edited. If you want control over the password that you generate, you'll want to ignore the suggested passwords and go to the generator in the extension.
    • The automated suggested passwords are really strong and will do the job in vast majority of the cases. The entropy of these passwords is great, and will withstand any cracking attempt you can run on it. If you find an entropy calculator somewhere, feel free to check how strong these passwords are :)

    As for the symbols - generating passwords with digits and symbols (with length of 20 characters) will usually generate 1-5 symbols in a password. The symbols are designed to be non ambiguous (which means we don't want a symbol that looks like a letter or a number) and are calculated for strong entropy. That means more symbols do not necessarily create a stronger password.
    For Example, I generated the following 20 characters password in 1Password: g3@h.W4HMcimTxKh@-Tx
    It will definitely be stronger than f$!@&P4Z&$@#$!(x16 which I just made up. Cracking passwords is a form of art, and the artists often knows to try all sorts of formulas, such as trying mainly digits, mainly symbols, mainly capitals etc. That is why it is important to keep the password as random and unpredictable as possible, which is measured by entropy. Entropy is what matters, not how many digits or symbols are in the password. Entropy takes all of the above into account (the length, complexity, variety of characters and randomness).

    I hope that clarifies how this works. Thanks again for chiming in and providing additional feedback!

  • MoosMas
    MoosMas
    Community Member

    Alright, I'll keep my eyes peeled for a new UI sometime in the future. Thanks for the clarification. Is it possible to open the password generator with a keyboard shortcut? It's 3 clicks away and it would be handy to open it with one action.

  • ag_yaron
    ag_yaron
    1Password Alumni

    I personally use the following (on a Mac):

    • CMD+SHIFT+X to bring up 1Password X's popup (CTRL+SHIFT+X if you're on Windows).
    • TAB to reach the PLUS icon, then SPACE to select it.
    • TAB to reach the generator, then SPACE to select it.

    It's quicker than navigating with the mouse for me, but might not be as comfortable for you.
    Hopefully we'll have better UI to reach it in the future. I have filed your feedback in the appropriate channels, so thanks for bringing it up!

This discussion has been closed.