Crazy rating of password strength

wfolta
wfolta
Community Member

I got a new laptop and installed 1Password, but it seems to be acting differently now. It's rating of password strength no longer makes sense.

First, 10-character passwords generated by 1Password (alpha and digits, no symbols) now rank anywhere from "Terrible" to "Good". Did you change your criteria?

Second, it's possible to get the same password entered into multiple fields in the record or into multiple records, and the rating for the SAME password can be both "Terrible" and "Good" at the same time.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • wfolta
    wfolta
    Community Member

    As a secondary issue, it says under my posting, above, that my 1Password Version, Extension Version, OS Version, and Sync Type are "Not Provided". But I can't find anywhere in the site to set them. Glad to provide helpful information.

  • wfolta
    wfolta
    Community Member
    edited September 2020

    Please see my other posting. It appears to be more widespread than this. For example, I have a 10-character (including symbols and numbers) 1Password-generated password that's merely "Good", while a 10-character (no symbols) 1Password-generated password is "Very Good", and another 1Password-generated password with one symbol is "Excellent".

    It's possible that I had a Terrible because of 1Password's confusing behavior about creating a key and also a login -- which will of course have the same password -- and I just noticed that things switched from Terrible, perhaps because I threw the key in the trash so it was no longer a "duplicate". Maybe that's just a delay in 1Password realizing it's been thrown away, or maybe there's a bug. I've been using 1Password for a couple of months and this is the first time I've encountered this kind of odd ratings and ratings that are inconsistent for the same password.

    I've never seen "Terrible" before. Even now, I see "Duplicate" on some entries, but I've not seen "Terrible".

    EDIT: I'm looking through all of my passwords now, and I have one 14-character password that has two non-adjacent numbers and upper/lower case letters -- though it hinges on two embedded words -- which is marked "Terrible". I guess it could be terrible, but it strikes me as odd. And one that's 12 characters 1Password-generated with two symbols and upper/lower that's "Terrible". I've stopped counting now -- hit another similar one and finally stopped.

    (I tried emptying the trash, in case there were duplicates there. Didn't help.)

  • This discussion was created from comments split from: Password and login disagree about strength..
  • Hi @wfolta

    Welcome to the 1Password Support Forum. I'd be happy to take a look at the password strength indicator situation for you. There are a few factors that can change the way a password is rated by 1Password:

    1. Does 1Password know the password in question is a generated password? If it does, it stores with that password a value associated with the password's entropy (randomness) that comes from the password generator during the generation process.
    2. If a password is copied using the clipboard, or changed by hand, that entropy data is lost and so we have to switch to a different method of calculating strength which is less reliable.
    3. Duplicate / reused passwords should always be marked as terrible regardless of their length or entropy

    There are definitely some improvements we can and hope to make to this system. For example, going forward, we're looking at copying the entropy value along with the password so if you copy it from the password generator and then paste it into a password field on a record that data will be retained. Unfortunately there would be no way to fix records that have already been saved other than to generate new passwords for them.

    I hope that helps explain some of the current situation, and also gives an idea of where we're headed for improving in this area. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • wfolta
    wfolta
    Community Member

    But I'm seeing "Terrible" for passwords that are not repeated -- most of the randomly generated by 1Password itself. There is more to this than the disagreement if it's there twice. I'd speculate that there's a bug that calls things "Terrible" incorrectly, and that causes certain disagreements where one copy is "Terrible".

  • This discussion was created from comments split from: Password and login disagree about strength..
  • Ben
    Ben
    edited September 2020

    @wfolta

    Thanks for the additional thoughts. For now let's please keep this conversation in the thread you started — I'm not convinced that you and the other customer are seeing the same symptoms. :) I posted a reply above, I'm not sure if you had a chance to read it? Please let me know. Thanks!

    Ben

  • wfolta
    wfolta
    Community Member

    Sorry, I hadn't checked back on mine. Good call!

  • :+1: :)

    Ben

This discussion has been closed.