Feature Request: Increased Password Complexity Options

eldrumo (Community Member)

I have a couple hundred stored passwords, and thus far, the changes I detail below will address all issues that I currently have with the 1Password product.

I would love to see a couple of password complexity options added for auto generated passwords:
- Upper case and number of upper case required
- Lower case and number of lower case required
- The type of symbols allowed, in addition to the symbol on/off button that already exists. (I envision a free form box where you can enter symbols to include. Also a check box for "Not" which configures the freeform text box to exclude the symbols entered. No symbols entered means all symbols are allowed.)

I ask for these enhancements because we have all seen instances where there are a set number of required upper/lower case characters for any given password. The symbol type ask is due to a very common instance where all symbols are not allowed. (Certain symbols not being allowed for a password is my biggest issue with using the auto generated passwords...) I truly believe that continued password complexity requirement additions, as password security practices evolve over time, will be crucial to keeping the product current and viable in the marketplace.

Thank you!

--Joe


1Password Version: Not Provided
Extension Version: 1.22.3
OS Version: Windows 10 1903
Sync Type: Not Provided

Comments

  • Lars (1Password Alumni)

    Welcome to the forum, @eldrumo! Thanks for the suggestions. In fact, some of the ideas of what you're suggesting are how it worked for some time here at 1Password. Those finer-grained controls were removed for reasons of improving randomness in password generation (and thus overall security), as well as some other reasons. You can read more about the decisions that were made in this post from our Security Team lead, last year. Feel free to let us know if you have any questions. And again, welcome! :)

  • druker (Community Member)

    I read this post and linked thread. I don't think your answer meets business or user requirements.

    For reasons known only to them, multiple service providers (web sites and other types of logins) support only specific sets of special characters (symbols) and restricted lengths. When I need to change passwords on those sites, I do not waste my time by regenerating and hoping. This is obviously dangerous too, as too many attempts may even lock accounts. What I do now is simply edit generated passwords to meet the site requirements. Reduces randomness, but has to be done. But even this is a waste of time and not optimal.

    I have over 1000 passwords in 4 vaults on 10 macOS, Windows and iOS devices. 1Password is a great tool and I have recommended it many times. That said, we need just a little more flexibility and your notion of reducing complexity is specious.

  • eldrumo (Community Member)

    Lars,
    Thank you for the reply. I understand that things were changed to the way that they are now, but I'm requesting that you reevaluate that decision. I bet that if you poll the community, you will find that every single user has the same issues that I am posting about. There is clearly a business need for what I am suggesting because valuable features of the application have unneeded limitations that effectively make those features unusable in many situations.

    Thank you,

  • Lars (1Password Alumni)

    @eldrumo - we are pretty much always re-evaluating our decisions, because very little stays fixed in this world. Features we once spent time and effort adding and maintaining become obsoleted by changes in OSes or sync methods, other things we considered doing but decided against for various reasons become more possible - or even urgent - by similar changes. So we try rarely to say "never" to ideas about how to improve 1Password. So while I can't promise you that things will change to the way you would like them to be, I'm happy to add your thoughts about the current state of things. Thanks for taking the time to share them.

  • Lars (1Password Alumni)

    Welcome to the forum, @druker! There are certainly a near-limitless number of password requirements at various websites out there, that's definitely true. As a whole, the average of them have been moving toward better password requirements over time, as we (all of us) learn more about what makes a good password, and what does not. Nevertheless, you're quite correct that there are still sites out there that have very specific password requirements. Enough so that it would be difficult to create a generator that allowed users to satisfy any/all of them.

    What we're aiming at with the password generator is to enable users to be able to generate a password that will be as secure as possible while also being acceptable to the greatest number of websites on the first try, without editing. Sliders for length and the presence of symbols and digits remain, as a result. And, as you mentioned you already are doing, any generated password can be relatively easily manually adjusted to meet the requirements of the minority of sites which have more-specific requirements than can be met by those options.

    As someone who spends all day doing this as well as a fair amount of free time on the internet, and who has well over a thousand saved Login items myself, I'm curious: do you find yourself changing passwords at various sites often, and if so, why?

  • eldrumo (Community Member)

    @Lars Thank you for the feedback and for allowing my suggestions to be heard.

    While I am not druker, I can say that I cycle a lot of passwords (my high risk groups) on a monthly cadence. It would not be shocking if he does something similar. I know that thought patterns are starting to shift and extend the duration between best practice password changes, but I'm internally stuck on monthly.

  • Lars (1Password Alumni)

    @eldrumo - that's what I suspected. And you're certainly not alone. But it's worth mentioning that the person who originally wrote the 2003 memo at NIST suggesting that regular password changes were good security practice now regrets and has recanted much of that advice. The newest version of NIST Special Publication 800-63B removes the recommendation to change passwords regularly (among other changes to the advice). Like anything, there are exceptions to this rule, and of course you should still change any password you believe to have been disclosed or captured or in any other way breached. The use of 1Password to assist in making new passwords also greatly reduces the tendency for people to just add another digit or symbol on the end of their previous password. But our general advice for years has been that if your existing password is strong and has not been at risk of disclosure, there is little value in changing it regularly.

  • Marco Schirrmeister

    I agree with @eldrumo. I would also like to see again the more random passwords like in the older versions. With 20 character passwords there is very often only 1 or 2 symbols in it. I have to reload it a bunch of times to get the randomness/password I would like to see.

    Compared to your online password generator https://1password.com/password-generator/ where you have the same options like in the 1Password app, the passwords look much better and it has much more symbols in it.

  • Lars (1Password Alumni)

    @Marco Schirrmeister - thanks for weighing in with your wishes, they're appreciated. I do want to point out that one of the very reasons that we expose less of the controls of the generator to users has to do with exactly what you've mentioned: preferring something that "feels/looks random" to you, instead of something that truly IS random. That's not a knock against you specifically, it's a function of human nature: when we know the possibilities of a system, we unconsciously tend to prefer examples that contain a varied mix of possibilities, because it "seems random" to us. But a truly random result is one where there is NO pattern whatsoever.

    I cannot find the source of the quote now (and it may have been lost to history) but I recall an old ad for the California lottery decades ago which asked famous figures (actors, sports stars, other public figures) what their favorite lottery numbers were and why. People had various cute stories about the day they got engaged or kids' birthdays, etc, but the one that stuck with me was Steve Wozniak, co-founder of Apple, who said his were 1-2-3-4-5-6 with a bonus number of 7, because "that's as likely as any other combination."

    I believe Woz's point at the time was to sort of slyly convey to people seeing the ad just how unlikely ANY given set of numbers, no matter how they're chosen, are to actually match the ones that come up in the drawing (and therefore how unlikely you are to win the lottery). But the point I remember taking away from Woz's answer as well as that point was the idea that although a "randomly chosen" sequence of 1-2-3-4-5-6-7 sounds eye-rollingly lame/weak on its face to us (it certainly did to me at the time), it literally is just as likely a result as anything else, out of a truly random generator. (side note: in 1Password, there are indeed constraints which prevent the generator from returning the most-common passwords, despite the fact that disallowing those does indeed reduce randomness slightly, because those most-common ones are among the first passwords that will be tried by automated cracking software because, well, they're frequently used -- see point A about humans not being good at randomness or taking it seriously).

    The point here is that a password that appears to human eyes (not just yours, virtually all of ours) to be appropriately varied and using a good cross-section of available characters...is measurably less random than one that's generated straight out of a properly-built CSPRNG, due to selection bias. You can read more about this from a post on our own blog from a few years back, if you're interested, and again, thanks for sharing your wishes. As has already been stated in this thread multiple times, there aren't currently any plans to change this, but we do appreciate the community feedback and will keep it in mind as things move forward.
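    The three things argued over in this thread (the first post's ask for a configurable symbol set, druker's "regenerate and hope" versus hand-editing, and the selection-bias point just above) can be put side by side in a few lines of Python. The following is an added example written for this page; it is not 1Password's generator and makes no claim about how 1Password works. It draws every character uniformly with the `secrets` CSPRNG from letters, digits and a caller-supplied `allowed_symbols` string, enforces a minimum symbol count by rejection sampling (re-drawing the whole string, never patching it), and computes exactly how many bits that constraint costs. The function names, the default length of 20 and the minimum of 2 symbols are this example's own choices.

```python
import math
import secrets
import string

# Character classes. string.punctuation is the 32 printable ASCII
# non-alphanumerics; a site policy typically permits only a subset of them.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
ALL_SYMBOLS = string.punctuation  # 32 characters


def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose characters are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def count_with_min_symbols(alphabet_size: int, symbol_count: int,
                           length: int, min_symbols: int) -> int:
    """Exact number of strings over the alphabet containing at least
    `min_symbols` characters from the symbol subset (binomial sum)."""
    non_symbols = alphabet_size - symbol_count
    return sum(math.comb(length, k) * symbol_count ** k * non_symbols ** (length - k)
               for k in range(min_symbols, length + 1))


def constrained_entropy_bits(alphabet_size: int, symbol_count: int,
                             length: int, min_symbols: int) -> float:
    """Entropy when the output is uniform over the strings that satisfy the
    constraint, which is exactly what rejection sampling produces."""
    return math.log2(count_with_min_symbols(alphabet_size, symbol_count,
                                            length, min_symbols))


def generate(length: int, allowed_symbols: str = ALL_SYMBOLS,
             min_symbols: int = 0) -> str:
    """Uniform draw over letters, digits and the allowed symbols using the
    CSPRNG in `secrets`. If the candidate has too few symbols the whole string
    is discarded and redrawn: the result stays uniform over all acceptable
    strings, which hand-editing a rejected password does not preserve."""
    if min_symbols > length or (min_symbols > 0 and not allowed_symbols):
        raise ValueError("constraint cannot be satisfied")
    alphabet = UPPER + LOWER + DIGITS + allowed_symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if sum(c in allowed_symbols for c in candidate) >= min_symbols:
            return candidate


def entropy_report(length: int = 20, allowed_symbols: str = ALL_SYMBOLS,
                   min_symbols: int = 2) -> dict:
    """Bits with and without the 'at least N symbols' rule, and the difference."""
    alphabet_size = len(UPPER) + len(LOWER) + len(DIGITS) + len(allowed_symbols)
    unconstrained = uniform_entropy_bits(alphabet_size, length)
    constrained = constrained_entropy_bits(alphabet_size, len(allowed_symbols),
                                           length, min_symbols)
    return {"unconstrained_bits": unconstrained,
            "constrained_bits": constrained,
            "cost_bits": unconstrained - constrained}


if __name__ == "__main__":
    print(generate(20, min_symbols=2))
    # A site that accepts only five symbols: smaller alphabet, still uniform.
    print(generate(20, allowed_symbols="!@#$%", min_symbols=1))
    for name, bits in entropy_report().items():
        print(f"{name}: {bits:.3f}")
```

    Two things fall out of running it. For 20 characters over the full 94-character alphabet, requiring at least two symbols costs well under a hundredth of a bit, because almost every uniformly drawn string already satisfies it; the "only 1 or 2 symbols" outputs Marco describes are simply what a uniform draw looks like (32 of 94 characters are symbols, so about a third of positions on average, with wide variation). Shrinking the symbol set to what a site permits also keeps the output uniform, it only lowers the per-character alphabet. The thing that is not uniform is what a person does after looking at the output: re-rolling until the string "looks varied", or swapping in symbols by hand, selects from a subset the attacker can model, which is the selection bias described above.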

  • RAbel1 (Community Member)

    I am all for the randomness, but there needs to be a way to define password policies for each login. Password Safe has a password policy tab for each entry. There is an option to use the default policy or to use a custom policy. This gives you the options to be able to select the password length, use lower case and uppercase, use digits, use symbols, and which symbols are allowed. I'm going to attach a screenshot so you can see what I'm talking about. The ability to choose the symbols is extremely important. Many websites restrict the usage of some symbols. I get really tired of regenerating passwords because I get an error saying you can't use that symbol. I believe that users need to have the ability to customize it as they see fit, instead of a blanket password policy based on what 1Password thinks we need.

  • williakz (Community Member)

    Hear, hear! All about choices. In my opinion, it is reasonable to expect users to carry at least SOME responsibility for the level of security they select in exercising those choices.

  • Lars (1Password Alumni)

    Thanks for weighing in, @RAbel1 and @williakz! It's much appreciated. :) :+1:

This discussion has been closed.