Tweak password generator recipe

I recently came across a website which in addition to requiring the password to be long enough also put an extra restriction that only lower case letters and numbers could be used. I know that the recipes can be modified to take some restrictions into account but is there a way to fine tune which characters are allowed so that these arbitrary restrictions can be satisfied? Some sites have not only restrictions on what character classes may be used but may list specific characters which are allowed (for example letters, digits, or any of "@ ", "-", ".").

I tried to work around it by choosing the memorable password recipe with digits as separators but then I ran into the password length restriction of the site.



Comments

  • ag_yaron

    Team Member

    Hey @kuriboshi ,

    You didn't mention which 1Password version you are using, but there's no option to use only lowercase or only specific symbols when generating passwords because that's just messing with the entropy of the password and making it weaker.

    My suggestion to you is to edit the generated password while you're in the generator:
    1. Get to the generator.
    2. Generate a new password.
    3. Click on the password itself while in the generator and edit it as you see fit.
    4. When you're done, click on Autofill or copy-paste it into the website.

    Hopefully we will see less and less of these weird requirements on websites as time goes by :)

  • Thanks @ag_yaron, I ended up doing something similar. Copying the password to somewhere where it was easier to edit and then copy and paste back to 1Password.

    It can be especially frustrating when a site doesn't specify the limitations of a password until you actually generate and enter one, sometimes requiring multiple roundtrips before successfully entering a password.

    And for completeness: 1Password 7.7 (70700016), macOS 11.2, Safari 14.0.3.

  • ag_yaron

    Team Member

    Thanks for the additional details.

    In that case, no need to copy the password somewhere else and edit it - just edit it directly in the password generator.
    I hope that will do for now.

    And I agree that websites should specify requirements before a failed attempt, unless they have no requirements (except for minimum length) which is the best case scenario!

  • What about implementing something like Keepass? It will make our lives much easier.

  • ag_yaron

    Team Member

    Hey @Naxterra ,

    We used to have something like this long ago, but it was so darn confusing for most of our customers (as they are mostly not as tech-savvy as you) and therefore we have simplified things as much as possible.

    We've also learned that the more rules and restrictions you apply on a password recipe, the more it affects the password's entropy and randomness, which eventually results in weaker passwords. Any human intervention in a truly randomly generated password reduces entropy. However, I might agree with the argument that from a certain length (e.g. 18 characters and higher) this might be negligible.

    Thanks for the suggestion and feedback! As always we will stay tuned and if many users ask for such features we will consider them if possible. :+1:

  • williakz
    edited February 17

    @ag_yaron, the way to approach this problem, IMO, is to default to (more or less) random generation to produce the most robust passwords but with a user-selectable option to go "Manual" when needed and as @Naxterra showed above. I would also suggest that any entries with such user-restricted or modified passwords be clearly indicated so users can periodically recheck site restrictions with a view to going "full Auto" (random) to restore password robustness if and when site restrictions are eased.

  • ag_yaron

    Team Member

    Thanks for the suggestions here @williakz .

    1Password already shows you how strong a password is (e.g. Terrible, Bad, Good, Strong, Excellent etc). If a password is marked bad and below, Watchtower will notify you that it is bad whenever you look in Watchtower or when you open that login item.

    Is that more or less what you are expecting to happen?

  • Hi @ag_yaron,

    I suppose I'm asking for an indicator of how a password was generated in addition to the measure of its robustness that Watchtower currently provides.

    In my case, I was given 30 days to come up with a new password for a financial site (I know, I know — I already sent them your "Bad Bank" letter). I figured I'd just let 1Password's password generator do its thing (I haven't used it much other than for "don't care" sites, I know, I know—that's backwards). Problem was I was site-restricted to a maximum password length of 15 characters. I received guidance here on how to conform the generator to produce password(s) of shorter length than the default. Everything from that point worked fine.

    However, in reviewing that length-limited password, Watchtower shows it as "Fantastic" (I like my own cooking as well!) with no indication that the password is shorter than the default length the password generator "wanted" to use. My assumption here is that the longer 1Password-generated password would be to some degree "Fantastic-er" than the shorter one. Therefore, the shorter one should carry an indication that it was produced with limitations relative to what the 1Password generator would've come up with on its own. Such an indication would permit me to periodically review site-restrictions with a view to creating new, unrestricted passwords when and if possible.

    Hope that helps explain my earlier message.

  • ag_yaron

    Team Member

    Hey @williakz .
    Thanks for clarifying further.

    I think in this particular instance, your concerns might be misplaced. A 15 characters long random password is extremely strong. If the password is completely random, even a 12 characters long password is wonderful and will be considered uncrackable unless someone would be willing to invest a ton of money and resources on cracking it - and that only happens if you're someone super important or have access to very sensitive and wanted data.

    We've had bounties in the past where we paid the community to try and crack such passwords, and even though the prizes were in tens of thousands of dollars, most of them weren't cracked without us having to give out some clues as to what the passwords may or may not contain. So again - to put things in perspective, a password that was generated by our generator is super strong even when it is short. If it is too short or if you mess with the password manually in a way that hurts the entropy (e.g. only letters and some letters repeat themselves more than twice in a row etc...), then 1Password will let you know that the password's strength is less than fantastic.

    If you are a very important person or if you have data that is extremely sensitive, then you should use the generator to generate longer passwords, but for the vast majority of users, the suggested passwords are way more than enough, and even passwords that are a bit shorter are :)

    There are a lot of calculators out there that will demonstrate how weak/strong a password is that you can find and play with. Here's one from the top of Google's search results. Feel free to generate passwords in the generator and test them there. Do not use real passwords that you actually use though!

    I hope that clarifies why most passwords you generate will show as fantastic, while some passwords you create manually might be weaker :)

  • Thanks for the explanation (and new toys to play with), @ag_yaron. You folks are the greatest!

  • ag_yaron

    Team Member

    Glad I could help :chuffed:

  • I've noticed that the passwords generated by 1Password tend to get a "Very Good" rating within 1Password, whereas all of the passwords I had previously generated using Keychain in Safari are all rated as "Excellent" or even "Fantastic" in 1Password. I'd love to be able to edit the password generator recipe in 1Password so that all of those passwords would also rate as excellent or fantastic, too.

  • @upupcreative If you are using the latest version of 1Password in the browser, formerly known as 1Password X, then you can choose the default recipe for suggested passwords. Click on the 1Password extension icon then the '+' symbol then Password Generator. Here you can generate passwords according to a number of pre-defined recipes, adjust the recipe, manually edit the resultant password and choose the default recipe for suggestions.

  • ag_michaelc

    Team Member

    Thanks for helping out, @missingbits. Let us know if you need further assistance on this, @upupcreative. :smile:

  • ag_ana

    Team Member

    :)

  • I miss the now-deprecated password recipe feature! Specifically, modifying the recipe to specify the exact amount of special characters or digits in the password. Is there any way this feature can make a comeback?

  • ag_yaron

    Team Member

    Hey @CCAAG ,

    We don't encourage manually messing with the recipes, since that often hurts the entropy and randomness of the password generated.
    However, if the password generator is not creating a very specific kind of password you're trying to generate, simply click the generated password with your mouse and edit it with your keyboard as you see fit.
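
Added example, not part of the thread and not 1Password's code: a generator restricted to the character set a site allows, with the exact entropy cost of the restriction. The 94-character "full" set and all function names are assumptions made for illustration.

```python
import math
import secrets
import string
from itertools import combinations

# Site rule from the first post: lowercase letters and digits only.
SITE = string.ascii_lowercase + string.digits
CLASSES = [string.ascii_lowercase, string.digits]
# Assumption: 94 printable ASCII characters stand in for an unrestricted
# generator; this is not 1Password's actual character set.
FULL = string.ascii_letters + string.digits + string.punctuation

def count_passwords(length, alphabet, required=()):
    """Number of length-`length` strings over `alphabet` that contain at
    least one character from every class in `required`
    (inclusion-exclusion over the classes that could be missing)."""
    alpha = set(alphabet)
    classes = [set(c) & alpha for c in required]
    total = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            left = alpha - set().union(*missing)
            total += (-1) ** k * len(left) ** length
    return total

def entropy_bits(length, alphabet, required=()):
    """Exact entropy of a uniform choice among the allowed passwords."""
    return math.log2(count_passwords(length, alphabet, required))

def length_for_bits(target_bits, alphabet):
    """Shortest length whose unconstrained entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))

def generate(length, alphabet, required=()):
    """Draw uniformly from the allowed passwords by rejection sampling,
    so the rule removes candidates without biasing the survivors."""
    if count_passwords(length, alphabet, required) == 0:
        raise ValueError("no password satisfies this rule")
    chars = sorted(set(alphabet))
    classes = [set(c) for c in required]
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if all(any(ch in c for ch in pw) for c in classes):
            return pw

if __name__ == "__main__":
    print(generate(15, SITE, CLASSES))
    print(round(entropy_bits(15, SITE, CLASSES), 2), "bits, site rule")
    print(length_for_bits(entropy_bits(15, FULL), SITE), "chars to match")
```

At the 15-character limit mentioned in the thread, the lowercase-and-digits rule gives about 77.5 bits against about 98.3 bits for the assumed 94-character set, and 20 characters of the restricted set are needed to match it.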
