Random Password and Symbols


Hello,
When I use Random Password with the Symbols toggle turned on, 1Password generates some limited set of symbols (see video). I've never seen symbols like # [ ] / \ { } ^ < > $ % for example. I've seen only _ @ * - ! .. Am I missing something? Or is it normal behaviour?



Comments

  • ag_yaron
    1Password Alumni

    Hey @vadimm ,

    We try to generate passwords that will most likely be accepted by the majority of websites, even if the websites have crazy requirements. These symbols are the most commonly accepted ones, while the others are often rejected by websites that accept only a specific set of symbols.

    That is why we only generate a specific set of symbols. If you'd like to add other symbols, just click the password at the top of the generator and edit it with your keyboard as you see fit :)

  • vadimm
    Community Member

    Hi @ag_yaron,
    Thank you for a fast response. I anticipated and feared this answer. I understand the motivation, of course. The problem really comes down to the following trade-off: either one user adds extra symbols or another user removes symbols because of crazy website requirements. Personally, I'm a user who adds extra symbols to make it stronger. Is it possible to make this trade-off more configurable? I mean having a setting for adding custom symbols to the symbol set would be great.

  • ag_yaron
    1Password Alumni
    edited March 2021

    Hey @vadimm ,

    When you want to create stronger passwords, you'll actually want to avoid manually editing the generated password. Human intervention in auto-generated passwords often hurts the entropy and randomness of the password.

    The only time you should manually intervene is if the website actually requires one of the symbols that the generator does not offer, but that sounds like an extremely rare edge case.

    If you want stronger passwords, make sure they are long (and are randomly generated by our generator). A randomly generated password 14-16 characters long will be overkill for most users. Cracking such a password would require an unbelievable amount of resources and is virtually impossible with today's technology. The attacker might as well invest the money in physically catching you and forcing you to reveal the password - that would be cheaper and easier than cracking a 16-character random password :lol:

    At the end of the day, it doesn't matter if the generator added the ! symbol or the % symbol - the entropy will remain almost the same, and the difficulty of cracking that password will remain the same.

    Length, randomness and entropy are the name of the (encryption) game here :)
    There are plenty of password cracking calculators online, you can try and test some randomly generated passwords in them and see how long it would take to actually crack them (if possible at all).

    Thanks for the feedback and suggestions though! We can definitely see why users might feel safer if we show more symbols in the generator, but again - that would be a completely visual gimmick that won't actually add strength to passwords. The downside is that our passwords will be rejected by websites more often, which is something we try to avoid as best we can.

  • vadimm
    Community Member

    Hi @ag_yaron

    "that would be a completely visual gimmick that won't actually add strength to passwords"

    Thanks for the explanation. I'm not a cryptography expert and this information really helped. I will stop manually adding something to the 1Password magic :)

  • On behalf of Yaron, you're very welcome, @vadimm. By the way, in case you're interested, you can take a look at the pull request where we updated the default symbols a couple years ago:

    https://github.com/1Password/spg/pull/22

    You'll see that the reduction in entropy is very small, while the passwords are much more usable as a consequence. :smile:

  • vadimm
    Community Member

    Hi @ag_michaelc,
    Thanks for the details. What I learned from this PR is that the reduction of the strength of a generated password is covered by adding one character to the password length. Ok, fine by me :) Thanks for the explanations, guys.

  • You're most welcome. :smile:

This discussion has been closed.
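
The trade-off discussed in this thread (a smaller symbol set versus one extra character of length) can be checked numerically. The following is an added example, not code from the thread or from 1Password's generator: the two symbol sets are assumptions built from the symbols the first post lists, and the entropy formula assumes every character is drawn uniformly and independently.

```python
import math
import secrets
import string

# Assumed alphabets, built from the symbols named in the first post.
# They are NOT the generator's real configuration.
ALNUM = string.ascii_letters + string.digits   # 62 characters
SEEN_SYMBOLS = "_@*-!."                         # symbols the poster reports seeing
UNSEEN_SYMBOLS = "#[]/\\{}^<>$%"                # symbols the poster never sees
NARROW = ALNUM + SEEN_SYMBOLS                   # 68 characters
WIDE = NARROW + UNSEEN_SYMBOLS                  # 80 characters


def entropy_bits(alphabet, length):
    """Entropy of a password of `length` characters, each chosen
    uniformly and independently from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def min_length(alphabet, target_bits):
    """Shortest length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def generate(alphabet, length):
    """Draw a password with the OS CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(length=16):
    """Compare both alphabets at `length` and report how long the narrow
    one must be to match the wide one."""
    wide = entropy_bits(WIDE, length)
    narrow = entropy_bits(NARROW, length)
    return {
        "wide_bits": wide,
        "narrow_bits": narrow,
        "bits_lost": wide - narrow,
        "narrow_length_to_match": min_length(NARROW, wide),
    }


if __name__ == "__main__":
    for key, value in compare(16).items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
    print("sample:", generate(NARROW, 17))
```

A generator that forces at least one symbol or digit into every password draws from a slightly smaller space than this formula assumes, so treat the figures as an upper bound.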