Why is this a weak password too easy to guess, since your app generated it??

I needed to change my password for a website after a phishing attack that I had previously sent to the security e-mail at the website. Their receipt of the phish apparently generated a message from the website that I needed to change my password as a precaution. Probably a good idea, and the message was legitimate.

1Password generated something like this: At9@3dfgw (NOT the real password, as I substituted random characters in this example, but the generated password is the same length and type.)

AFTER generating the password, submitting it to the website, and logging in using the new password, your program announces THIS IS A WEAK PASSWORD & TOO EASY TO GUESS. Really? Too easy to guess? So now I am being prompted by 1Password to change the password again that 1Password just generated and I submitted to the website less than a minute prior.

My question: Why does 1Password even allow generating passwords that, AFTER THE FACT, it labels as weak, FORCING ME TO RESET MY SETTINGS AND RESET THE PASSWORD A SECOND TIME, raising suspicions at the website? ("This user just changed their password, and is now changing it again a few minutes later? Suspicious!")

PLEASE STOP THIS PRACTICE IMMEDIATELY IN THE NEXT UPDATE. DO NOT ALLOW USERS TO SET UP A PASSWORD FORMAT THAT YOU WILL LATER LABEL AS WEAK AFTER IT HAS BEEN USED AND SUBMITTED TO THE WEBSITE.

IF, AFTER PRIOR NOTIFICATION OF A WEAK PASSWORD FROM 1PASSWORD UPON PRESSING THE GENERATE PASSWORD BUTTON, THE USER INSISTS THAT THEY WANT A WEAK FORMAT PASSWORD, ALLOW IT WITH THE USER'S APPROVAL.

BUT IT IS IMPERATIVE TO NOTIFY THE USER WHEN THEY SET THE PREFERENCE TO WHAT YOU BELIEVE TO BE A WEAK PASSWORD AND WHEN THEY PRESS THE GENERATE PASSWORD BUTTON AND MAKE THE USER EXPLICITLY REQUEST THAT 1PASSWORD CREATE WEAK PASSWORDS BEFORE THEY ARE USED.

The rest of this post is just a warning of what hackers are doing to steal your accounts. It is not 1Password specific. I am still a huge fan of 1Password, but this does seem like a good forum to share my experiences and the consequences that flow from hacking and phishing. If the Admins think this belongs in another category, please feel free to edit this part and post it in a different topic forum.

I just lost my entire 5-year-old Instagram account to a hacker who sent me the same kind of message I got from this website. This message showed up after days of not being able to log into Instagram. Instagram had a major worldwide system outage for 90 minutes on March 19, 2021.

The quality of phishing e-mails has improved dramatically. The logos are vector graphics and the PMS colors are perfect. There are no misspellings or grammatical errors. The tiny disclaimers and copyrights at the bottom are spot on. The use of English is perfect. They are now very hard to detect.

Since users have been conditioned to NEVER, EVER click on a link in a message from a company, the hackers have started buying and using 800 Toll Free Phone numbers. After the Instagram hack, I got an order confirmation from a different website for a $965 order I never placed with instructions that if there was a problem, to call their 800 number printed in the e-mail.

Calling that number is just like clicking on a fake link in their phishing e-mail. I would be connected to the hackers, who could pretend to be the legitimate website and ask me for more personal data. DO NOT TRUST ANY TOLL-FREE NUMBERS YOU GET IN ANY e-MAIL. Again, go to the website and find the official number there.

After having my Instagram stolen, I am certain that my data is being sold on the dark web on a "sucker's list" of people who fell for a phishing attack. This time, I did NOT click on anything in the phishing message or call any phone numbers. Instead, I went directly to the website of the site and followed their outdated and now technically incorrect instructions on how to change my password. (The procedure is somewhat the same but does not actually match their instructions.)

Trying to recover my Instagram account, I received the 2FA 6-digit code via SMS to my phone and entered it and every time instead of letting me in, it told me they would investigate "unusual activity" and restore my account within 24 hours if I was the legitimate account holder.

Instead, they did NOTHING. Eventually, my Instagram account simply ceased to exist. I was told my account had been deactivated. Then my e-mail address generated NO SUCH USER. None of my friends or followers could find my account anymore. Since Facebook / Instagram has decided as their company policy NOT to provide any end user support for any of their properties, I don't see getting my deactivated account back as a likely outcome.

I lost all my hundreds of followers, all the messages we exchanged, all the descriptions and keywords used with my photos and postings, and all the people I followed and whose posts I saved. All gone, with no recourse. Not even sure I will be able to set up a new account and start over. I do still have the original and edited travel photos. But that was maybe 30% of the content on Instagram.

My only recourse would seem to be a request for one-to-one arbitration, which is what is in their T&C's. Facebook doesn't really want to talk to end users. This request cannot be faxed or e-mailed. It must be MAILED via USPS Snail Mail. They will receive my Certified Mail Dispute Notification and Request for Arbitration this afternoon, 3/26/21.

Who knows if they will respond? Their Terms and Conditions say if I submit the data they request, they will respond. I'm doubtful of course. It is Facebook after all, and Zuckerberg doesn’t really care about anything but power and money. (BTW, if the Facebook or Instagram user has a business on their platform and loses that business due to the capricious nature of Instagram and Facebook's bad behavior, the user's compensation is capped at $100 according to the arbitration clause.)

I have become one angry, enraged end user, and I am now on a mission to get the Federal Government and Congress to start anti-trust proceedings against Big Tech, with the goal of breaking up these greedy, arrogant monopolistic companies.


1Password Version: 7.8.1. BETA 0
Extension Version: 1.24.6
OS Version: OS X 10.15.7
Sync Type: 1Password

Comments

  • ag_ana
    1Password Alumni
    edited March 2021

    Hi @FogCityNative!

    I think it's a problem of password length: a password like the one you generated is not a very strong one because it doesn't have many characters. 1Password can create passwords much longer and stronger than that, up to 100 characters.

    However, if the website has weaker password requirements for example, 1Password cannot stop you from creating a shorter password of course, but it will warn you that it's not a secure password overall.

    You can also use 1Password to generate a one-character password, for example, but the app will then tell you it's not a secure one, even if you are free to create one that short of course. In your case, I recommend using the password generator options to make the password longer, if the website accepts it, as that is certainly under your control :+1:

  • FogCityNative
    Community Member

    I think it's a problem of password length: a password like the one you generated, without symbols, is not a very strong one. However, if the website has weaker password requirements for example, 1Password cannot stop you from creating a password of course, but it will warn you that it's not a secure password overall.

    Thanks for the quick reply, but I don't think you are fully understanding my issue.

    The generated password has ONE symbol. And, 1Password WILL NOT WARN ME THAT IT IS NOT A SECURE PASSWORD OVERALL until AFTER I have used it and submitted it to the website.

    The warning needs to come BEFORE any weak password is generated or submitted. THAT IS THE BAD DESIGN IN 1PASSWORD I AM REQUESTING YOU FIX. Most website owners today encourage long, complex passwords. That is the norm. It is the outlier website that won't accept these highly secure passwords.

    For example, say I changed my PW length because my normal 12 characters and lots of symbols isn't being accepted by a specific website. So, as a long time (10 years plus) user, I know how to change the preferences to something shorter or simpler.

    But obviously, I forgot to reset the preference and 1Password DID NOT WARN ME UNTIL AFTER THE SHORTER, SIMPLER, LESS SECURE PASSWORD WAS USED A SECOND TIME ON A DIFFERENT WEBSITE, doubling my work to resolve the problem and perhaps raising red flags at the website.

  • ag_ana
    1Password Alumni

    @FogCityNative:

    Indeed, I noticed later on that your example had a symbol, so I have edited my comment :) The password length is indeed the biggest issue.

    Depending on how you are generating a password, I don't know if 1Password can tell you the strength of a password before you save it. And 1Password typically does not save your password until after you submit it to the website (which is when the extension prompts you to save those credentials in 1Password). If you are concerned about this, and don't want to default to longer passwords in the settings, I think the alternative is to save the password in the app first, so if you are not happy with it, you can update it and approve it before you change it on the website.

    Personally, I just set my password generator options to create longer passwords by default. Unless I am working with a website with weak password requirements, I must say I have not seen this message in a while :)

  • FogCityNative
    Community Member

    Exactly. So if shorter passwords are the exception and not the rule and are in fact now rare, why not make it harder to set and keep insecure passwords or preferences?

    How about this change? 1Password will allow the user to have any password they want but changes to password preferences that create known insecure style passwords will not have that preference saved.

    Basically the user can create crappy passwords but they will be one time use decisions and cannot be saved as permanent password generation preferences. No more forgetting to set it back to get good secure passwords.

    So crappy passwords are there in the generator in the rare occasions you need one generated but the preference returns to the last used preference that does not trigger an insecure password warning after the crappy one was used one time.

  • Hey @FogCityNative

    It is an interesting thought. I agree that generally we want to encourage more secure behaviors over less secure ones, and we should be "secure by default." Most of the decisions surrounding the password generator come directly from our security team, so I'll be happy to pass this feedback to them for future consideration. :)

    Ben

  • FogCityNative
    Community Member

    Thank you Ben.

    I agree it is an interesting thought. Even more interesting when you share your philosophy of "secure by default".

    Please do send this thread to the security team and see if they agree and think it is more than interesting, but a necessity. And then they implement it.

  • ag_ana
    1Password Alumni

    I have sent your question to the security team :+1:

  • jpgoldberg
    1Password Alumni

    A 10-character password from our generator would never be weak (unless it were a digits-only PIN), but it isn't going to be super strong either.

    Furthermore, if it was a generated password, then the generator will know precisely how strong it is. That is because the strength of a password depends on the system that generated it. For a human-created password, we have to guess at its strength by looking at the password. Once you manually edit a generated password, the strength meter has to treat it as human created.

    Can you let me know what settings you had for the generator when you generated the password? From your example, it looks like 10 characters with digits and symbols.

    I do like the idea of showing the strength in the generator itself. I can’t promise such a feature, but we will look into it.

  • jpgoldberg
    1Password Alumni
    edited April 2021

    Hello @FogCityNative,

    Some of what I said in my previous comment may not fully apply if you are not using a recent version of 1Password. There have been major changes both in the generator and the strength meter in 1Password 7.

    One of the changes is that 1Password 7 keeps track (as best it can) of whether a password it is storing was the product of the generator or not. And for the product of the generator, it knows precisely how strong the password is. For things that are human created, edited, or manually put in, 1Password 7 uses the zxcvbn strength meter, which is designed to guess the strength of human created passwords.

    What rules make a password stronger?

    Because of what people have been told over the years, it is easy to misunderstand what makes a password strong. Consider two sets of requirements.

    Requirement set 1

    • 15 characters long
    • May contain lowercase letters
    • May contain uppercase letters
    • May contain digits
    • May contain symbols

    Requirement set 2

    • 15 characters long
    • Must contain lowercase letters
    • Must contain uppercase letters
    • Must contain digits
    • Must contain symbols

    Which configuration leads to stronger passwords?

    The answer depends on who you give the requirements to. Requirement set 2 may produce stronger passwords when given to a human. Requirement set 1 produces stronger passwords when given to a machine.

    Because we humans have been given things like requirement set 2 for decades now, we have come to believe that passwords that meet those are inherently stronger than those that don't. It is (or at least, was) true for human-created passwords. But it has never been true for machine-created ones. The fact of the matter is that set 1 allows for more passwords than set 2. And if the generator selects from the set of allowed passwords uniformly (as any decent generator should, but no human can), then set 1 results in stronger passwords.

    As the world transitions from asking humans to generate passwords to using those that are automatically generated, we will have a period in which the stronger designed generators may not "look right" to people.
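The two points above (a generator knows its own password strength exactly, and "may contain" admits more passwords than "must contain") can be checked by counting. The following is an added worked example, not 1Password's code: it counts the passwords admitted by each requirement set, converts the count to bits of entropy (which is all a uniform generator needs to know its own strength), and samples uniformly from either set. The symbol set (`string.punctuation`, 32 characters) and the rejection-sampling approach for set 2 are assumptions for illustration; 1Password's real symbol list and generator design may differ.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes as in the post's two requirement sets.
# The symbol set is an assumption for this example (32 ASCII punctuation characters).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
CLASSES = [LOWER, UPPER, DIGITS, SYMBOLS]


def count_may_contain(length, classes=CLASSES):
    """Requirement set 1: every position is drawn from the union of all classes."""
    alphabet = sum(len(c) for c in classes)
    return alphabet ** length


def count_must_contain(length, classes=CLASSES):
    """Requirement set 2: strings over the union that use every class at least once.

    Counted by inclusion-exclusion over the subsets of classes that are left out:
    sum over S of (-1)^|S| * (size of union without S) ** length.
    """
    n = len(classes)
    total = 0
    for k in range(n + 1):
        for excluded in combinations(range(n), k):
            alphabet = sum(len(classes[i]) for i in range(n) if i not in excluded)
            total += (-1) ** k * alphabet ** length
    return total


def entropy_bits(count):
    """Strength of a password drawn uniformly from `count` possibilities."""
    return math.log2(count)


def generate(length, classes=CLASSES, require_all=False):
    """Draw one password uniformly from set 1 (require_all=False) or set 2 (True).

    Set 2 is sampled by rejection: draw from set 1 and retry until every class
    appears. Rejection sampling keeps the distribution uniform over set 2.
    """
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all or all(any(ch in c for ch in pw) for c in classes):
            return pw


def meets_all_classes(pw, classes=CLASSES):
    return all(any(ch in c for ch in pw) for c in classes)


if __name__ == "__main__":
    for length in (8, 10, 15):
        may = count_may_contain(length)
        must = count_must_contain(length)
        print(f"{length} chars: set 1 = {entropy_bits(may):.2f} bits, "
              f"set 2 = {entropy_bits(must):.2f} bits, "
              f"set 2 is {100 * must / may:.1f}% of set 1")
    # The scenario from the thread: generator left at 8 letters only.
    print(f"8 letters only: {entropy_bits(count_may_contain(8, [LOWER, UPPER])):.2f} bits")
    print("sample (set 1):", generate(15))
    print("sample (set 2):", generate(15, require_all=True))
```

At 15 characters the gap between the two sets is under half a bit, which is why the post says set 1 is stronger rather than dramatically stronger; at short lengths the "must contain" rule throws away a much larger fraction of the space. The 8-letters-only line reproduces the kind of setting described later in the thread and shows why the generator can flag such a password as weak the moment it is produced: its strength is a fixed function of the settings, not something that has to be guessed from the characters.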

  • FogCityNative
    Community Member

    Can you let me know what settings you had for the generator when you generated the password. From your example, it looks like 10 characters with digits and symbols.

    It was a while ago, but here's what I think happened. The site would only accept limited special characters, like period, number sign, ampersand, plus sign, etc.

    So, the password 1P generated had in it a symbol that was not permitted by the website. So I changed the password generator to something low, like 8 characters, all letters, and then manually added an exclamation point at the end to meet the requirements of the website.

    Then the next time I used 1Password to generate, I got only the 8 characters I had last set in the generator preferences, which may have led to the Weak Password response.

    But it was a while ago, and I have had so many computer nightmares (like having Instagram shut off my account for 12 days for no reason) way worse than this almost cosmetic error, I am not 100% sure about my recollection.

This discussion has been closed.