Start with number is a good idea?

hylq76
Community Member

Hello, I have a question about password strength (or entropy).
1. Is it possible to generate a random password with 1Password that starts with a number? If yes, is it a good idea?
2. And which custom password generator setting is better and safer in terms of password strength (or entropy)?

Length: 20
Number of symbols: 3
Start with alphabet, includes Numbers and Mixed Case
Length: 24
Number of symbols: 4
Start with alphabet, includes Numbers and Mixed Case

Kind regards,
h.



Comments

  • ag_ana
    1Password Alumni

    Hi @hylq76!

    I have sent both your questions to our security team. We will post back here as soon as possible.

  • Lars
    1Password Alumni

    Welcome to the 1Password Support Community, @hylq76! Can I ask what you're trying to achieve? This seems like a very specific case.

  • hylq76
    Community Member

    Hello @ag_ana and @Lars :)
    Thank you and so sorry for my delay!

    I read old blog posts at 1Password.com about password entropy and I'm just curious how to improve the passwords that I use for GPG, internet banking and a crypto-wallet. Until now I used Safari's built-in password manager without iCloud Keychain.

    Some websites won't let me use symbols or more than 20 characters, so I decided to combine all possible things and ask you for a recommendation.

    Thank you so much for giving me your time.

  • ag_ana
    1Password Alumni

    @hylq76:

    Some websites won't let me use symbols or more than 20 characters, so I decided to combine all possible things and ask you for a recommendation.

    Couldn't you use the password generator with a maximum length of 20, and with symbols and numbers enabled?

    The password won't start with a number, but it will contain a number, so at least you don't have to add it manually :)

  • jpgoldberg
    1Password Alumni
    edited May 2021

    I'd like to jump in and use the original question to lecture on a few things. Because that is the kind of thing I do.

    1. Is it possible to generate a random password with 1Password that starts with a number?

    Unless you set it for a digits-only password (e.g., a PIN), there is no way to guarantee that it will start with a digit. But of course any random setting that allows digits could start with one. It looks, though, like you are trying to require that it starts with a digit.

    If yes, is it a good idea?

    The short answer is "no". The longer answer is longer. Some of what I say is covered in A Smart(er) password generator, but below I dive into some broader and deeper points.

    More constraints, fewer passwords

    A password generating scheme that places more restrictions on the result is going to allow for fewer generated passwords than one without those restrictions. Let's look at an extreme case to keep the numbers small.

    Suppose you are generating a password with only upper and lower case letters and digits.

    And suppose you are generating a password of length 3. With no additional restrictions there are 238328 possibilities. Some of those will start with a digit and some will start with a letter. There are ten digits and 52 letters. And so there is a 10/62 chance that a randomly generated password would start with a digit and a 52/62 chance that it would start with a letter. By requiring that you start with a digit, you are tossing out 199888 possible generated passwords.

    In fact, irrespective of length, you are tossing out 52/62 of possible passwords with such a requirement.

    Humans v machines

    A well designed password generator generates using a uniform distribution. Each password that it could generate is exactly as likely as any other password it could generate. This notion of uniform distribution of generated passwords is important.

    People are really bad at picking things randomly and uniformly. And so the kinds of things that we tell humans to encourage them to create better passwords are very different from the kinds of things we should tell machines. Telling a human to make the first character of a password a digit might help them create better passwords (for now), but it is very counter-productive to give such instructions to a machine.

    This has led to a great deal of confusion because of what people have been told over the decades. People have been told that a password with three symbols in it is stronger than a password with at least one symbol in it. But, if that was ever justified, it was because telling people that got them to pick better passwords. Telling a machine, which can create passwords uniformly, the same thing has the opposite effect.

    People also don't see just how much strength picking passwords uniformly gets them. A letters-only 10 character password is going to be near unbreakable by the likes of the NSA, but a 10 character human-created password is not.

    The point here is not to apply the beliefs you've learned about what makes a password strong to the requirements you want on a properly generated one.

    We Kant count on present practice

    Above I said "Telling a human to make the first character of a password be a digit might help them create better passwords." And that would be because most passwords are human created and most human created passwords don't do that. So in general, telling a human to do that would lead them to pick less common passwords.

    But the advice would only be good to follow if attackers didn't know that that was part of your password creation scheme. If they knew you were likely to follow such a practice, they could easily tune their attacks to it and turn it against you. In general, you want security schemes that remain strong even when the attacker knows the system.

    If lots of people followed a rule like "start with a digit", then attackers would know that, too. What might be a good strategy for an individual to follow in secret would be very bad if everyone followed it.
    This is what brings me to what I call a Kantian principle of password creation schemes.

    A good password creation scheme must remain good even if everyone uses it.

    This, again, is the beauty of something like 1Password's password generator. We can make every detail of how it works public, and everyone on the planet can use it without weakening it. And because we have a uniform distribution over a well-defined set, we can know precisely how strong the password is from the settings themselves.

    Which is stronger?

    Length: 20
    Number of symbols: 3
    Start with alphabet, includes Numbers and Mixed Case

    Length: 24
    Number of symbols: 4
    Start with alphabet, includes Numbers and Mixed Case

    The length 24 one. But the length 20 one is already enormously stronger than anything you will ever need if generated from a decent password generator, even without the symbols. The symbol requirements weaken each of those, but given how strong 20 or 24 letters and digits are, the damage from the symbol requirements is going to be tiny.

    Losing control

    You may have noticed that in more and more places we have been giving users less control of password generator settings. The knobs and adjustments that people want are typically things – like requiring a certain number of symbols – that make generated passwords weaker instead of stronger.

    The only time you should really need the finer control is if what 1Password generates by default doesn't meet a site's requirements. We've actually built knowledge of the requirements for different sites into our generator, but even for the large majority of sites for which we have no specific knowledge, our new, smart default is designed to satisfy the kinds of requirements that researchers have found to be most common. This isn't perfect, and sometimes you will need to tweak things to get them accepted by a site, but that is the only time it is useful to adjust the finer settings.
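The counting argument in the post above ("more constraints, fewer passwords", and the comparison of the 20- and 24-character recipes) can be checked exactly. The following is an added example written for this page; it is not 1Password's generator code and not jpgoldberg's. It assumes 52 letters, 10 digits and a 32-character symbol set, reads the old "Number of symbols: N" knob as "exactly N symbols", and reads "Start with alphabet" as "the first character is a letter"; all of those readings are assumptions. Under a uniform generator the strength in bits is simply log2 of the number of passwords the recipe can produce, so every rule that shrinks the set costs bits.

```python
"""Count the passwords a uniform generator can emit under a given recipe.

Counts are exact Python ints; strength is log2(count) bits, which is only
meaningful because each allowed password is assumed equally likely.
"""
from math import comb, log2

# Assumed character class sizes (not 1Password's exact sets).
LETTERS = 52   # a-z, A-Z
DIGITS = 10    # 0-9
SYMBOLS = 32   # assumed size of the symbol set


def count_passwords(length, *, use_symbols=False, exact_symbols=None, first_char="any"):
    """Number of distinct passwords a recipe allows.

    length         total characters
    use_symbols    symbols may appear in any position (ignored when exact_symbols is set)
    exact_symbols  require exactly this many symbols (assumed reading of "Number of symbols")
    first_char     "any", "letter" or "digit" for the first position
    """
    alnum = LETTERS + DIGITS
    first_choices = {"any": None, "letter": LETTERS, "digit": DIGITS}[first_char]

    if exact_symbols is None:
        alphabet = alnum + (SYMBOLS if use_symbols else 0)
        if first_choices is None:
            return alphabet ** length
        # First position restricted to one class, the rest free over the alphabet.
        return first_choices * alphabet ** (length - 1)

    k = exact_symbols
    if first_choices is None:
        # Choose which k positions hold symbols, fill them, fill the rest from alnum.
        return comb(length, k) * SYMBOLS ** k * alnum ** (length - k)
    # First position is a letter/digit; the k symbols go in the other length-1 slots.
    return first_choices * comb(length - 1, k) * SYMBOLS ** k * alnum ** (length - 1 - k)


def bits(count):
    """Entropy in bits of a uniform choice among `count` passwords."""
    return log2(count)


def discarded_fraction(constrained, unconstrained):
    """Share of the unconstrained set that a rule throws away."""
    return 1 - constrained / unconstrained


def compare_recipes():
    """The two recipes from the question beside their rule-free baselines, in bits."""
    recipes = {
        "20 chars, exactly 3 symbols, starts with a letter":
            count_passwords(20, exact_symbols=3, first_char="letter"),
        "20 chars, letters+digits+symbols, no rules":
            count_passwords(20, use_symbols=True),
        "24 chars, exactly 4 symbols, starts with a letter":
            count_passwords(24, exact_symbols=4, first_char="letter"),
        "24 chars, letters+digits+symbols, no rules":
            count_passwords(24, use_symbols=True),
    }
    return {name: round(bits(n), 1) for name, n in recipes.items()}


if __name__ == "__main__":
    # The length-3, letters-and-digits case from the post.
    total = count_passwords(3)
    digit_first = count_passwords(3, first_char="digit")
    print(f"length 3, no rules: {total}; must start with digit: {digit_first}; "
          f"discarded: {total - digit_first} ({discarded_fraction(digit_first, total):.4f})")
    for name, b in compare_recipes().items():
        print(f"{b:6.1f} bits  {name}")
```

Running it reproduces the 238328 / 199888 figures, shows that the discarded fraction for a "must start with a digit" rule is 52/62 at every length, and puts the two recipes from the question within a few bits of their unconstrained baselines, which is the "damage is tiny" point.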

  • hylq76
    Community Member
    edited May 2021

    Hello @jpgoldberg, thank you so much for your detailed answers! It was and is so useful :)

  • ag_ana
    1Password Alumni

    On behalf of jpgoldberg, you are welcome @hylq76! Let us know if you have any other questions :)
