1Password - Intelligent password same pattern and length
Hello :)
I recently started using the password manager 1Password. Here I see in Windows 10 and Firefox in the browser add-on at the password generator (in each case the current version) the option that is also active by default, Intelligent Password. In addition, the additional info that 1Password suggests a password that meets the requirements of the page. Is actually a really great feature, which I have also used so far on all sites (where it was just possible).
However, last night I noticed that these passwords all have the same length of 19 digits and follow the same pattern:
bke5YVR*pjb3nmz7duf
mwb@djr.MVN4cjh9wda
GBX4kbe3mvw.cnf9akh
3 letters, a number/special character, 3 letters, a number/special character, etc.
And since I once read that just randomness is very important in passwords and the entropy must also be high, I seriously wonder to what extent these smart passwords are really secure. After all, in my mind, pattern and random/entropy contradict each other. But I'm also a layman. But can hardly believe that one the company behind 1Password would recommend worse and insecure passwords.
Is that supposed to be the case?
And how secure are these passwords then?
1Password Version: 7.7.810
Extension Version: 2.0.5
OS Version: Windows 10 Pro, 21H1
Comments
-
Hey @element ,
Great question :)When the entropy is strong enough, patterns are not as important. You can have a predetermined pattern in 16-18 characters long passwords and it will be uncrackable if the passwords are randomly generated with strong entropy in mind, it would take hundreds/thousands of years to crack with current day technology.
We update our smart passwords recipe from time to time according to how well they're being accepted on most websites. Up until recently, it was around 20-21 characters long, and we've reduced it to comply with even more websites, when we can't read the specific requirements of the website, we fall back on our default which is now a 19 characters long password.
You are correct that patterns in passwords could weaken them, but that is only of they were not randomly generated, short and do not contain a mix of lowercase+uppercase+digits+symbols. For example, if you generate passwords that are 12 characters long and contain 4 lower case letters, 4 digits and 4 lower case letters, that would be considerably weaker due to it being shorter and with lesser entropy. You can strengthen Entropy by adding other types of characters (mix uppercase/lowercase, add symbols etc).
You can also find password strength calculators online and paste some of these smart passwords in it to see how the passwords perform there, just make sure not to use these passwords for real later on :)
0 -
@ag_yaron, I'm also interested in the reasoning behind the pattern detected by the OP. My question (and I suspect the OP's) is:
Why is there such a pattern in the first place which lessens (to some extent) the strength of the password? From casual viewing, both a random (or non-patterned as I'm told truly random doesn't exist in the computer world) string and a patterned string appear as gobbledygook. Therefore it can't be due to user convenience so why not go fully random to secure the maximum strength instead of using a weaker patterned code? Is it a programming convenience and, if so, how much harder to code, or slower to decrypt, or more resource intensive would fully random string generation be in comparison to the patterned algorithm currently used? Thanks in advance for any light you can shed on this fascinating (to me, at least) topic.
0 -
Cracking randomly generated passwords is all about time, specifically the time it would take to try every possible value. Lucky for us we can calculate how long it would take to crack a password through brute force by counting all the possible passwords and dividing that number by the time it takes to crack 1 password. As I read it, your question is essentially, since there is a pattern in the generated password, does it reduce the security of the password? Let's find out.
The intelligent passwords are generated from four character sets, uppercase letters (26), lowercase letters (26), numbers (10), and a subset of symbols (6) that we have found to be safe for most sites, which is a total of 68 unique characters. For a 1-character password we have 68 possible passwords and for a 2-character password we have 68 * 68 possible passwords. Following that pattern we see that to calculate the number of passwords of length 19, we need to multiply 68 by itself 19 times (68^19), which is approximately 6.57 * 10^34.
Now, to calculate the number of passwords of length 19 that match our pattern we use a similar technique. For the first three values of our pattern we choose from only 52 characters, the total number of uppercase and lowercase letters. For the fourth value we choose from one of 16 characters, the total number of digits and safe symbols. So for a password of length 4 we would multiply 52 * 52 * 52 * 16 to get the number of possible passwords. Following this pattern, our 19 character password would end up with 15 letters and 4 numbers/symbols so to calculate the total number of passwords we would multiply 52 by itself 15 times (52^15), multiply 16 by itself 4 (16^4) times, and then multiply those two numbers. This comes out to be approximately 3.6 * 10^30.
All we have to do now is figure out how many passwords can be cracked in a second and we can estimate the strength of our two passwords. A really good password cracking rig can bruteforce approximately 500 billion passwords each second. Let's assume our attacker has nation-state resources and has 1000 of these cracking rigs to dedicate to our password. Now, we are talking 500 trillion (5 * 10^13) passwords per second or 1.58 * 10^21 passwords per year. To crack our truly random password it would take approximately 41.6 trillion years and to crack our patterned password it would take approximately 2.28 billion years. While it would take significantly less time to crack the patterned password, it is still essentially impossible.
This is a long winded way of saying the generated password, even though it has a pattern, is still very strong but has the added convenience of matching the common password requirements for many sites.
P.S Keep in mind the password cracking speed assumes the site storing your password is using a simple hash called MD5. If the site is using a proper password hashing algorithm like scrypt, bcrypt, or Argon2, with a sane configuration, the number of hashes per second is a billions of times fewer, yes billions with a B.
0 -
Thanks for the explanation @shaywood. With the huge numbers involved, intuition is of little use—you've got to do the math. So the patterned password is about 20,000 times easier to crack than the truly random one, if my math is correct.
I now understand (I hope) that the patterned password is intended to pass muster with sites/apps requiring a minimum length (maximum length limits can still present a problem), at least 1 lowercase letter, at least 1 uppercase letter, at least 1 number, and at least 1 symbol. Seems like the generator could still strike out by chance if it produced all lowercase (or all uppercase) letters or if it produced only numbers and no symbols or vice versa. Not likely but possible.
0 -
Large numbers are often not easily comprehensible for us, but yeah, we're talking about astronomical numbers here so even with a certain pattern it is still not feasible to crack a password like our smart passwords generator suggests.
Seems like the generator could still strike out by chance if it produced all lowercase (or all uppercase) letters or if it produced only numbers and no symbols or vice versa. Not likely but possible.
The pattern in the smart passwords generator dictates there has to be a mix of lowercase and uppercase letters, digits and symbols, so it will not generate one without all of these requirements.
Furthermore, the smart passwords generator will attempt to read the website's requirements, if such exists in the HTML code of the password field, and will adjust the smart password accordingly.
Not only that, but the smart passwords generator also relies on open databases of websites passwords requirements such as Apple's password manager resources and our own database to tell whether a website has unique requirements, what they are and how to adjust the suggested password accordingly.So if you get to a website that does not provide 1Password information from any of the sources above, 1Password will fall back to the default pattern you initially wrote here. But you will probably encounter some websites where it offers a completely different random password without that pattern if that website is affected by the above resources. That is why it is called the smart passwords generator :)
0 -
Thanks to all. That explains it and makes sense. Now I understand it :)
0 -
Glad we could help :)
0