Auto-generated password at the same time "Excellent" and "Fantastic"

I created 2 entries of the same account, with different website names. One entry was created at account creation and a generated password from 1Password was used.
The second entry was created when I tried to login to that account, but this time the website address was different, so I copy+pasted the previously created account info to the login, and 1Password saved the same credentials, only different website.

However, if I compare both entries, one entry classifies the password as "Excellent", the other entry with 100% the same password "Fantastic".
The password was generated like AAA1bbb2ccc-ddd@eee, where aaa, bbb, ccc, ddd, eee are random characters and 1, 2, -, @ are random digits and punctuation chars.

The entry that was auto-created at account creation with the generated password:

The other entry that was created when I logged in through a different website name and used the copied password from above:

Same username, same password (verified correct; I was able to login to both sites and performed some purchase and got a purchase receipt with an app key successfully).

Funny, isn't it?


1Password Version: 8.4.17 nightly
Extension Version: Not Provided
OS Version: Windows 10

Comments

  • Tertius3
    Community Member

    I assume you kind of unmasked yourself involuntarily here, because you're good programmers. I just changed the first password to something else, then back to the generated one. The rating changed to "Excellent". So the real rating of the generated password according to your rating algorithm is actually "Excellent" and not "Fantastic".

    My (slightly mean) interpretation is that you declare everything generated by your password generator as "Fantastic" and write this to the generated record. But if you manually paste such a password, your app doesn't know any more that it once generated this, so it applies the generic rating, which tells the truth.

    It's a minor issue, of course, but please do the right thing from a technical point of view and don't manipulate things behind the curtain. If the password generator isn't able to generate a "Fantastic" password due to character set or length restrictions, tell us about this.

    It may also just be some kind of edge case. If I append a simple "a" to that password, its rating is changed to "Fantastic".

  • PeterG_1P
    edited October 2021

    Hi @Tertius3, thanks for taking the time to tell us about this. We have noted some inconsistencies recently in the displayed strength of passwords within the app. We've got an existing issue for our developers to dig into this, and are collecting information from reports like yours here, in order to inform the solution.

    My (slightly mean) interpretation is that you declare everything generated by your password generator as "Fantastic" and write this to the generated record.

    [Edit: I've deleted my original post here due to inaccuracy. My mistake! See jpgoldberg post below for a detailed + accurate account of password-rating]

  • jpgoldberg
    1Password Alumni

    Hi @Tertius3, that is an excellent observation.

    The short answer is that human created passwords are much weaker than ones generated from our password generator, and once 1Password doesn't know the specifics of how a password was generated it has to assume that it is human created.

    The longer answer

    The strength of a password is a function of the system from which it was generated. When we know precisely how a password was generated we know its strength even without looking at the password itself. When we don't know how it was generated, we have to look at the password and guess.

    When you generate a password using 1Password, 1Password can compute the strength of the password precisely from the generator settings alone. In particular, any password that can be generated from a particular set of settings is exactly as likely to be generated as any other. Passwords that we generated are created uniformly.

    Knowing that a password was generated by our generator isn't enough to compute its strength precisely. We need to know what instructions were given to the generator. For example, a password generated from rules that require digits is going to be weaker than one from rules that merely allow digits, all other things being equal. But there is no way to tell whether digits were allowed or required when we see digits in a password, and there is no way to tell if digits were allowed when we see a password without digits. But when we know the settings given to the generator, we can compute the strength.

    Human created passwords are not generated uniformly. There are simply some combinations that people are more likely to pick than others. Indeed, people are really terrible at being random, especially when they are trying to be. And so we have to use a bunch of heuristics to inspect the password and guess what sort of human processes and patterns were used in creating it. As soon as we are looking at a password that is potentially human generated, it is automatically going to be downgraded in strength.

    Where this leads to the unwanted results you observe is that if you copy a 1Password generated password to some other 1Password item, it will be seen as "human created" in that other item. Even if it were known to be or somehow marked as having been generated from our generator, it is our generator that tells us the strength of what it generates. So we can't work backwards from a password alone.
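
The two points above, that "required digits" yields a weaker generator than "allowed digits" and that the strength cannot be worked backwards from the string alone, as an added Python example that is not 1Password's code; the four character-class sizes are assumptions chosen only to make the arithmetic concrete.

```python
"""Password strength as a function of the generator that produced it.
Added example (not 1Password's code); the character-class sizes below are
assumptions chosen only to make the arithmetic concrete."""
import math
from itertools import combinations

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 30}  # assumed, disjoint


def generator_entropy_bits(length, allowed, required=()):
    """Bits of entropy of a generator drawing `length` characters uniformly from
    the union of `allowed` classes, emitting only passwords that contain at least
    one character from every `required` class. Inclusion-exclusion counts the
    admissible passwords exactly, without looking at any particular password."""
    required = tuple(required)
    if not set(required) <= set(allowed):
        raise ValueError("a required class must also be allowed")
    total = sum(CLASSES[c] for c in allowed)
    count = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):  # strings missing these classes
            remaining = total - sum(CLASSES[c] for c in excluded)
            count += (-1) ** k * remaining ** length
    return math.log2(count)


def classes_present(password):
    """Character classes an observer can actually see in the string."""
    present = set()
    for ch in password:
        present.add("lower" if ch.islower() else "upper" if ch.isupper()
                    else "digit" if ch.isdigit() else "symbol")
    return present


def inferred_entropy_bits(password):
    """Best that can be read off the string alone, still assuming uniform
    generation: unseen classes may have been allowed, and 'allowed' cannot be
    told from 'required', so every visible class is treated as required: a floor
    under the generator's figure, before human-pattern heuristics lower it more."""
    present = classes_present(password)
    return generator_entropy_bits(len(password), present, present)


if __name__ == "__main__":
    sample = "AAA1bbb2ccc-ddd@eee"  # constructed, in the shape the post describes
    every = tuple(CLASSES)
    print("digits allowed :", round(generator_entropy_bits(19, every), 2))
    print("digits required:", round(generator_entropy_bits(19, every, ("digit",)), 2))
    print("from string    :", round(inferred_entropy_bits(sample), 2))
```

For the 19-character shape in the original post, the "required" figure is only a fraction of a bit below the "allowed" one, while the string-only estimate sits below both because it has to treat every visible class as required.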

  • Tertius3
    Tertius3
    Community Member
    edited October 2021

    An interesting topic, and thank you for the explanation. I actually understand what you wrote and the math behind it, since I have a bit of math background from my computer science studies. I understand a core problem for the rating algorithm is that it cannot know how uniformly the individual characters were chosen by just looking at the password.

    On the other hand, it's still strange to have two competing ratings, and both are correct from their respective point of views.

  • Thanks for your response, @Tertius3, and my apologies that my original reply to this wasn't accurate. Very glad @jpgoldberg weighed in here - and I learned something as well!

    Thanks for raising this question so that this might be profitably discussed. 👍

This discussion has been closed.