1P8 Password Generator Strength Good versus Fantastic
1Password is using different meters for the Password Generator versus once they're made, which is confusing and annoying as I want all my passwords to be Fantastic as long as the site supports it. Please use the same meter for the generator that you're already using once they're made. I have the same issue on the Windows desktop app and Android. The strength meter is important to help users provide stronger passwords, as discussed in https://1password.community/discussion/19507/understanding-password-strength-meters and in https://www.microsoft.com/en-us/research/publication/does-my-password-go-up-to-eleven-the-impact-of-password-meters-on-password-selection/
You can see here the strength meter is full green. I tested increasing characters to 100, and the strength bar stayed full green, no change.
However after the credential has been saved, 1Password tells me it's only Good, not Fantastic.
I'm confused why you have two different rating system UIs in the first place. Imo the generator should show exactly the same info as it'll show once saved, maybe like this:
1Password Version: 8.8.0 / 8.9.2
Extension Version: Not Provided
OS Version: Win10 / Android 12
Browser:_ Not Provided
Referrer: forum-search:generator
Comments
-
Hello @nukmicah,
We appreciate the time you've taken to write in and report this behaviour.
Creating a new Login item in app and using the Create a New Password option with the same preferences, resulted in a Fantastic password for each of my tests. Were you using this same method from with this app itself? If not, could you please provide detailed steps you used so we can try to recreate and report this to the team?
Thanks!
0 -
Those screenshot are directly from my windows app v8.8.0. I have identical behavior in my android app v8.9.2
0 -
I was originally going to submit the feedback from Android, but found I couldn't take any screenshots so I replicated the behavior on Windows where I could take the screenshots to show what I'm talking about.
0 -
Type=random, length=13, with numbers and symbols, shows full green bar in the generator but shows Good after the credential has been saved.
0 -
Hello again @nukmicah,
Thank you for the update and letting me know that these screenshots were from the app. With additional testing, both creating a new item or changing a password on an existing displays the same results with version
80800203
with a Fantastic password.Your screenshots show this is clearly not the case when you attempt to do so. These screenshots also appear to be from a newly created test item. Can you confirm this is the case and if editing this item and creating a newly generated password helps?
0 -
Hi, I edited my test login with the exact password in your screeshot, and it says only Good security.
0 -
Hello again @nukmicah,
Thanks for your reply. Any kind of manual edit to password will reduce the strength of the password. Even adding characters to a generated password changes it from a generated password and will reduce the strength.
When generating a password in 1Password 8 (without making any edits), you are still getting Good passwords instead of Fantastic when the strength meter is full? If so, can you send an email to support+windows@1Password.com with the JSON from an example item? Please do not post these details in the forums:
- Open the 1Password app, open the Settings/Preferences panel, and switch to the Advanced tab.
- Enable
Show Debugging tools
, then close the Settings/Preferences window. - Navigate to the example item, click the overflow menu (three dots) in the top-right corner of the entry window, and click Copy item JSON.
- Paste the contents of your clipboard into a text document.
- Go through the pasted output, and replace your actual username, password, and any previously-used passwords with
Username, Password, or Old-password
. - Save the text document, review it one more time to ensure no sensitive information is still stored there, and then attach it to your email.
If you could also include a link to this thread and your forum handle, this will help us to "connect the dots" when we see your report in our inbox. Thank you!
0 -
Details are not confidential, since I am testing with brand-new logins. I am not able to reproduce the behavior on my Windows work computer (I get Fantastic strength for the autogen passwords), but am able to reproduce on my Android phone and have copy-pasted the JSON below. Again, it's not anything private or sensitive.
If you do have to delete this info just in case due to whatever policies you may have, should I send this to support+android@1Password.com or still support+windows@1Password.com?
I am on my work computer right now, but I originally tested this on my home computer so I'll try to remember to test on that again this weekend. It's quite possible I manually entered the password after taking that screenshot, as I never would have guessed you to automatically rate generated passwords higher than regular passwords.
{ "overview": { "title": "Phone test", "ainfo": "—", "ps": 57 }, "details": { "fields": [ { "value": "@F_X!uc937_@*", "id": "", "name": "password", "type": "P", "designation": "password" } ] }, "createdAt": "2022-09-09T17:40:06Z", "updatedAt": "2022-09-09T17:40:06Z", "faveIndex": 0, "trashed": "N", "templateUuid": "001", "uuid": "6fons7pedkon4d2g6o3ku7gxau" }
0 -
My home computer is working as expected, too. So it's just my phone that has the issue. And then your explanation of the difference between an auto-generated password, and an auto-generated password that's manually copied into another entry.
0 -
Hey @nukmicah, thanks for sending along that JSON file. I was able to reproduce this issue on my Android device and worked with our team to identify the cause. I've filed an internal issue for our developers to investigate further and get this fixed in a future update! We greatly appreciate you bringing this to our attention 😄
Let me know if there's anything else we can help with!
Ali
ref: dev/core/core#17426
0 -
Hooray!
0 -
@AliH1P and @ag_mike_d ... is there still an issue regarding the password strength indicator when using the 1Password Generator vs a user defined password? Example: I use the generator to create the password, save it in the app and it shows as Excellent or Fantastic. Then I edit the password and replace, say an upper case character with a special character and after saving it the strength is downgraded. I am running 1Password v8.9.10 on Windows 10 Pro fully updated
0 -
@BobArch2 I once asked the same question, and this was the answer that explained the behavior of the password rating that appears strange, but is mathematically correct:
https://1password.community/discussion/comment/617005/#Comment_617005
tl;dr:
You don't even need to change some character. You can just copy and paste a generated password verbatim from one entry to the other. The generated password in the original entry is rated fantastic, the copied password (1:1 the same) is rated excellent, and from a mathematical point of view, both ratings are correct!0 -
@Tertius3 Thanks for the link feedback. Too bad a 1:1 copy of the password does not merit the same rating descriptive. I maintain a spreadsheet of all my passwords, current and past for each of my 200+ web accounts. I use the generator to create an appropriate PSW for the web site and store it in the spreadsheet for future reference. I sometimes use it as a backup if I have an issue with the web site. Later on when in 1Password I have noticed that the rating is downgraded. I was thinking that perhaps 1Password have or had modified the rating algorithm.
Thanks again…
0 -
@BobArch2 Storing your credentials in a spreadsheed "for reference" is horrible from a security point of view. And it's tedious, probably unneccessary work. It seems you don't actually trust a password manager to keep your credentials safe.
The reference I posted tells about the rating of a password directly created inline in the password field of the 1Password app. Not a password that was generated inline, copied somewhere, and pasted back. The moment you paste a password into the password field (or edit the password) the password loses its property of being "generated from true random charactes" to "unknown, if generated from random characters", because pasting a password doesn't copy this informating along, and this is what the rating lowers.
If you paste a password, the rating function doesn't know if the pasted password was once created using true randomness, so it cannot give the best rating. If you create the password inline with the integrated generator and directly save this created password, the rating function knows that the integrated generator was used to create this password, the generator uses true randomness, and this is what it enables the function to give a better rating.
0 -
@Tertius3 A bit of background. I have worked in the tech (computer) environment since 1958. I have had PCs since the introduction of the IBM beast in 1985 and have used various spreadsheets since that time. Currently Excel, from the time it was introduced. I use Excel to capture all information about web sites needing passwords. And in a secured home environment behind firewalls to protect from intrusion. This activity started before I subscribed to 1Password.
It was April 2014 when I subscribed to 1Password … 1Password 3 for Windows v1.0.xxx. With my annual subscription, I have upgraded over the years and I am running current versions on my PC, iPad and Android phone … all well protected.
I can fully understand the two rating algorithms but was having difficulty maintaining a “Fantastic” rating with the various passwords I have with my ISP - Bell Canada. Yesterday, I stumbled on the procedure to use in order to maintain the “Fantastic” rating. All is well in my world. :-)
I have full faith in 1Password … best in class in my opinion. Using Excel to keep information handy is a form of backup.
Respectfully,
Bob
0 -
Hi @BobArch2! Thanks for reaching out about this - I'm glad to hear that all is well, and you've been able to figure out a method to maintain a Fantastic rating for your ISP-related passwords. If you have any further questions or concerns, let us know! 😄
Thanks for the assist here in providing the relevant information @Tertius3!
0