Password Generator: Web interface logic differs compared to macOS app

TurtleCurse7
TurtleCurse7
Community Member
in 1Password in the Browser

I noticed that login passwords generated using the web interface (my.1password.com) uses a larger character set pool compared to passwords generated using the macOS application.

I found this reddit post where Matthew_1P from the 1Password Social Team indicates passwords are generated from a set of 61 characters (48 letters, 7 numbers, and 6 symbols to avoid ambiguous characters):

https://reddit.com/r/1Password/comments/zzwgfq/password_generator_doesnt_use_hardly_any_numbers/

That article references this GitHub link that specifies which ambiguous characters are excluded, and which symbols are only included:

https://github.com/1Password/spg/blob/master/char_gen.go#L17

  • Excluded ambiguous characters: 0O1Il5S
  • Symbols included: !@.-_*

If I'm doing the math correctly a 61 character set pool is ~5.93 bits of entropy per character. Expanding the character set pool to 92 (52 letters, 10 numbers, 30 symbols on EN keyboards) increases this to ~6.52 bits of entropy per character.

It is understood that the possibility of having symbols is what makes a stronger password. However, if it is known that passwords generated by 1Password only include certain characters/symbols that reduces the search space for brute force attacks. This can be mitigated by longer passwords, but some websites still have restrictions that only allow 12-16 character passwords (which is insane).

The password generator on your website seems to also include ambiguous characters and more symbols, so why not allow your apps to generate them as well?

https://1password.com/password-generator/

Have you considered the following potential changes?

  • Adding a toggle to enable including ambiguous characters, and additional symbols (the full 30 symbols on a EN keyboard would be great) when generating passwords.
  • The web interface only allows generating up to a 64 character password, whereas the macOS app allows generating up to a 100 character password. Can these be aligned?

Setting aside all the math theory regarding password strength based on entropy, please consider making the web interface and app interfaces align.

1Password Version: 8.9.13 (80913040)
Extension Version: Not Provided
OS Version: macOS 10.15.7
Browser:_ Firefox 108.0.1

Comments

  • andrew.l_1P
    andrew.l_1P

    Hi @TurtleCurse7,

    Apologies for the delay here. Thanks so much for sharing your feedback in such detail! I can certainly recognize the benefits you've outlined and agree that we should aim for consistency across our web and app features. I've recorded your post here for our Product team to review. I can't make any promises either way, but I do appreciate you taking the time to share these insights!

    Let me know if you have any questions and thanks for helping us make 1Password great. 😊

    ref: PB-30765324

This discussion has been closed.