Password Generator: Web interface logic differs compared to macOS app
I noticed that login passwords generated using the web interface (my.1password.com) use a larger character set pool compared to passwords generated using the macOS application.
I found this Reddit post where Matthew_1P from the 1Password Social Team indicates passwords are generated from a set of 61 characters (48 letters, 7 numbers, and 6 symbols to avoid ambiguous characters):
https://reddit.com/r/1Password/comments/zzwgfq/password_generator_doesnt_use_hardly_any_numbers/
That article references this GitHub link that specifies which ambiguous characters are excluded, and which symbols are only included:
https://github.com/1Password/spg/blob/master/char_gen.go#L17
- Excluded ambiguous characters: 0O1Il5S
- Symbols included: !@.-_*
If I'm doing the math correctly, a 61 character set pool is ~5.93 bits of entropy per character. Expanding the character set pool to 92 (52 letters, 10 numbers, 30 symbols on EN keyboards) increases this to ~6.52 bits of entropy per character.
It is understood that the possibility of having symbols contributes to a stronger password. However, if it is known that passwords generated by 1Password only include certain characters/symbols, that reduces the search space for brute force attacks. This can be mitigated by longer passwords, but some websites still have restrictions that only allow 12-16 character passwords (which is insane).
The password generator on your website includes ambiguous characters and more symbols, so why not allow your apps to generate them as well?
https://1password.com/password-generator/
Have you considered the following potential changes?
- Adding a toggle to enable including ambiguous characters, and additional symbols (the full 30 symbols on an EN keyboard would be great) when generating passwords.
- The web interface only allows generating up to a 64 character password, whereas the macOS app allows generating up to a 100 character password. Can these be aligned?
Setting aside all the math theory regarding password strength based on entropy, please consider making the web interface and app interfaces align.
1Password Version: Mac 8.9.13 (80913040)
Extension Version: Not Provided
OS Version: macOS 10.15.7
Browser: Firefox 109.0
Comments
-
Hello @TurtleCurse7! 👋
A few years ago we changed the set of symbols that the password generator in the 1Password app uses so that generated passwords were compatible with the majority of websites. A lot of websites don't support the expanded set of symbols and users were running into an issue where the passwords generated by 1Password were being rejected because of an included symbol. The symbols that are now included in the generated passwords are supported by most websites which lessens the risk of a generated password being rejected by a website.
The website password generator uses a version of our code that does not yet include the new reduced set of symbols, which explains why you're still seeing the symbols there.
The smaller set of symbols doesn't reduce the entropy of the generated passwords by that much as long as you're generating a long password. And if you'd like to add additional symbols then you can do so manually after you've generated the password using the app.
> please consider making the web interface and app interfaces align.
Now that 1Password 8 has aligned the 1Password app on all platforms I have my fingers crossed that we can align 1Password.com with 1Password 8 next. Stay tuned! 🙂
-Dave
0
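Added example (not part of the thread and not 1Password's spg code): this Go program builds the 61-character pool from the excluded characters and symbols quoted in the original post, draws from it with `crypto/rand`, and computes how password length trades against pool size. The function names are hypothetical, and the 92-character pool size is the original post's figure.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Values quoted in the thread: excluded ambiguous characters and the only symbols used.
const ambiguous, symbols = "0O1Il5S", "!@.-_*"

// ReducedAlphabet: ASCII letters and digits minus the ambiguous ones, plus the six symbols.
func ReducedAlphabet() string {
	var b strings.Builder
	for c := byte('0'); c <= 'z'; c++ {
		alnum := c <= '9' || (c >= 'A' && c <= 'Z') || c >= 'a'
		if alnum && !strings.ContainsRune(ambiguous, rune(c)) {
			b.WriteByte(c)
		}
	}
	return b.String() + symbols
}

// Generate draws n characters uniformly using the OS CSPRNG; rand.Int is
// unbiased, unlike reducing a random byte modulo the pool size.
func Generate(alphabet string, n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is length * log2(pool) for uniformly drawn characters.
func EntropyBits(pool, length int) float64 { return float64(length) * math.Log2(float64(pool)) }

// MinLength is the shortest length that reaches bits of entropy with the given pool.
func MinLength(pool int, bits float64) int { return int(math.Ceil(bits / math.Log2(float64(pool)))) }

func main() {
	pw, _ := Generate(ReducedAlphabet(), 16)
	fmt.Printf("%s: %.1f bits (92-char pool: %.1f)\n", pw, EntropyBits(61, 16), EntropyBits(92, 16))
}
```

At a 16-character site limit this gives about 94.9 bits for the 61-character pool against 104.4 bits for a 92-character pool; reaching 128 bits takes 22 characters with the smaller pool and 20 with the larger.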