Websites max password length database
Recently, I wrote a script for the 1Password CLI to display the lengths of all my passwords and export them in sorted order (btw all my passwords are "Fantastic", but I couldn't see/or filter by password length)
Then, I began to change the shorter ones. I encountered a problem: not all websites inform you of the maximum password length or whether they accept special characters. For some, you could inspect the "maxLength" of the field. With this in mind, I ran into some issues when generating a password in the app (not in the browser extension). When copying and pasting into the browser field, some characters were cropped. Since the password field is masked, I didn't notice. So, the next time I tried to log in, I received a "wrong password" message.
This led me to an idea. After seeing "https://passkeys.directory/", I thought that 1Password could have a database to inform users of the maxLength of the password and whether it accepts only numbers, special characters, etc. This could be something like the 2FA and passkey, possibly with the help of the community.
What do you think? I know passkeys are just around the corner, but in my humble opinion, not all websites will support it.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hello @fernandog! 👋
Thanks for the suggestion! 1Password already uses the Password Manager Resources project, compiled in part with Apple, to have our filling brain know password rules for popular websites.
We also respect the
passwordrules
HTML attribute that developers can set for their websites.The best way to change your password is to use 1Password in the browser's Smart Password generator. It uses both the Password Manager Resources project database and the 'passwordrules' HTML attribute to suggest passwords that are compatible for each website. You can learn more here:
- A smart(er) password generator | 1Password
- Use the password generator to change and strengthen your passwords
I hope that helps!
-Dave
0 -
@Dave_1P , thanks for the reply
The problem with the browser’s “Smart Password Generator” is that it updates the 1Password item before you actually update the password on the website. So, if something goes wrong (some websites accept special characters, but not all characters), you must recover the old password from “history” to revert the update. In my humble opinion, the update needs to be done after confirming that the password was accepted by the website. That’s why I don’t use it much.
0 -
Here is an example that happened today. 1password app was updated, but website told me the max length was 18. There was no "maxLength" in the HTML and no javascript or any other type alert to the user that I typed a too long password.
0 -
You're right. The current workflow of generating and saving a new password could lead to confusion like the situation you mentioned. While I can’t make any promises, I’ve filed a feature request on your behalf to add the option to save the updated password after it is registered on the website. Appreciate your feedback.
Can you also share the website with me to test? I can report the website for our developers so that they can improve 1Password’s behavior there.
-Kevin
ref: PB - 382066891 -
https://cliente.extra.com.br/meu-perfil/editar-senha
there is max-lenght in the HTML. Its handle by JavaScript
is there a way to detect the html POST before updating the password?
0