Custom Lists of "Special" Characters

Options
jtk
jtk
Community Member
in Mac

Since it seems that nearly every site has its own list of acceptable "special" characters, it would be nice to be able to set that list on the fly in the strong password generator.

Comments

  • DavidB
    DavidB
    Community Member
    Options

    Yes, seconded.

    In the meantime, what do others do as a workaround?

  • Megan
    Megan
    1Password Alumni
    Options

    Hi @jtk and @DavidB,

    Thanks for the feedback - we are looking into ways to make our password generator more customizable and user-friendly for sites that have very specific password requirements. I'll be sure to pass your suggestion along to our developers!

    In the meantime, the password generator has a 'Avoid Ambiguous Characters' checkbox. You can still create awesomely strong passwords using just a combination of letters and numbers.

  • MaxxD
    MaxxD
    Community Member
    Options

    @jtk @DavidB @Megan

    I ran into this as well a few years ago and was reminded that you can edit the generated password. So, for example, if you set it to 16 characters and generate using only letters/digits, then you can spam in three or four "safe" special characters yourself, then click "Fill" and have your 20 character mixed password.

    I can see the desire by AgileBits to want to avoid "747 syndrome" in the UI, so this is a pretty good workaround. Especially since so many poorly designed websites restrict so many different sets of characters. From the AgileBits perspective, one thing I would look at doing is thinking about a way to make it more obvious that you can tweak the final result (for example, adding an "edit" button next to "fill" would indicate to the user the capability in a subtle manner. Even though the password can already be edited, the fact that the generator is changing and filling the textbox makes it appear to the user that it's being "controlled" by the program instead.)

    An alternative would be to read the special characters allowed (or disallowed, depending on the site), then either have to tell 1Password what they are, and if they are to be avoided or the only ones to be used. Then click generate and repeat the above for each site. I can see where that doesn't flow very well.

    Another idea would be simply a checkbox like "Avoid Troublesome Special Characters" that removes the most problematic ones associated with injection attacks (single tick, semicolon, possibly angle brackets) If AgileBits did a survey of accepted/forbidden characters, they might find a very common set in 90% of cases that would be handled by such a checkbox, and in those rare cases do manual editing of the password before you fill it.

    A riff on that would be a user editable textbox of characters that can be allowed or disallowed. For example, you could pick either:
    In the first case, you have a default set of special characters that will be the only ones used, whereas the second case uses all available except those few that are commonly disallowed. Again, leaving the manual editing that's already there for the edge cases. This would still keep the UI fairly simple (and could be hidden entirely when special characters is set to '0'), while working the vast majority of the time.

  • MartyS
    MartyS
    Community Member
    Options

    Depending on how one looks at it, the sad truth is that any given site can change their password "rules" at any time. So this time around they might allow only 8 uppercase A-Z characters and the next time you visit they're now sporting the idea of anything up to 50 characters made up of anything is cool. If AgileBits were to provide site-by-site password recipes how would it (or you) know the site has now changed the rules?

    To my knowledge there is no standard (informal or via any group's consensus) for HTML itself to provide any clue to what a web page is going to consider "valid" for any given field, let alone a password field. The HTML standard does allow for the site developer to tell the browser the maximum size for the field contents but that's as far as it goes. Without any such standards there's no way the 1Password browser extension could possibly make any suggestions or restrictions when being asked to generate passwords for you.

    And how many of us have landed on a new site, started filling it to the password rules written in text on the screen (when you can find them) and then found only by submitting the form that the web server don't actually honor the written text and requires something else? Yeah, I thought so. It happens A LOT and it's a frustrating process. If our human (we are human, right?) brains can't reliably figure out the rules then software really won't help.

    A reasonably simple interface with the ability to edit the generated suggestion is better. I think AgileBits has achieved that already.

  • jtk
    jtk
    Community Member
    edited April 2014
    Options

    While I agree with most of the comments regarding the arbitrary password policies for many websites, I still think that it would be useful to be able to create a custom set of "special" characters. While there are no firm rules for what will or will not work on a given website, I feel that a small subset of commonly allowed characters can be identified by users who care enough to do so through trial and error. Adding even a couple of characters out of a set of, say, six "safe" characters can greatly increase the security of a random password.

    AgileBits doesn't really need to set up a mechanism for saving site-specific recipes to make this work. Simply giving us the option to change the default set (and reset it to default, as desired) would make a huge difference in the usability of the feature.

This discussion has been closed.