1P4 allows characters to repeat when the box is unchecked
Hi.
Noticed more than once, when creating a new password there are characters that repeat themselves although the "Allow characters to repeat" box in the "recipe" is empty (unchecked).
s861.photobucket.com/user/Arkanbel/library/
Also, was wondering, many times have seen characters repeating, not both capital or letter case but one capital and one letter case. Isn't that a better/safer password if the character wouldn't repeat at all?
Thanks and Happy New Year.
AN
Comments
Hi Ayara,
Thanks for bringing this issue to our attention! This is something that is certainly on our list of things to improve.
In the meantime though, repeating characters do not necessarily make for a weak password. I'm not quite qualified to discuss the specifics here, so I'll ask our security expert, @jpgoldberg to weigh in with his thoughts. :)
0 -
Hello Ayara!
I'm sorry for the confusion but the restriction on repeating characters is about consecutive characters. There can be two "m"s in the password, but they cannot be next to each other if "allow characters to repeat" is unchecked. Some websites try to prevent people from setting up passwords that look like "aaaaa123", and so reject consecutive repeating characters in passwords. This is why 1Password makes it possible for you to disallow such things.
"Isn't that a better/safer password if the character wouldn't repeat at all?"
You also ask a great question about how these affect the strength of the passwords. It turns out that the fewer restrictions you have on the generated password, the stronger it is. So checking "allow characters to repeat" will get you (slightly) stronger passwords. So unless a website registration rejects a new password for that reason, you are (slightly) better off just checking "allow" there.
Note that once you are generating passwords that are 22 characters long as in your example, the generated passwords are already ridiculously strong no matter which boxes are checked.
I hope that this helps clarify things. Please let me know if you have more questions about this or anything else.
0 -
Thank you both, Megan and JP for your answers.
A.N.
0 -
I should add that this is a relatively recent change. Earlier versions of the 1Password Strong Password Generator did treat "Disallow repeating characters" as banning two instances of the same character anywhere within a password. However, no website or service ever put that kind of restriction on a password, and such a restriction can reduce the strength of a generated password unnecessarily, so we changed it to just preventing consecutive repeats.
But now we are left with people who are quite rightly baffled by what 1Password is doing. Its behavior changed without notice.
I'm not putting things up to a vote, but I would be curious how and why people use the "disallow repeats" restriction on generated passwords. That is, could we do away with the feature altogether, or should we just try to make it clearer what it does (and doesn't) do?
0 -
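Added example (not part of the thread, and not 1Password's code): the cost in bits of the two meanings of "disallow repeats" described above, with a brute-force check of the counting formulas and a generator that enforces the consecutive-only rule. The 62-symbol letters-and-digits alphabet and all function names are assumptions; the length of 22 is the one mentioned in the thread.

```python
import math
import secrets
import string
from itertools import product

# Assumption: a 62-symbol letters+digits set; the thread does not state
# the generator's real character set. LENGTH is the 22 from the thread.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 22

def bits_unrestricted(n, length):
    return length * math.log2(n)                      # n**length passwords

def bits_no_consecutive(n, length):
    # n choices for the first character, n-1 for each later one
    return math.log2(n) + (length - 1) * math.log2(n - 1)

def bits_no_repeat_anywhere(n, length):
    # n * (n-1) * ... * (n-length+1) passwords (the older behaviour)
    return sum(math.log2(n - i) for i in range(length))

def count_by_enumeration(alphabet, length):
    """Brute-force the three counts on a tiny alphabet to check the formulas."""
    total = no_consec = no_repeat = 0
    for p in product(alphabet, repeat=length):
        total += 1
        no_consec += all(a != b for a, b in zip(p, p[1:]))
        no_repeat += len(set(p)) == length
    return total, no_consec, no_repeat

def generate(length=LENGTH, alphabet=ALPHABET, allow_consecutive=True):
    """Draw from a CSPRNG; redraw a character that equals its predecessor
    when consecutive repeats are disallowed (uniform over allowed strings)."""
    out = []
    while len(out) < length:
        c = secrets.choice(alphabet)
        if allow_consecutive or not out or c != out[-1]:
            out.append(c)
    return "".join(out)

if __name__ == "__main__":
    n = len(ALPHABET)
    for name, fn in [("unrestricted", bits_unrestricted),
                     ("no consecutive repeats", bits_no_consecutive),
                     ("no repeats anywhere", bits_no_repeat_anywhere)]:
        print(f"{name:24s} {fn(n, LENGTH):7.2f} bits")
    print(generate(allow_consecutive=False))
```

Under these assumptions the consecutive-only rule costs about half a bit and the older "no repeats anywhere" rule about six bits, out of roughly 131.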
I have "allow characters to repeat" checked, under the impression that it worked as in V3 and the function was not limited to consecutive repeats. Knowing that, I may uncheck it (to prevent consecutive repeats) so if I'm ever required by a site to have a short password, I'm not at risk of having the generator create one with consecutive repeating characters such as your 1111 or aaaa, which while probably remote, is still a possibility if the generator is truly random.
One option is to leave the feature but change its description in the generator to "Allow characters to repeat consecutively" if you can fit all that into the mini version of the generator.
0 -
Thanks for letting me know why you used the feature, @oshloel.
There is nothing preventing a random generator from producing something that doesn't look random. As they say, if you were able to set a length long enough, and run the generator enough times, you would eventually get the complete works of Shakespeare. But the nature of randomness means that we don't really have to put in an option of "Disallow quotes from Shakespeare". The same, I think, applies to repeating characters.
By setting no repetitions you are (slightly, in the new case) reducing the strength of every password generated. You are doing so to prevent the extremely unlikely case of the password generator randomly creating something that could be guessed quickly. You may very well not have made the choice had you known that any restriction reduces the strength.
Also, two people isn't a very large sample; so far both you and Ayara have wanted to "disallow repeating characters" because they were under the false impression that this made for stronger passwords. I find this a fairly compelling reason to remove the "disallow" option altogether.
Again, this isn't a big issue. The Strong Password Generator is so strong that this kind of "weakening" doesn't make it weak. It remains strong.
0 -
Well, I use to check "Avoid ambiguous characters" and don't check "Allow characters to repeat", all for a "stronger" harder to hack password, but if you say that a 22-character password is strong enough without any other check or uncheck, for me those additional steps are unnecessary.
So, if you decide to omit those from the recipe, I won't miss them.
0 -
Thanks, Ayara.
The "allow" (likewise "don't avoid") variants provide slightly stronger passwords. The purpose of "Avoid ambiguous characters" is for passwords that you think you might need to read at some point (perhaps to manually type them elsewhere). Pairs like "1" and "l" or "O" and "0" or "5" and "S" are hard for humans to distinguish. Now that 1Password 4 displays non-letters in a different color, this isn't so much of a problem.
And I can assure you again that any 22-character password generated by our Strong Password Generator, no matter what the other settings are, will be mind-bogglingly strong.
0