Request: Control over special characters

This discussion was created from comments split from: Feature Request: Diceware Password Generator.

Comments

  • doctormo
    Community Member

    I also would like some control over special characters (short list?) as most websites that require them limit which ones can be used. I also keep hitting the generator until one comes up that will work. Seems that they do not like the odd special characters.

  • Jasper

    Hi @doctormo,

    Thanks for the feedback! I'll pass it along to the developers. :)

    Also, I've split your post into a new discussion, since it is not related to a diceware password generator.

  • doctormo
    Community Member

    No problem, it was mentioned a few posts above mine so I thought to second the opinion.

  • sjk
    1Password Alumni

    We appreciate your opinion, @doctormo, no matter where it's posted. :)

  • jpgoldberg
    1Password Alumni

    Slightly related to this, we've actually removed "<" from the list of possible symbols. Not because some systems will say "you can't use '<'" but for a reason far more worrying. There is a relatively popular "shopping cart" system for websites that will actually truncate a password at "<". That is, if you give it the password, ej<uVv7GeGiZCfb)lk it will treat it as ej. It will do so silently.

    What would be really nice, however, to address the problem @doctormo reported (and we've all experienced one time or another), would be if we somehow knew exactly what the requirements were for each website and could automatically tune the Strong Password Generator to the requirements of the particular site. We've got some data, but not enough to make this work well enough to make the added complexity of the system pay off.

    That issue of added complexity is part of what goes into whether or not we allow people to pick the symbol set. We've been trying to simplify the password recipe settings for a while now. If you have any ideas about how you would like the symbol set selection to look, that might help get things started. The best I can imagine is a string of symbols that we allow and people can click on which ones to exclude. So you would be presented with something like

    !@#$%^&*()_-+=|[]{}'";.,>?/~`
    

    and then could click on the ones you don't want to be used.

  • doctormo
    Community Member
    edited May 2014

    I searched the web and found the following from Penn State of symbols not to use:

    Space
    Double Quote: "
    Single Quote: '
    Backtick: `
    Ampersand: &
    Left Paren: (
    Right Paren: )
    Bar: |
    Less Than: <
    Greater Than: >

    I have no idea what their logic is but it is a list.

    I was thinking of just having a choice for "safe" special characters which would reduce the list to the basics that seem to work with most restrictive systems (=, +, $, ~, ?, !, ...). I would not spend a lot of time trying to map site requirements but a simple selection box would cover it.

    I am surprised how many times I have to click the password generator to get one to work with some of these sites. I just click until I get one with = or $ that always works. It is a pain pasting them in and getting rejected trying to figure their scheme out.

  • sjk
    1Password Alumni

    Hi @doctormo,

    I was thinking of just having a choice for "safe" special characters which would reduce the list to the basics that seem to work with most restrictive systems (=, +, $, ~, ?, !, ...). I would not spend a lot of time trying to map site requirements but a simple selection box would cover it.

    Maybe that can be combined with @jpgoldberg's idea:

    So you would be presented with something like

    !@#$%^&*()_-+=|[]{}'";.,>?/~`
    

    and then could click on the ones you don't want to be used.

    Would you prefer a simpler, and customizable/resettable, default list than the current builtin?

  • doctormo
    Community Member

    Hello sjk,

    A fully customizable list is nice but not very simple and elegant for most users which I think 1Password tries to be for the most part.

    I was just thinking of a check box in the password generator recipe that says "Use Short Symbol List" or "Use Safe Symbol List" so you could check it if you have some sites that require special characters and have their own restricted list. It is similar to the other constraints like password length when you have sites that limit the password length to 10 characters that you find out after you insert your newly generated 13 character password and get bounced. I think 6-8 universal symbols would be fine for this short list.

    I only have run into a few sites like this but it came up with the Heartbleed issue where I had a number of passwords to change at one time and ran into a couple that now require one special character and kept rejecting my symbol input. Of course, the sites never tell you what their special character list is so it is just trial and error until an = or $ comes up that you know should work.

    Seems pretty easy to program and implement to me without going all the way to a fully customizable selection like @jpgoldberg's idea. The choice would be the full list or a short list. Simple is good when it can be done.

  • sjk
    1Password Alumni

    Thanks for your additional thoughts about this, @doctormo.

    Maybe there could be both easily selectable builtin/preset password recipes and symbol lists, plus advanced/customizable ones for folks who want fancier variations. With the option of making new presets from the latter.

    I've also encountered more trial-and-error to get acceptable passwords for certain sites during post-Heartbleed changes, as many of us surely have. At least a few presets to choose from would make it more convenient. :)

  • doctormo
    Community Member

    There is a balancing act in that there are some that want the most flexible and complicated password systems possible to thwart the NSA while most of us just want to follow basic security rules of random passwords of sufficient length for every site that 1Password allows us to manage effectively.

    I really do not need symbols in my password world but there are some sites that require it and make it difficult with their limitations. For me, a simple solution is best as I noted above. For others, a more complicated solution might be better with custom recipes, etc. Maybe you do both, just make sure I have a simple option for special characters.

  • Megan
    1Password Alumni
    edited May 2014

    Hi @doctormo,

    You're exactly right. Security software is very much a balancing act between security and convenience. Your feedback here will help us to strike the right balance. :)

  • DavidB
    Community Member
    edited May 2014

    I just had to update passwords for several sites that each had its own short list of special characters. Often the list was not particularly short, just different from the 1Password one, and presented in a different order. With the current setup, it requires editing the generated password by looking at each special character and comparing it to the short list, then making substitutions--very tedious, especially with a long password, and not entirely random.

    My suggestion would be to have a special-character short-list field where you could paste in the particular list for a given site, then choose to have that list used in the recipe.
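
The recipe options discussed in this thread (excluding symbols from the full list, a short "safe" list, or a pasted per-site list), sketched as an added example that is not part of any post and is not 1Password's code. The function names and the use of the six symbols doctormo names as the entire safe list are assumptions; the generator redraws the whole password rather than substituting characters, so a required symbol does not skew the result the way hand editing does.

```python
import math
import secrets
import string

# Symbol string quoted in the thread (it already omits "<").
FULL_SYMBOLS = "!@#$%^&*()_-+=|[]{}'\";.,>?/~`"
# Six symbols named in the thread as usually accepted; treating them as the
# whole "safe" list is an assumption made for this example.
SAFE_SYMBOLS = "=+$~?!"
ALNUM = string.ascii_letters + string.digits


def allowed_symbols(site_list=None, exclude=""):
    """Return the symbol set for a recipe: a pasted per-site list, or the
    full list, minus any excluded characters (order kept, duplicates dropped)."""
    base = FULL_SYMBOLS if site_list is None else site_list
    seen = []
    for ch in base:
        if ch in exclude or ch.isalnum() or ch.isspace() or ch in seen:
            continue
        seen.append(ch)
    return "".join(seen)


def generate(length, symbols, min_symbols=1):
    """Draw every character uniformly from the alphabet with a CSPRNG and
    redraw the whole password until it has enough symbols. Rejection keeps
    the result uniform over acceptable passwords, unlike hand substitution."""
    if not symbols or not 0 <= min_symbols <= length:
        raise ValueError("need a non-empty symbol set and min_symbols <= length")
    alphabet = ALNUM + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if sum(ch in symbols for ch in candidate) >= min_symbols:
            return candidate


def bits_per_char(symbols):
    """Upper bound on entropy per character for the chosen alphabet."""
    return math.log2(len(ALNUM) + len(symbols))


if __name__ == "__main__":
    for name, syms in (("full", FULL_SYMBOLS), ("safe", SAFE_SYMBOLS)):
        print(name, generate(18, syms), f"{18 * bits_per_char(syms):.1f} bits")
```

Going from the 29-symbol list to the six-symbol list costs well under half a bit per character, which one or two extra characters of length more than recover.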

  • Megan
    1Password Alumni

    Hi @DavidB,

    Thanks so much for adding your thoughts here, I've passed them along to our developers. :)


  • hawkmoth
    Community Member
    edited May 2014

    @DavidB said,

    My suggestion would be to have a special-character short-list field where you could paste in the particular list for a given site, then choose to have that list used in the recipe.

    That might work. But I also don't object to having a list like the one suggested by @jpgoldberg where a user would click to eliminate unwanted characters or, alternatively, click to pick the ones to use. My experience with changing passwords tells me that when special characters are encouraged by a site, but limited to only some of them, there is little way to predict which ones will be acceptable and which will not. Moreover, I am still often surprised to discover that special symbols aren't accepted at all, even though the site never mentions that in their rules for creating a password.

    In short, I doubt there is one list of "safe" symbols that we could rely on to work everywhere.

This discussion has been closed.