Feature Request: Automate Handling of Password Requirements

rhp
Community Member
edited June 2014 in Lounge

Hello,

Given the recent challenges involving SSL vulnerabilities (heartbleed, CVE-2014-0224, etc)... I find myself increasingly motivated to change all of my passwords on all of my accounts periodically.

With over 100 accounts, each having a unique password, and with many having password characteristics unique to their specific site (length, content, etc), this is becoming very labor intensive.

I have two suggestions that you might bounce around a bit within your developer meetings:

  1. Expand the login records to include: (a) password length, (b) password contents (characters, numbers, symbolics), and (c) a list of the symbolics that are tolerated on that site. Then, at some future time, enhance the password generator to reference that data.

    I am currently maintaining this information by hand in the notes section and then feeding it into pwgen2 (http://pwgen-win.sourceforge.net/). I would prefer to use the 1P generator but so far as I know there is no way to control the password content with regard to symbolics.

  2. Smarten up the browser extensions so that sites which do not allow pasting (grrr, viz. Turbotax and a few others) can be circumvented. Hand typing a 64-character password of letters, numbers and symbols is not viable. I find myself reverting to far weaker passwords that are easier to type. The security risk of weak passwords far outweighs the risk of using the clipboard to paste strong passwords.

You have an excellent product. I have tried others and return to 1P. I hope that you will give the ideas above serious consideration and remain the leader of the pack. Your competitors will get there eventually, you should be first.

Thanks!

Reed (an ancient grey haired linux kernel crypto guy).

Comments

  • RichardPayne
    Community Member

    There's one downside to this idea. If the website stops being stupid and allows better passwords then you'd never know.

    I'd suggest a small addition to your idea, which is that the password generator should not default to the stored settings. You should have to click a button to use them. This is to encourage you to try a full-strength password before resorting to the restricted settings.

  • khad
    1Password Alumni
    edited June 2014

    Hi @rhp,

    Thanks for asking about this. :)

    We have a blog post in the works that will discuss CVE-2014-0224 in greater depth. (I'll update this post with the link when it is live.) But our new Watchtower service has indeed been busy lately alerting folks to a number of sites vulnerable to the Heartbleed bug as well as "run-of-the-mill" breaches such as the recent one with eBay.

    It would be great to have password requirements for each site crowd-sourced, but there are privacy implications to collecting that sort of data. Having each user store it individually seems like a large burden to place on users. (Although, I admit it is not necessarily a greater burden than they are already bearing right now.) This is precisely the sort of thing we have discussed as a team before, and, like you, it became a more important conversation when the Heartbleed vulnerability was discovered. We don't normally discuss future plans, but this is certainly something on our radar.

    One thing that is interesting is that some sites provide bogus restrictions in their UI. For example, when the eBay breach was reported we saw a bunch of folks (rightly) complaining about eBay's limit of 20 characters for a password. However, this is not enforced on eBay's backend. It is only shown to users when creating passwords. My own eBay password works great, and it is a 50-character one generated (with symbols) by 1Password. These sorts of edge cases are not insurmountable. I mention this only to illustrate that it does get a bit more complicated than just noting "the requirements".

    [Image: Misleading eBay Password Requirements]

    As for sites which do not allow pasting, you should be able to change passwords even without pasting.

    1. Hold down the Option key while selecting your existing Login item from 1Password mini.

      Holding down the Option key will force 1Password to not automatically submit the form after it fills.

    2. If applicable, delete anything filled in the "New password" and "Confirm password" fields.

    3. Generate and fill a new password.

    Of course, an "ancient grey haired linux kernel crypto guy" like yourself is probably savvy enough to force the site to allow paste anyway. :)

    I hope that helps. Please keep the feedback coming!

  • rhp
    Community Member
    edited June 2014

    Hi @khad,

    Thanks for the info about overriding onpaste events. I was not aware of the circumvention (I am just learning how to spell "GUI" and outside of "vi" environments I am significantly, um, challenged).

    Also, thanks for giving consideration to carrying password characteristics by site.

    You and your team are very much appreciated.
    Reed
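The "force the site to allow paste" trick khad alludes to, and the onpaste override Reed thanks him for, both come down to the same browser mechanism. The following is an added example for this thread; it is not code from 1Password or from either poster. In a real browser only one line matters, `allowPaste(document)`, typed into the devtools console or wrapped in a bookmarklet. The miniature DOM in the block is an assumption that exists so the file runs in Node: it models the three phases of DOM event dispatch (capture from the root down, the target, bubble back up) and the two cancellation mechanisms (`preventDefault` for the default action, `stopImmediatePropagation` for other listeners) closely enough to show why a capture-phase listener on the document beats a paste-blocking handler on the password field. The sample site and password are constructed.

```javascript
// Added example (not 1Password's code): a paste-blocking password field,
// and a capture-phase listener on the document that defeats it.
//
// Assumption: this tiny DOM stands in for the browser so the file runs in
// Node.  Each DomNode has a parent, a listener list and (for inputs) a value.

class DomNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = [];   // { type, fn, capture }
    this.value = "";       // only meaningful for the input field
  }
  addEventListener(type, fn, options = false) {
    const capture = typeof options === "boolean" ? options : !!options.capture;
    this.listeners.push({ type, fn, capture });
  }
}

function makeEvent(type, target) {
  return {
    type, target, defaultPrevented: false, stopped: false, immediateStop: false,
    preventDefault() { this.defaultPrevented = true; },
    stopPropagation() { this.stopped = true; },
    stopImmediatePropagation() { this.stopped = true; this.immediateStop = true; },
  };
}

// Runs the listeners of `node` for `ev` in one phase.  Returns false when
// propagation must stop so dispatch() skips the remaining nodes.
function runListeners(node, ev, phase) {
  for (const l of node.listeners) {
    if (l.type !== ev.type) continue;
    if (phase !== "target" && l.capture !== (phase === "capture")) continue;
    l.fn.call(node, ev);
    if (ev.immediateStop) return false;
  }
  // Inline handler such as <input onpaste="return false">: returning false
  // cancels the default action, exactly like calling preventDefault().
  const inline = node["on" + ev.type];
  if (phase === "target" && typeof inline === "function" && inline.call(node, ev) === false) {
    ev.preventDefault();
  }
  return !ev.stopped;
}

// Capture phase root -> parent, then target, then bubble parent -> root.
// Returns true when the default action may proceed (as dispatchEvent() does).
function dispatch(target, type) {
  const ev = makeEvent(type, target);
  const path = [];
  for (let n = target.parent; n; n = n.parent) path.unshift(n);  // root ... parent
  for (const n of path) if (!runListeners(n, ev, "capture")) return !ev.defaultPrevented;
  if (!runListeners(target, ev, "target")) return !ev.defaultPrevented;
  for (const n of path.reverse()) if (!runListeners(n, ev, "bubble")) break;
  return !ev.defaultPrevented;
}

// The browser's default action for "paste" is to insert the clipboard text.
// Returns true when the paste went through, false when a handler cancelled it.
function simulatePaste(field, clipboardText) {
  const allowed = dispatch(field, "paste");
  if (allowed) field.value += clipboardText;
  return allowed;
}

// The circumvention.  A capture-phase listener on the document runs before
// any listener on the form or the field and stops the event from reaching
// them; stopping propagation does not cancel the default action, so the
// paste still happens.  Caveat: it cannot beat a site that registered its
// own capture listener on document earlier, or one that blocks Ctrl+V on
// keydown instead of handling the paste event.
function allowPaste(doc) {
  doc.addEventListener("paste", (e) => e.stopImmediatePropagation(), true);
}

// Constructed scenario: a site that blocks pasting into its password field
// in both common ways, followed by the user-side fix.
function demo() {
  const doc = new DomNode("document");
  const form = new DomNode("form", doc);
  const pw = new DomNode("input#password", form);

  pw.addEventListener("paste", (e) => e.preventDefault());  // site-side blocking
  pw.onpaste = () => false;                                 // inline variant

  const secret = "correct horse battery staple";            // constructed sample
  const pasteWorkedBefore = simulatePaste(pw, secret);      // false: site wins
  const valueBefore = pw.value;                             // ""

  allowPaste(doc);
  const pasteWorkedAfter = simulatePaste(pw, secret);       // true: paste goes through
  return { pasteWorkedBefore, valueBefore, pasteWorkedAfter, valueAfter: pw.value };
}

console.log(JSON.stringify(demo()));
```

Note the trade-off the thread is really about: a site that cancels paste does not stop a determined user, it only pushes ordinary users toward passwords short enough to type, which is the weaker outcome.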

  • khad
    1Password Alumni

    Always happy to help, Reed! And if I ever delve into the depths of vi I may have to look you up. I'm pretty useless in text-based editors. ;)

This discussion has been closed.