Two feature requests: Custom password recipes and password expiration notification.

roboknight
Community Member

Hey to AgileBits. Before someone says, "There is already an ability to set custom password recipes!", hold on. What I'm actually talking about here is the ability to choose not JUST whether or not something has symbols or numbers, but about being able to possibly choose what is NOT chosen from, say, the symbols group. If asked a month or even a week ago whether or not the password recipe setup was good, I would have said, "Yeah, it's GREAT!". However, I've now run into YetAnotherPoorPasswordImplementation that I'm required to use (before someone suggests, "hey you shouldn't use that"), and unfortunately, it appears that while they have strong password requirements (symbols are required), they limit the symbol set. Normally, in a situation like this, I would just eliminate symbols altogether, or not use the login, but as I'm going to have to change this password every so often, I'd like to be able to generate passwords with a chosen symbol set (or an allowed symbol set). Now, I know that I can already replace symbols I can't use with ones I can, but it would actually be nice if I could flag that account (or any given account) with a particular recipe so that when the password needs to be changed, I can just hit the "dial" and get a new valid password. Currently, it appears I'd have to make a note of things not to use, check for those, then change them to an allowed symbol.

At any rate, I do run into websites and other places where passwords are required and they all have different requirements and usually 1Password is there to save me from the insanity. But in cases where things are "mostly done right" but not completely, 1Password then goes from hero to zero. If I had my way, I'd always produce a password with the entire keyboard, but for many varying reasons, not everyone seems to agree. At any rate, that would certainly be extremely useful.

The second thing is that same password expires every so often. It isn't one I actually "log into" regularly, if at all (it's related to other things), and so password expiration can come and go and before I know it, I'm locked out of my account because my password's expired. If I could mark in 1Password when I changed it last and have 1Password notify me that I should "check it soon, before it expires" I'd be able to prevent calls to the help desk every time it expires. Both of these seem like simple features, but maybe they aren't. Anyway, thought they were worth considering. I hope to see them both soon, but I don't know how much traction either will get.

Finally, what happened to the list of "formerly" generated passwords? I needed that today, and had to reset a password twice because I didn't have access to that list! That was embarrassing. Anyway, looking forward to seeing if my feature requests end up being implemented.

Comments

  • Megan
    1Password Alumni

    Hi @roboknight,

    Both these features you mention are quite popular requests.

    What I'm actually talking about here is the ability to choose not JUST whether or not something has symbols or numbers, but about being able to possibly choose what is NOT chosen from, say, the symbols group.

    You're right, there are many sites out there that have some pretty strict requirements on what can and cannot be in your password. While, as a security company, we would prefer that these sites would understand that password restrictions actually limit the potential randomness of a password and do away with such things, for now they are something that must be dealt with, and it really would be great if 1Password could help users out a bit more here.

    Now, I know that I can already replace symbols I can't use with ones I can, but it would actually be nice if I could flag that account (or any given account) with a particular recipe so that when the password needs to be changed, I can just hit the "dial" and get a new valid password.

    I'm glad to hear that you're aware that passwords can be edited after creation - this is a handy feature that has saved me on numerous occasions when dealing with these more 'particular' sites.

    I'll add your thoughts to the feature request in our internal tracker.

    ref: OPM-1378, OPM-1530

    If I could mark in 1Password when I changed it last and have 1Password notify me that I should "check it soon, before it expires" I'd be able to prevent calls to the help desk every time it expires.

    You're right! This would be really handy. We've also got this one on our list and I'll let our developers know you're excited to see this.

    ref: OPM-1645

    Finally, what happened to the list of "formerly" generated passwords?

    Whenever you use the 'Fill' button in 1Password's password generator to fill in a freshly generated password, that password is saved into 1Password's 'Passwords' category (until it is saved into a Login.) If 1Password doesn't helpfully pop up and ask you to update your existing Login, you can simply look in the Passwords category to locate your most recently created password.

    Thanks again for your suggestions here! If you have any further questions or concerns, we're here to help. :)

  • huffalumpy
    Community Member

    Adding to this thought (apologies if I missed it) would be the ability to share the recipes and restrictions. Some sites tell you "more than 4 characters". So, I set 1P to 50, and that doesn't work, and 30 doesn't work, and eventually, we find out that it's "between 4 and 18", and there are other unpublished restrictions that aren't in the list. If I could then put those into place in 1P, and share that recipe, then others can use it, tweak it, re-share it, if they choose, and eventually we get it narrowed down to a recipe that is as strong as we can make it.

    Government websites, in particular, are really, really goofy in this way - first character has to be a letter, last one can't be a number, blah, blah, blah. The next time I have to reset my password for that site, I'm going through the same process all over again. I almost have to put a note in my login credentials in 1P for each site on how to set 1P to create a new password.

  • AGAlumB
    1Password Alumni

    Some sites tell you "more than 4 characters". So, I set 1P to 50, and that doesn't work, and 30 doesn't work, and eventually, we find out that it's "between 4 and 18", and there are other unpublished restrictions that aren't in the list.

    @huffalumpy: Indeed! Welcome to my world. :lol:

    I think you must have posted this just before creating the other discussion. I like the way you think! I wonder though if websites are a bit cagey about this so they aren't giving attackers a way to pare down the range for brute force attacks.

    Personally, I could see 'crowdsourcing' these recipes, as a way to benefit from the pain others have already gone through, but this probably isn't the best idea security- or privacy-wise, I'm afraid. Definitely food for thought, though. Cheers! :)

  • huffalumpy
    Community Member

    I posted a number of thoughts on these related topics, yesterday. I started with threads that already existed, and then when I couldn't find something, made another thread, and tried to keep each idea to its own thread.

    The website operators haven't been cagey about telling me what I had to do when I called them, but clearly the developers weren't specific enough.

    Crowdsourcing is a last resort. The password RegEx, or whatever you want to call it, would be a way for the website operator to help encourage the use of both password managers and stronger passwords. I disagree that crowdsourcing would affect either privacy or security for 1P users, because all we're sharing is a "this is what we need to do to build the strongest password we can for this site". Could a hacker get that information and try to use it to exploit weak sites? Sure, if they're a script kiddie that didn't already know that from all the script kiddie forums. Open Source Password Formulas is in the same camp as Open Source Software - either you believe that more eyes and more attention will help the object become tighter, or you believe that only letting more skilled or persistent bad guys attack you is the better option.

    I just want to not scream every time I try to create a strong password for a site that insists that I change it every 60 or 90 days, and find out about this restriction on my strong password, and that one, and this other one. I want to be able to have 1P create the strongest password I can have without all the manual intervention on my part.

  • AGAlumB
    1Password Alumni

    I posted a number of thoughts on these related topics, yesterday. I started with threads that already existed, and then when I couldn't find something, made another thread, and tried to keep each idea to its own thread.

    @huffalumpy: Yes! It's good! It just piqued my interest. I didn't mean any insult. By all means, continue to do so! I love these kinds of discussions! :chuffed:

    I disagree that crowdsourcing would affect either privacy or security for 1P users, because all we're sharing is a "this is what we need to do to build the strongest password we can for this site".

    Well, depending on the site's restrictions, it could allow attackers to more easily narrow their search. But it may be that web developers who would bother with a password standard would be likely to do it the right way in the first place: no password restrictions at all, since the most secure way is to simply salt and hash, and then store the hash, not the password itself. So that may be a better overall goal. That and rate limiting. :lol:

    I just want to not scream every time I try to create a strong password for a site that insists that I change it every 60 or 90 days, and find out about this restriction on my strong password, and that one, and this other one. I want to be able to have 1P create the strongest password I can have without all the manual intervention on my part.

    Understood! Perhaps someday we'll be able to make this dream a reality! :)
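
The per-site recipe requested in this thread (allowed symbol set, "between 4 and 18", first character a letter, last one not a number), together with the point that restrictions narrow the search space, sketched as an added example that is not part of the thread and not 1Password's code. The recipe format, its field names and the symbol set are assumptions made up for illustration.

```python
import math
import secrets
import string

# Hypothetical recipe format; every field name and value here is constructed.
RECIPE = {
    "min_len": 4,
    "max_len": 18,                     # "between 4 and 18"
    "symbols": "!@#$%",                # the only symbols the site accepts
    "first": string.ascii_letters,     # first character has to be a letter
    "last_forbidden": string.digits,   # last one can't be a number
    "require": ["symbols", "digits"],  # classes that must appear at least once
}

def _pools(recipe):
    """Return (first, full, last) character pools allowed by the recipe."""
    full = string.ascii_letters + string.digits + recipe["symbols"]
    first = [c for c in full if c in recipe["first"]]
    last = [c for c in full if c not in recipe["last_forbidden"]]
    return first, list(full), last

def is_valid(pw, recipe):
    """Check a candidate against every rule in the recipe."""
    first, full, last = _pools(recipe)
    classes = {"symbols": recipe["symbols"], "digits": string.digits}
    return (recipe["min_len"] <= len(pw) <= recipe["max_len"]
            and pw[0] in first and pw[-1] in last
            and all(c in full for c in pw)
            and all(any(c in classes[k] for c in pw) for k in recipe["require"]))

def generate(recipe, length=None):
    """Rejection sampling: uniform over all passwords the recipe allows."""
    n = length or recipe["max_len"]
    if not recipe["min_len"] <= n <= recipe["max_len"]:
        raise ValueError("length outside the recipe's limits")
    first, full, last = _pools(recipe)
    while True:
        pw = (secrets.choice(first)
              + "".join(secrets.choice(full) for _ in range(n - 2))
              + secrets.choice(last))
        if is_valid(pw, recipe):
            return pw

def max_bits(recipe, length=None):
    """Upper bound on entropy in bits (ignores the 'require' rule)."""
    n = length or recipe["max_len"]
    first, full, last = _pools(recipe)
    return (math.log2(len(first)) + (n - 2) * math.log2(len(full))
            + math.log2(len(last)))
```

For this constructed recipe the bound is about 108.6 bits at 18 characters, against roughly 118 bits for 18 characters drawn from all 94 printable ASCII symbols: the restrictions cost entropy, but a generator that already knows them can still use everything the site allows.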

This discussion has been closed.