Feature request for password generator

Hi,
I have been using your product for a while. Good stuff. Worth every agilebit of money I paid (see what I did there?). I have a request for future versions.

Can the diceware generator have a character length slider and/or word length slider?

Why?
I've always been happy with using the random digit party generator, but I've read a few articles lately about how the diceware style passwords are actually harder to crack with a brute force attack. I turn on 2-step verification where possible, so I'm not worried about this type of attack for the most part. However, when I try to use the diceware generator, many sites have a digit length requirement and so I have to keep guessing how many words to generate, then I have to count the digits in the words, then the spaces... I mean, I'm lazy - that's why I use 1Password - so having the option of still being able to set the max length of my generated password (even with words) would be super keen.

Thanks for your thoughts,

  • Brett

1Password Version: 4.6.0.592
Extension Version: 4.4.3
OS Version: Windows 7 (work)
Sync Type: Dropbox

Comments

  • MikeT
    edited October 2015

    Hi @brettlin,

    "I've always been happy with using the random digit party generator, but I've read a few articles lately about how the diceware style passwords are actually harder to crack with a brute force attack."

    That's not accurate in most situations, especially when you consider that many sites have length limitations like what you saw. For passwords that have length constraints, the random generator almost always remains stronger than Diceware unless you include random characters, including symbols and digits, alongside words to fit, but you get more benefit from a random password. Something like stuff is much faster to crack than tZf87QqPsDxLazxWMoPm despite the fact that they're both 20 characters long. There's only so much Diceware can do, but it will not beat a random string when there's a limitation on the length.

    Diceware is tougher to crack when it is compared to normal, common human phrases that many people tend to use, like "I like cats". However, both random and Diceware are tougher to crack than that phrase alone.

    The reason Diceware is tougher to crack is that "fitness cats cup doe" makes no sense; no human would utter that sentence (except me just now), thus it is harder to test against than "cat likes toys". However, it is much easier to remember that phrase than a random string, which is why Diceware is recommended for situations when you do need to remember the password without a password manager, like your master password for 1Password, for example. :smile:

    Crackers would use any of the common human phrases available online, but a random string of words that makes no sense slows them down, just like a random string of characters.

    You're actually weakening the strength of the password when you limit the length of a Diceware password because there aren't many words that can fit within a 20-character limit and, because of that, once a cracker knows it is 20 characters, it can eliminate any words that would exceed 20 characters, something it cannot do with a random string.

    That's why we have no plans to include such an option in the wordlist/Diceware generator and recommend you use the random generator for length-limited passwords, which does in fact include the options you're looking for.
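
The length-cap argument in the reply above can be checked by counting. This is an added example, not part of the thread and not 1Password's code: the word-length histogram is constructed (it sums to 7776, the size of a five-dice Diceware list, but is not a real list's distribution), and the single-space separator and 62-symbol random alphabet are assumptions.

```python
import math

# Constructed histogram: word length -> number of words of that length.
# Sums to 7776 (a five-dice list) but is NOT a real list's distribution.
WORDS_BY_LENGTH = {3: 800, 4: 2000, 5: 2500, 6: 1500, 7: 700, 8: 276}

def phrases_that_fit(n_words, max_chars, hist=WORDS_BY_LENGTH):
    """Count space-separated phrases of n_words words with length <= max_chars."""
    ways = {0: 1}  # ways[c] = phrases built so far that are exactly c chars long
    for i in range(n_words):
        sep = 1 if i else 0  # one space before every word except the first
        nxt = {}
        for used, count in ways.items():
            for wlen, nwords in hist.items():
                total = used + sep + wlen
                if total <= max_chars:  # an attacker who knows the cap prunes here too
                    nxt[total] = nxt.get(total, 0) + count * nwords
        ways = nxt
    return sum(ways.values())

def bits(n):
    """Size of a search space of n candidates, in bits."""
    return math.log2(n) if n > 0 else 0.0

def wordlist_bits_under_cap(max_chars, hist=WORDS_BY_LENGTH):
    """Bits for 'any number of words, provided the phrase fits the cap'."""
    max_words = (max_chars + 1) // (min(hist) + 1)
    total = sum(phrases_that_fit(k, max_chars, hist)
                for k in range(1, max_words + 1))
    return bits(total)

def random_bits(length, alphabet_size=62):
    """Bits for a uniformly random string over alphabet_size symbols."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    cap = 20
    for k in range(1, 6):
        print(f"{k} words: {bits(phrases_that_fit(k, cap)):5.1f} bits fit in "
              f"{cap} chars, {k * math.log2(7776):5.1f} bits with no cap")
    print(f"any word count within {cap} chars: "
          f"{wordlist_bits_under_cap(cap):.1f} bits")
    print(f"random {cap}-char [A-Za-z0-9]: {random_bits(cap):.1f} bits")
```

Swapping in the length histogram of the word list actually in use gives the figures for that list.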

  • brettlin
    Community Member

    Beautiful explanation. Thank you for your time, comments, and having a well-thought-out response. I'm glad people who understand this stuff more than I do have already tackled the question I had.

  • MikeT
    edited October 2015

    You're absolutely welcome and we're always happy to answer any questions you have about 1Password and security topics.

    We have a few folks on our team whose jobs are to think about this stuff all the time, so we can stay ahead with our products and come up with better approaches.

This discussion has been closed.