Generate password does not seem to honour maxlength property of input

Joeri

I've had several occasions where I used 1Password to generate a long passhrase, but upon saving, the passhrase would be limited by the maxlength property of the input element. 1Password would then save/update the item in its database with the original longer passhrase, making it almost impossible to log in again as there the password is now way too long compared to what is stored as credentials at the site.

I would expect 1Password to at least give me a warning in the generate password stage that the password generated is longer then can be filled in the input element.

Thanks in advance,
Joeri van Oostveen

---

1Password Version: 6.3.1
Extension Version: 4.5.6.90
OS Version: 10.11.5
Sync Type: Dropbox

danco

Usually in this situation, copy and paste of the password from 1PW will work even though direct filling does not, so it isn't as impossible to fill in as you may have thought.

I'm not sure whether 1PW could throw up an error message as you suggest. Maybe it could, and it would certainly be nice, but the problem is that the site never rejected the too-long password, it simply cut it short.

AGAlumB

@Joeri: I'm sorry for the trouble! I'm pretty sure that happened to me in the past as well. Why web developers insist on limiting the password length when we have the technology to salt and hash any length password for better security is beyond me! It isn't currently possible for the password generator to detect this, as it has no way of reading the page (and they're not always forthcoming anyway); it simply creates a random password based on your specifications and then fills it when asked. If you can give specific examples of where you're running into this, we can certainly look into it to improve 1Password in the future. Thanks for bringing this up! :)

Joeri

Hmm too bad. I've already sent a message to the site as well that this character limit is not of today :).
Or at least provide a descriptive text right next to the change password field instead of somewhere in the help.
I'll have to stay sharp when generating websites.
An example is Ebay, which has some weird limit on some characters they don't allow. Each time I see this, I get the feeling that it is probably also stored plain text without escaping :).
Ebay also has a character limit using maxlength (it is not the site I had issues with, but as the original site is just a minor player, there is not much to gain there), but when filing in more than the character limit at least before submitting there is a client side warning (and by default 1Password will stay within this limit of 64 characters - it maxes out at 50 characters; unless you have 10 words generated...).

But still, I do recall 1Password used to have the ability to 'know' about the maxlength by suggesting the max length password if the password recipe used to be longer while allowing to manually make it larger. Might be in the 3.x days, I'm not sure, have been using 1Password for ages (currently my oldest password entry is from 2008).

Pilar

Hi @Joeri,

Thank you for giving us the example of eBay.com, this will help us have a better idea of what's going on. Writing to the page is one of the best things you could do. 1Password and the generator helps you be more secure, but it can only go as far as the site will let it. One of my important accounts has a password limit of 14 characters, I wish I could convince them to improve that!

Thank you for your input and for pointing out this behaviour to us :chuffed: