Feature Request: Alert when Password Generator exceeds website capabilities

cameroncf
Community Member
edited July 2016 in Mac

Summary
Occasionally I use the Password Generator on a website that requires a shorter password than my default generated length and it causes unpredictable problems. Sometimes these problems are not immediately apparent.

Feature Request
It would be nice if 1Password kept an internal database (as part of Watchtower perhaps?) of "top visited sites" that have particularly quirky password rules: passwords that disallow special characters, or require unusually short lengths. This would show a soft ignorable alert in the Password Generator stating that the Generated Password may not conform to the website's password rules. It would be up to the user to make adjustments to the password to meet the site's rules; this is only an informational alert.

Scenario
This has happened on several sites in various ways but I'll use Wells Fargo Bank (WF) as my example for this feature request since it's the most recent example.

WF allows passwords to be a maximum of 14 characters. My default in the Password Generator is longer than 14 characters. The WF website handles this case by invisibly truncating my password. So, when I set my password and it's longer than 14 characters, the website accepts it, truncates it to 14 chars, and stores my password. Then when I return to log in and use 1P to log in using my longer-than-14-char-password, the WF website again truncates whatever I put into the login, checks that truncated value against the truncated value in the database, and then validates those first 14 chars. Great! No problem (yet).

So now I go to another online "Financial Service X" that requires the use of my WF login credentials. I give them my username and the longer-than-14-char-password stored in 1P. This financial service uses some other API or some such thing on the backend and the login doesn't work. No real good debugging information is provided. It just doesn't work.

In the end I have to call WF support and they inform me that I need to make my password 14 chars or less to work with "Financial Service X". So, I have to plod back over and change my password again, manually adjusting my password length in the 1P Password Generator.

Is this 1Password's fault? No
Is this Wells Fargo's fault? Yes.
Can 1Password help anyway? Yes.

Thanks for taking the time to consider this feature request.


1Password Version: 6.3.1
Extension Version: 4.5.7.90
OS Version: 10.11.5
Sync Type: Not Provided
Referrer: forum-search:feature request wells fargo
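
The scenario and the requested alert from the post above, modelled as an added example (not part of the original post and not 1Password or Wells Fargo code). The `bank.example` rule table, the PBKDF2 storage and the non-truncating `api_login` path are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed rule table; "bank.example" and its values are placeholders.
SITE_RULES = {"bank.example": {"max_length": 14, "allow_symbols": True}}


def generator_warnings(domain, candidate):
    """Informational only: list rule mismatches, never block or alter."""
    rules = SITE_RULES.get(domain)
    if rules is None:
        return []  # unknown site: stay silent
    notes = []
    if len(candidate) > rules["max_length"]:
        notes.append(f"{len(candidate)} chars exceeds site maximum of {rules['max_length']}")
    if not rules["allow_symbols"] and not candidate.isalnum():
        notes.append("site does not accept special characters")
    return notes


class TruncatingSite:
    """Model of a site that silently keeps only the first max_len characters."""

    def __init__(self, max_len=14):
        self.max_len = max_len
        self._salt = os.urandom(16)
        self._stored = None

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password):
        self._stored = self._kdf(password[: self.max_len])

    def web_login(self, password):
        # Web form truncates the same way, so the long password appears to work.
        return hmac.compare_digest(self._stored, self._kdf(password[: self.max_len]))

    def api_login(self, password):
        # Assumed second path (the third-party service): no truncation.
        return hmac.compare_digest(self._stored, self._kdf(password))


if __name__ == "__main__":
    site, generated = TruncatingSite(), "k7#Qz!m2Xw9$Lp4Rt8Vb"  # constructed, 20 chars
    site.set_password(generated)
    print(site.web_login(generated), site.api_login(generated))
    print(site.api_login(generated[:14]), generator_warnings("bank.example", generated))
```

The web path also accepts any input that shares the first 14 characters, so only those characters contribute to the password's strength.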

Comments

  • Megan
    1Password Alumni

    Hi @cameroncf,

    Thanks so much for the suggestion!

    Because you put so much time into writing such a detailed description of your feature request, I’ll do what I can to share our priorities here.

    I can certainly understand how all of the various password restrictions for various sites can be frustrating - I’ve run into several of them myself. And you’re right, it would be possible to build a database of requirements to teach 1Password how to work within all of those constraints. However, it would be no small undertaking. Whether we crowdsource the requirements or dedicate someone’s time to researching them, I don’t think that it’s something that could be automated - there are many sites that have requirements (some of which are hidden within the architecture of the site and not immediately exposed to the users) and these requirements could change at any time.

    And, at the end of the day, password restrictions are bad for your passwords. Restricting the length and requiring certain characters can lessen the strength of the password protecting your account, and that’s no good. Instead of working around these restrictions, we would prefer to spend our resources advocating for better password security from these sites. In a perfect world, you would be able to generate a completely random password with no restrictions for every site that you visit. Spreading awareness of true password security would end up benefiting so many more people.

    Now, this doesn’t mean that we’ll never do something like you suggest - I’m happy to pass your idea along to our development team, but I think our efforts might be better spent elsewhere. :)

  • cameroncf
    Community Member

    Agree with all of your points. If this feature were to be implemented I think that it would be with the following restrictions:

    1. Only include the top N sites.
    2. The feature would not restrict or enforce anything - it would just be informational.
    3. AgileBits could make this data public as some sort of "password score" and get some good Karma.

    Thanks for the reply!

  • Megan
    1Password Alumni

    Hi @cameroncf,

    Great suggestions. :)

  • cameroncf
    Community Member

    I know you intend for this conversation to be over but I just saw this and thought it would be a nice starting point or potential collaborative project that would help this cause:
    https://twofactorauth.org/

  • Megan
    1Password Alumni

    Hi @cameroncf,

    Thanks for sharing! As I mentioned above, we can’t commit to anything at this time, but it’s great to hear that you’re passionate about this cause.

This discussion has been closed.