Password generator improvements

juanii
Community Member
edited October 2016 in 1Password in the Browser

Not sure if this goes here. This is not platform specific and has to do with filling (new) password.

Since I started using 1Password I regularly change my passwords. As you might have experienced, still in 2016 most sites have their own rules for passwords, which is not only very annoying but sometimes it effectively makes the passwords a lot weaker. For the latter there's not much to do, but I think 1Password could help with the former.

Some password change forms are only annoying: they will politely reject passwords which contain symbols, are longer than N chars or do not start with four digits (Yes! the VISA website in my country enforces that policy). Every time you want to change the password in one of these sites you must remember their dumb rules or check your old passwords to generate a similar one.

There are other forms which are somewhat deceitful: they will, without any warning to the user, take input up to a maximum of N chars. Of course 1Password will save the full password and, if you're not paying attention to the lower count of asterisks in the form field, you end up temporarily locked out until you figure out the problem and fix it manually in 1P.

And finally there are forms which are dangerous: they will take all your input and silently trim it to the max length. I came across two sites with this disgusting behavior. So even after knowing what happened, you have to repeatedly try trimming one char at a time until you get your real password and hope the account won't lock after a few tries.

I hope the point was made. My suggestion is that 1P should let the user save password recipes under meaningful names or save the recipes along with login items, so when you're resetting a password you don't need to remember how it should be.

Regards



Comments

  • jxpx777
    1Password Alumni

    This is an interesting idea, @juanii. I definitely think we could do a better job of coping with various vagaries of password requirements. I'm not sure saving these as their own item type or even inside the item itself (Would I need to save the recipe multiple times if I have more than one account on the site?) is the way to go, but I definitely think there are ways we can improve.

    First, we should better cope with the maxLength attribute of the password fields. Right now, we don't consider this when opening the password generator, and since 1Password sets its values with JavaScript, the length isn't enforced for us by the browser. So, we could definitely do better on that front and that would go a long way.

    I also want to explore taking into account the pattern attribute of the password field if it is available and try to generate passwords that will satisfy the pattern. Depending on the pattern, though, this might actually prove very tricky. We certainly don't want to get into the business of trying to reverse engineer regular expressions. :)

    The last thing we want to look into is some more advanced features that site creators could opt into by coding in support for 1Password. This is just an idea at this point, but we've been having a lot of fun experimenting with some new techniques and it's starting to open up a world of possibilities. Hopefully we'll have more to say about that before too long.

    Thanks again for your feedback. It's doubly good that you posted it in the forums so that others who might have a similar idea or agree with you can chime in as well. We really do appreciate the suggestions. If you have any other ideas, don't hesitate to share them. It's users like you that help us make 1Password better every day.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • juanii
    Community Member

    > I'm not sure saving these as their own item type or even inside the item itself is the way to go

    I agree saving the password recipes inside the login items was an awful idea, I wasn't thinking clearly at that moment.

    > First, we should better cope with the maxLength attribute of the password fields.

    I wouldn't expect 1Password to try to automatically figure out the maximum password length or password rules for each site. I imagined something more like a sub-menu inside the password generator menu item in 1P mini/1P extension containing a list of password recipes previously saved by the user.

    > The last thing we want to look into is some more advanced features that site creators could opt into by coding in support for 1Password.

    It would be awesome if there was a way for sites to advertise their password rules, but I sincerely doubt they would implement it massively. The web is such a huge universe full of bad login implementations by people who just don't care... I guess it would be easier to let the users take control.

    > I also want to explore taking into account the pattern attribute of the password field if it is available and try to generate passwords that will satisfy the pattern. Depending on the pattern, though, this might actually prove very tricky. We certainly don't want to get into the business of trying to reverse engineer regular expressions. :)

    Actually I had a related suggestion about password generation rules. Of course, as you mentioned, I started thinking about regexes and password definition languages, similar to the ones used by password cracking software. But soon I realized there's no need for such complicated things. Stripping away the idea, it would be enough if we could compose (i.e., concatenate the output of) string generators with different recipes. Imagine generators represented as tokens that can be dragged around in the order you need, and a way to configure each one the same way the current password generator is. Drop a generator configured to output 4 digits and then another that outputs 10 alphabetic characters. Done.

    Since we're dreaming here, in a perfect world I'd add a few more features:

    • More character sets/classes to configure the generators. This might be a very particular case, but many sites allow symbols in the passwords but not just any symbol. They will accept some like -, _ or ~, but not &, % and ? (are they too lazy to percent-encode passwords to send them who-knows-where in a URL?). Probably there's no such thing as a safe symbol set for every site, but maybe one excluding the reserved characters in URIs could solve this one. I really don't have another example, but I'm sure others exist.

    And finally, some validations applied to the whole generated password:

    • Dictionary of forbidden words: some sites will not accept passwords containing your year of birth, name initials or other personal data. This would be impossible for 1P to check, so the user could configure a short black list of words which no password should contain just in case all the randomness in the universe decides to conspire against you.

    • The max number of equal or sequential consecutive characters, to avoid passwords containing strings like yyy, fgh, 789.

    Having this flexibility, I would be able to create recipes for every site I log into. Sure there will be one with the weirdest rules (in my country, probably the web site for a state agency) but it would still be great.

    Regards,
    Juan
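
The recipe idea from juanii's post above (concatenated generators, a URL-safe symbol set, a forbidden-word list and a cap on equal or sequential runs), sketched in JavaScript as an added example. It is not 1Password code, and every name in it (`token`, `generate`, `hasLongRun`, the rule keys `forbidden` and `maxRun`) is hypothetical.

```javascript
// Added example, not 1Password code; all names here are hypothetical.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
const DIGITS = "0123456789";
const LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
// RFC 3986 "unreserved" marks: excludes &, %, ? and the other URI-reserved characters.
const URL_SAFE_SYMBOLS = "-._~";

// Uniform index in [0, n) by rejection sampling, so no modulo bias.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// One draggable "generator": `count` characters drawn from `charset`.
const token = (charset, count) => ({ charset, count });

// True if pw has more than maxRun consecutive equal (yyy) or code-point-sequential (fgh, 789, 987) characters.
function hasLongRun(pw, maxRun) {
  let run = 1, step = null;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (Math.abs(d) > 1) { run = 1; step = null; }
    else if (d === step) run++;
    else { run = 2; step = d; }
    if (run > maxRun) return true;
  }
  return false;
}

// Whole-password checks: user-supplied forbidden words and the run limit.
function isAcceptable(pw, { forbidden = [], maxRun = 2 } = {}) {
  const lower = pw.toLowerCase();
  const banned = forbidden.some((w) => w && lower.includes(w.toLowerCase()));
  return !banned && !hasLongRun(pw, maxRun);
}

// Concatenate each token's output; redraw until the whole password validates.
function generate(recipe, rules = {}) {
  for (let attempt = 0; attempt < 1000; attempt++) {
    const pw = recipe.map(({ charset, count }) => Array.from({ length: count },
      () => charset[randomIndex(charset.length)]).join("")).join("");
    if (isAcceptable(pw, rules)) return pw;
  }
  throw new Error("recipe cannot satisfy the rules");
}
// The recipe from the post: 4 digits followed by 10 alphabetic characters.
const fourDigitsThenLetters = [token(DIGITS, 4), token(LETTERS, 10)];
```

Redrawing the whole password on failure, rather than patching the offending characters, keeps the result uniform over the passwords that pass the rules.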

  • clearbrian
    Community Member

    The password generator flow is not 100% fluid especially if the site you're signing up to rejects your newly generated password.

    Website: Enter new password.
    1Password extension: Press generate password. "some-password-generated".
    pasted ok into form field.
    Press Register on website.
    1Password creates new login with password "some-password-generated"
    but then website rejects it.
    Usually because it demands 1 upper letter and 1 number/symbol.
    But by now the generate password chrome extension popup has disappeared and already saved the rejected password as a 1P entry.
    The Copy to clipboard first isn't really a fix either as I have to edit it externally in textpad.
    Sometimes 1P asks you to update the entry but sometimes the login may redirect to a different domain.

    IDEA 1: Needs a check box for common patterns.
    Generate Password with new options:
    1. include at least one Uppercase letter.
    2. include at least one symbol or create our own templates.
    Regular expressions are satanic :)

    I use words mainly for iOS apps.
    Some apps don't let you paste the password
    so I have to use Words so I can remember them in 1password
    then switch back to the app and type in the password manually.
    e.g. the UK national lottery app won't let you paste into the password field so having a password like "iuiuy87@^^@0h0weg[][]" is impossible. whereas for orange-paper-water I can remember it easily.

    IDEA 2. ALLOW USER TO A REJECTED PASSWORD BEFORE IT'S SAVED
    When I use the Chrome popup to generate a password the rejected password can be saved even if password is rejected.
    when the newly generated password is visible.
    I choose Fill to insert it in registration form
    But if password is rejected
    I've tried to insert a Uppercase letter and number manually in the chrome extension popup
    When 1P generates a word/hyphen pwd in the chrome extension I try and edit the text right after generation
    but before it saves it but popup disappears the minute you copy the text, my changes are lost
    and rejected password is added to the new login entry but rejected on the website
    Maybe make the popup stay and let user and add an INSERT button and a Save button.
    Chrome : press 1P
    press Generate password
    Pop up remains - shows password
    user presses INSERT IN PASSWORD FIELD
    pasted into form
    User presses Register
    Password rejected
    Must add Uppercase letter
    Must add symbol
    Let user edit the generated password in chrome extension popup
    user pastes again till finally submitted.
    then user can press save in chrome popup - only then is an entry for that site added to 1P


    1Password Version: 6.3.3
    Extension Version: 4.6.1.90
    OS Version: mac sierra 10.12
    Sync Type: iCloud

  • AGAlumB
    1Password Alumni

    @juanii: Wow! Thank you for the detailed feedback! Honestly, while we can agree that there are huge challenges involved in doing things like determining password prerequisites programmatically or promulgating password practices (heh), I think it's safe to say that if we're able to make inroads in either endeavour it would help a lot of people who wouldn't otherwise fiddle with password generator presets. Thanks again for bringing this up. While 1Password isn't perfect, it's something we'll continue to strive for. :)

  • AGAlumB
    1Password Alumni

    @clearbrian: I hope you don't mind, but I've merged your post into an existing discussion about password generator usability improvements.

    It's certainly a difficult problem to solve, and while there are a lot of obstacles (discussed here in some depth), we'd very much like to find ways of having 1Password help the user more in these cases — for example, your password rejection scenario. I'm not sure what the solution will be, but perhaps we can make 1Password smart enough to anticipate these conflicts and "suggest" a password that is both random and adheres to the site's guidelines. If we throw too much in the user's face, it's likely that a lot of folks will simply give up. I think 1Password can do better. :)

This discussion has been closed.