Feature Suggestion - Password Generator - Special Character Mix in Diceware Passwords

nhDOBsfc
nhDOBsfc
Community Member
edited April 2023 in 1Password 7 for Windows

Currently, when generating a "diceware" / "words" password, the password-generator offers a limited set of special characters to use to separate the words: (1) Hyphen, (2) Space, (3) Period, (4) Comma, (5) Underscore. I suggest a sixth option: (6) Mixed.

The concept is that our eyes-and-brains are really good at parsing/noticing special characters in a string of words and can easily handle a mix of special characters. Said another way, the special characters used in the English language have evolved over time (since like 550 AD/CE) to be things that human readers can easily pick out from a string-of-words in casual reading; or arguably evolved since the dawn of literacy--for these special characters are not unique to the English language. So, little is lost in human readability by using a mix of special characters to delimit words, and a random mix of special characters makes the password stronger.

I further suggest that the mix of special characters be more diverse than the five currently used (i.e., (1) Hyphen, (2) Space, (3) Period, (4) Comma, (5) Underscore). Use all the special characters on the QWERTY keyboard, except certain cases detailed below.

Don't use the special characters that are supposed to occur in matched-pairs. Specifically, these should be avoided because our brains are not trained to expect them to occur stand-alone:

[ ] { } ( ) "

Similarly, I suggest avoiding the special characters that websites frequently don't allow for passwords, perhaps because they are used as special-delimiters in some computer codes.

/ \ |

These should also be avoided because they are easily confused with other characters in small type:

` ,

That's it. A suggestion for stronger diceware passwords that sacrifices little in human readability. Those that use diceware passwords for memorization purposes can select another option. The use case I have in mind is when one has to read a password off of their cellphone's screen/1Password program to type into a friend's or employer's computer.

P.S. See also my write-up in https://discussions.agilebits.com/discussion/68956/how-do-you-remember-your-master-password#latest


1Password Version: 6.0.252d
Extension Version: 4.6.2-BETA-1
OS Version: Win 10 Pro with all patches
Sync Type: 1Password Subscription

Comments

  • AlexHoffmann
    edited October 2016

    Hi @nhDOBsfc,

    Thank you for your excellent feedback! We really appreciate when users love 1Password as much as we do and participate in the forums to help others.

    The reason why we chose the existing characters as separators is because they're common and depending on the user's habits, the ones they would use to separate words. They're also easy to type on most hardware keyboards, software keyboards on mobile devices, and they're standard characters across almost all keyboard layouts.

    I find your argument about the use of special characters in a language compelling. I can see that some people will have no issues remembering a password that uses random separators in the wordlist sentence.
    From my experience, though, both in terms of writing for communication purposes and my background in philology, using unexpected characters can also throw the brain off by fixating on one particular character and forgetting the bigger picture.
    Unfortunately, I can't quote sources right now, so instead I'm going to point to an article written by our security expert Jeff Goldberg:
    Better Master Passwords: The geek edition

    It discusses replacing parts of words or separators using random characters and the security benefits it has. The gist is that doing what you propose does indeed increase the entropy of a passphrase but adding even one randomly chosen character to the end of a given passphrase and thus has a greater security benefit. Adding an entire randomly chosen word keeps the passphrase memorable and adds many more bits of entropy.

    That is not to discourage you from using random special characters as separators, though: you can edit a generated passphrase in the password generator to your liking. Anything that works for you and that helps increase the randomness and thus the security of your password is great in our books.

    Please let us know if you have more comments on this.

    Cheers,

    Alex

  • nhDOBsfc
    nhDOBsfc
    Community Member

    @AlexHoffmann,

    Thanks for the meaningful reply. I enjoyed the link about Master Passwords: Better Master Passwords: The geek edition.

    The use case I have in mind has nothing to do with memorization, but instead has to do with manual transcription as mentioned above: "The use case I have in mind is when one has to read a password off of their cellphone's screen/1Password program to type into a friend's or employer's computer." I only use diceware when I expect manual transcription will be needed in the future. Otherwise, I prefer the higher entropy pseudorandom passwords that are pleasantly generated by 1Password.

    Thanks again. Love the program.

  • khad
    khad
    1Password Alumni

    On behalf of Alex, you're quite welcome. And thanks for your kind words. :)

    Have a great weekend!

  • nhDOBsfc
    nhDOBsfc
    Community Member
    edited October 2016

    As one who uses Diceware passwords only for that very limited subset of my passwords for which I expect to have to transcribe them off my Android smartphone into a friend's or employer's or very rarely to a Hotel Business Center's computer (which I limit to low-value low-impact accounts like my Hertz-dot-com car-rental account), I am doing a bump-to-top on this feature request. I wrote it up in detail so that someone could just copy-and-paste it to your Jira (or whatever you use). I am thinking the development team might be better psychologically poised to think about new stuff, now that you've gotten past the full-release milestone for 1Password 6 for Windows Desktop. Yeah, I know that I can do it myself manually, and I do so.

    In brief, it is a suggestion for stronger diceware passwords that sacrifices little in human readability. Those that use diceware passwords for memorization purposes can select another option. The use case I have in mind is when one has to read a password off of their cellphone's screen/1Password program to type into (transcribe to) a friend's or employer's computer.

    1Password Version: <latest, subscribed to Beta program for 1Password 6 for Windows Desktop.>
    Extension Version: <latest, subscribed to the Beta via Chrome>
    OS Version: Win 10 Pro with all patches
    Sync Type: 1Password Subscription

  • AGAlumB
    AGAlumB
    1Password Alumni

    I am thinking the development team might be better psychologically poised to think about new stuff, now that you've gotten past the full-release milestone for 1Password 6 for Windows Desktop.

    @nhDOBsfc: I loved this sentence! :lol: (Un)fortunately our work is not nearly done, as there is a still a long list of features and improvements we want to make. This is just the first version "for public consumption", so to speak.

    I think we'll probably do something along these lines in the future...but this is really the sort of thing that we should plan and execute across all platforms. I hate it when one gets and and another doesn't. We've gotten a lot better at this, but we still have a ways to go.

    Thanks for your passion about this! We'll continue to discuss it as we iterate on the password generator going forward. :)

  • SHuntVA
    SHuntVA
    Community Member

    Some websites do NOT allow your set of special characters ... though they seldom show what special characters ARE authorized until they reject the 1Password that was generated .. then you have to dig around to find out what would work.

    As an industry leader in this space ... PLEASE champion the idea of AgileBits having a common set of permissible special characters for all sites that say they support "strong passwords" AND also allow at least 20 characters in a password.

    The current approach of each site being able to pick their own is compromising use of "strong passwords".

  • khad
    khad
    1Password Alumni

    @SHuntVA,

    You raise a very good point. And what you describe certainly aligns with our goals: stronger passwords for everyone.

    But our recommendation is simply: don't restrict characters or length. That's something websites can already (and easily) adhere to, and many do. Regardless of what our recommendation is, it will always be up to the individual sites to follow it or not. And that's the real crux of the problem.

    Keep spreading the good word, though. Maybe one day we'll stop seeing arbitrary limits on characters and length, since — as you and I both know — they make passwords weaker.

    If it helps in the meantime, as soon as I run into problems with symbols in a password on a particular site, I just flat out exclude symbols rather than try to guess which ones the site is balking at. A 23- character alphanumeric password from the generator is already an uncrackable-in-the-age-of-the-known-universe 128 bits, and that's without even a single symbol.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2016

    And just to clarify, the only reason a website needs to care about the length or composition of your password is if they're storing your actual password, which is just a terrible, terrible thing to do. Whereas, if they use a one-way hash function that outputs a uniform length, they can "budget" for storing each user's hash for comparison next time they enter their password to login. And of course that way even if their database is compromised, the attackers still can't get user passwords.

    The reason we all have to suffer the indignities of obtuse password requirements and fall prey to account compromise due to site breaches is that they're not using these measures to protect their users (and, ultimately, themselves). Website breaches will happen as flaws in server setups are discovered, but all companies need to do to guard against account compromise in these instances is not have their users' passwords in the first place. That's more secure and more convenient, so it's a tragedy when companies don't care enough to take these steps. :(

This discussion has been closed.