Only certain symbols are allowed when creating secure passwords

Ladies and gentlemen, some web pages require, for the creation of secure passwords, certain symbols which are the only ones that can be used, in addition to a certain minimum length, a number of digits, and uppercase and lowercase letters.
It would be advantageous if you could search for, set or activate these specific symbols for a password in the password generator, via a checkmark that is deactivated when you do not use it.

It would be nice if this proposal could be applied.

Thank you.

Gruber Johann


1Password Version: 6.3.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB (1Password Alumni), edited November 2016

    @Johann_Gruber: We also have some other ideas for how we'd like to improve the password generator, so it's good to know that you'd like to be able to choose individual symbols. Perhaps we can add that feature in a future version. Thanks for the suggestion! :)

    ref: OPM-1378

  • Martok (Community Member)

    I came across this yesterday on a small number of sites when I was changing some passwords. These sites allowed some symbols but not all. One in particular is eBay, which only allows the symbols !@#$%^*-_+= (there are other problems with eBay too as they don't allow copying and pasting into their change password fields!). This meant that I had to switch off the symbol option when creating a generated password as invariably any created when it was switched on contained some of the disallowed symbols.

    It would be useful to be more specific about which symbols to include (maybe this can be done with a check box for 'common' symbols only such as those allowed by eBay and deselected chooses from all symbols).

    Ultimately though, sites like eBay and others need to be educated (and coded correctly) to allow passwords of any length and using any characters and symbols, as well as copy and paste into password fields. I'm sure they want to avoid "Little Bobby Tables" incidents, but this really should be done with the good practice of proper coding, not with the bad practice of short passwords with restricted character sets!

  • jxpx777 (1Password Alumni)

    @Martok I think you're absolutely right, and honestly, from our perspective it's not worth cluttering up the user interface of 1Password to accommodate website practices that shouldn't be employed at all and represent a relatively small number of sites overall when they are employed.

    Being unable to handle certain special characters is indeed a hint that the site is possibly vulnerable to SQL injection or other HTTP attacks related to special characters, or possibly that they are not using good hashing practices on the server side. Hashes result in hexadecimal characters and always the same length of string regardless of the size of the input. So, a site that places unreasonable limits on password length (for safety and server defense's sake, a high upper limit like 256 characters would still be useful) or cannot handle certain special characters makes me think they are possibly not properly protecting my password on the server side as well. When you encounter these sites, I would encourage you to voice your concerns and ask those companies to update their practices to allow for better security.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • Martok (Community Member)

    Thanks @jxpx777. I have already reported my concerns to one website today that employs this technique of disallowing some special characters (and in this particular website's case, although they stated a minimum no. of characters, they didn't say they had a max no. of characters which I only found out by trial and error and then noticed it in the HTML code when inspecting the web page!!)

    If you are aware of an authoritative document somewhere that I could post a link to for these sites' admins to read, that would be useful! It would likely be considered more than just "some customer" telling them that their security isn't good enough.

  • jxpx777 (1Password Alumni)

    I think perhaps NIST's updated password recommendations are about the best you can offer in terms of an authoritative source. Here's a good resource that covers their recently updated recommendations: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

  • Martok (Community Member)

    Thank you, that is very useful. :)

  • littlebobbytables (1Password Alumni)

    I know exactly how you're feeling @Martok. I've had trouble with some sites in the past and all you can do is bounce your head off something solid. One site listed the acceptable symbols except they weren't so I repeatedly locked myself out of the account. When I talked to a customer representative they told me not to use symbols at all. Another account had three points of entry in terms of places to authenticate and they each had different restrictions. I had to keep dumbing down the password until I found something that fit in all three. Don't get me wrong, 1Password is not perfect and we're constantly working to improve it but in general there are some really weird attitudes to passwords out there.

  • Dave_Scocca (Community Member)

    This is not a Mac-only question, but there didn't seem to be a forum appropriate for general password-generation questions:

    I was just trying to change my password on the Capital One site https://www.capitalonecardservice.com/ and I ran into the following message:

    "Passwords must be between 8-32 characters using letters, numbers and at least one special character @./|$*&-_"

    So 1Password couldn't auto-generate an acceptable password because I needed a symbol but had no way to restrict the list of symbols used to the ones that Capital One accepted.

    It would be good if there were a way to specify symbols that should be either included or excluded when generating a password that includes symbols.

    (As a work-around, I generated a PW with exactly one symbol and then replaced that symbol with one of the permissible ones. But that was an extra step.)

    Any chance an improvement like this is in the works?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Drew_AG (1Password Alumni)

    Hi @Dave_Scocca,

    Thank you for writing in with your request/suggestion! I hope you don't mind, but I've merged your post with another recent/similar discussion in our "Saving and Filling in Browsers" forum.

    As you can see, we've received similar requests from other customers. I'll gladly forward your comments to our developers so they know you'd be interested in an option like that for the password generator. However, I can't promise if or when we might add something like that. As Jamie pointed out in an earlier post, websites really shouldn't be placing these sorts of limitations on their customers' passwords in the first place. We want to encourage those sites to remove those restrictions and allow people to use more secure passwords. But adding an option in the password generator to limit which symbols are used would encourage those websites to continue with their current practices.

    Of course, that means customers like you are forced to take extra steps to generate a password that is compatible with a certain site, and that's not an ideal situation either. So it's possible we'll add additional options to customize the password generator in the future, but I also wanted to explain a bit about why we haven't already added a feature like that.

    Thanks again, and if you need anything else, please don't hesitate to let us know! :)

    ref: OPM-1378

  • rsstorey (Community Member)

    I fully understand your response, but it is not always the sites. I'm connected with the government for IT development and deal with many government websites, and the restrictions on systems are policy and are guided by Information Assurance departments. With that said, I think that the app should allow the user to select the symbols (special characters) that the password generator uses. This could be done within the system settings, or even by providing an input field in the password generator that will allow a user to cut and paste from the website. I don't want to come off as being rude, but I believe your first responsibility is to the users (stakeholders) who pay for your product, and then to try to influence external entities.

  • littlebobbytables (1Password Alumni)

    Hi @rsstorey,

    I've added your comment to the filed feature request and because I do genuinely understand where you're coming from I even emphasised the final sentence to highlight your point. I apologise that I can't promise anything but I will see this raised again.

    ref: OPM-1378

  • nastav (Community Member)

    I would echo @rsstorey's remarks. Special character restrictions are a fact of life, and account creation usually cannot be delayed until advocacy for better password rules happens.

    The main problem with advocacy for better password rules is that it is often unclear how to go about it. I just tried creating a CenturyLink account, and it has restrictions on special characters. I'm not sure whom to contact on their end that would be an effective mode of engagement - I'm quite certain that the regular folks at their Customer Service wouldn't care, and if they did care, they wouldn't be empowered to assist or escalate appropriately.

    I also have a Capital One account, and it has a similar problem. I've tried using Twitter in the past to call out this problem, to no effect (if I had 100k followers, I suppose someone would notice, but I'm not a celebrity).

    In fact, I think it would be very appropriate for Agile Bits to take on the mantle of advocacy. Perhaps you can create a forum that accumulates reports of bad password rules, and take the time (and allocate the resources) to go after CIOs or admins of various websites and educate them, and try to influence them to change. Even better, perhaps Agile Bits can try to create a consortium with its competitors and join together to pursue this sort of advocacy. I believe that this approach would be far more effective than your users doing our own (largely ineffective) advocacy.

  • @nastav:

    Perhaps you can create a forum that accumulates reports of bad password rules, and take the time (and allocate the resources) to go after CIO's or admins of various websites and educate them, and try to influence them to change.

    I would simply love if we had the clout necessary to change the hearts and minds of top executives, but the reality is that these companies have no motivation to change. Look at what Equifax is going through right now and consider whether you truly believe their business will suffer or policies will change as a result. I try to be optimistic, but I see no concrete evidence of change and the Equifax breach was much more egregious than illogical and unhelpful password rules. :frown:

    I recently encountered the single most frustrating password creation experience ever when trying to set up online banking with my new mortgage servicer. The password form didn't even tell you which symbols were disallowed until you tried to use them, and I think I went through 30+ generated passwords before I found one that worked. It was horrendous, and I was all fired up to write a strongly worded letter to every C-level I could find. What's worse is that, specifically in the case of a mortgage servicer, they know that my only choice is to deal with their horrid password rules or pay money to refinance (at which point my mortgage may get sold right back to them). I still wrote letters, and while it's likely nothing will come of it, it's better than griping on Facebook, which is all I used to do.

    Ultimately, companies care much more about what their customers think than what we think. So while I definitely think we have a role to play in education (both of consumers and corporate leaders when we have the opportunity), I think there are organizations and people much better suited to lobbying large corporations than we are. I'd also encourage you to keep whining. There's reason to believe companies care little for consumers these days, but I like to think that we're not alone in giving a hoot about y'all. Even if 99% of the time, your feedback goes into a black hole, it's worth finding those companies who care so you know who to stick with. And, of course, we'd love if you'd share any password rules victories as I, at least, would certainly take my business to a company I know listens. :chuffed:

  • daanvm (Community Member)

    Hi AgileBits, I understand your standpoint that these restrictions are mostly an issue with these specific companies, and your suggestion to reach out to these companies to update their password policies. But shouldn't it be your job in the meanwhile to make the lives of your customers easier in dealing with these kinds of companies?

    It would be nice if you started collecting all the different restrictions for different websites and automatically generated a password that is as secure as possible for that given site. I run into this issue quite often, also with the larger companies.

  • jxpx777 (1Password Alumni)

    Thanks for the feedback, @daanvm. We definitely want to make our users' lives easier. Security that is inconvenient to use is less effective security because people don't want to use it. That being said, there's currently no way to programmatically identify the characters that a given site will accept for passwords. I have seen sensible things like helpful accessibility elements attached to password fields with aria-described-by or that kind of thing, but I have also seen bonkers things like a table row with a spanning cell that just has some text that describes what is acceptable. I have also seen an image that had text in it describing the allowed characters. The only thing worse than 1Password not supporting this is 1Password attempting to support this and doing it poorly.

  • jasnw (Community Member)

    This is a really annoying problem, and I encounter it often enough that it would help if some mitigation could be found. I agree that trying to identify what sites allow what symbol set would be impossible (actually, more like expletive-deleted impossible), and an interface wherein you allow the user to specify the set allowed might be awkward, but maybe if you just added a restricted symbol set option using a collection of a dozen or so widely-accepted symbols, that would help. Even if you have to play reset-the-password in order to get a symbol that works, with fewer symbols to choose from that might make that process go faster (fewer attempts required). Another option might be to make the password user-editable prior to entry. I know the real answer is for sites to clean up their act on this issue, but most of the ones I run into are US Government, and they aren't likely to change anytime soon.

  • AGAlumB (1Password Alumni)

    I haven't found that there's much consistency at all in what is and is not allowed. We also don't want to decrease the entropy of the whole password by needlessly excluding characters. We have some ideas we might be able to implement when we revamp the password generator though. Thanks for your feedback on this!

  • rlecour (Community Member)

    @brenty — I don't think most people are suggesting that you decrease the entropy of the whole password by needlessly excluding characters by default, but that should be up to us, the users, who have to suffer through the arcane policies of others. By not allowing the option to specify which symbol characters we need (or wish) to use, many people will just omit symbol characters altogether, resulting in less-effective security.

    You're already allowing users to include 0 symbols through use of the slide control. Doesn't that already decrease the entropy of the whole password? Simply make the "symbols" label clickable to bring up a control to select the characters. That doesn't clutter up the user interface at all...

  • AGAlumB (1Password Alumni), edited February 2018

    I don't think most people are suggesting that you decrease the entropy of the whole password by needlessly excluding characters by default, but that should be up to us, the users, who have to suffer through the arcane policies of others. By not allowing the option to specify which symbol characters we need (or wish) to use, many people will just omit symbol characters altogether, resulting in less-effective security.

    @rlecour: I think that's asking a lot, not of us, but of your fellow 1Password users. It's important to have reasonable defaults, even if some sites are designed to be unreasonable.

    You're already allowing users to include 0 symbols through use of the slide control. Doesn't that already decrease the entropy of the whole password?

    Yep. Some websites don't allow symbols (or even numbers) at all. We'll be updating the password generator everywhere to match the new Windows app and 1Password X, which have checkboxes for numbers and symbols.

    Simply make the "symbols" label clickable to bring up a control to select the characters. That doesn't clutter up the user interface at all...

    I disagree that it doesn't clutter things, but, as mentioned previously, we're hoping to do something to accommodate this use case in the future as well. Cheers! :)

  • MAscooby (Community Member)

    Any news on this? While I'm all for aesthetics, I run into these special character limitations more often than not, and it's a serious pain in the butt, especially when using longer passwords.

    I was hoping the 1Password 7 beta would have something to improve on the experience here but, if it does, I'm not seeing it...

    If you're worried about reducing the strength of the default option, you might consider a check-box option to "Use restricted special character set" that's off by default, but accessible (and user-configurable) for sites that won't accept all special characters.

  • AGAlumB (1Password Alumni)

    @MAscooby: We haven't yet come up with a good way of offering options for something like this. We need to consider that there are 7 different apps which will need to be updated if and when we do, and we'd like a consistent experience between all of them. In the meantime, even a random 20-character password composed "only" of capital and lowercase letters is not only more than sufficient, security-wise, but also allowed by most websites. And adding a symbol/digit to that will not make it any weaker. Cheers! :)

  • MAscooby (Community Member), edited April 2018

    Understood about the experience factor. That's really why I'm suggesting a "Use limited special character set" option that could be activated via checkbox when the password is generated.

    Adding a few special characters to the alphanumeric set would be slightly "more secure" than just letters and numbers even if, for the most part, 20 alphanumerics is sufficient. In addition, some sites require special characters (and in some cases more than one).

    And if letting users configure which characters to use is cumbersome from a UI perspective or otherwise, it's pretty clear there are some "common" characters that are acceptable more often than not.

    In any case, I get what you're saying (and I understand there are development priorities to consider) but, at the same time, it doesn't seem like a problem that should take two years to solve. ;)

  • AGAlumB (1Password Alumni)

    Understood about the experience factor. That's really why I'm suggesting a "Use limited special character set" option that could be activated via checkbox when the password is generated.

    @MAscooby: Yep! It's one of a number of possibilities. We'll see what works best. :)

    Adding a few special characters to the alphanumeric set would be slightly "more secure" than just letters and numbers even if, for the most part, 20 alphanumerics is sufficient. In addition, some sites require special characters (and in some cases more than one).

    Well...it really doesn't appreciably add entropy, and therefore a security benefit, since there's not really randomness involved. And frankly most people will just tack on an exclamation point.

    And if letting users configure which characters to use is cumbersome from a UI perspective or otherwise, it's pretty clear there are some "common" characters that are acceptable more often than not.

    Yeah, I wish that were the case. Though there is some commonality, it really varies wildly. We see a lot of websites. It's kind of a nightmare. We could use only characters that 80% of sites will accept, but then the entropy sucks, and the user experience still sucks for the other 20%. And 20% on the web is a lot. :dizzy:

    In any case, I get what you're saying (and I understand there are development priorities to consider) but, at the same time, it doesn't seem like a problem that should take two years to solve. ;)

    Fair enough, but we've done a lot of other stuff in the meantime — to the point where I couldn't even list all of it! And likewise, it's great to get feedback like this. You folks have insights and ideas based on experiences that are different from our own, and it also helps to know that this is important to you when it comes to prioritization. Thank you! :)

  • MAscooby (Community Member)

    Agreed that it's only a slight improvement to add a small set of additional characters... 20 characters > 10 characters but, still, 20 characters from a larger set > 20 characters from a smaller set. ;-)

    My bigger concern is that I'm seeing a lot more sites requiring at least one (and, relatively recently, more than one) special character.

    In any case, thanks for taking the feedback. And to your "other stuff" point, no doubt, and it's definitely appreciated. I'm a LastPass convert and I've brought a number of friends & family with me. :)
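The entropy arithmetic traded back and forth in the last few posts, worked through as an added example (this is not 1Password's code): a generator that draws only from a site's allowed symbols, enforces "at least one symbol" by rejection sampling, and reports how little that enforcement costs in bits. The Capital One and eBay symbol sets are the ones quoted earlier in this thread; the policy checker assumes Capital One's stated 8-32 character rule.

```python
import math
import secrets
import string

# Symbol sets quoted earlier in this thread (taken from the posts, not from
# any password manager's generator): Capital One's specials and eBay's.
CAPITAL_ONE_SYMBOLS = "@./|$*&-_"
EBAY_SYMBOLS = "!@#$%^*-_+="
LETTERS = string.ascii_letters   # 52 characters
DIGITS = string.digits           # 10 characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def prob_no_symbol(alphabet_size: int, symbol_count: int, length: int) -> float:
    """Chance that a uniformly random password contains no symbol at all."""
    return ((alphabet_size - symbol_count) / alphabet_size) ** length


def effective_entropy_bits(alphabet_size: int, symbol_count: int, length: int) -> float:
    """Entropy once symbol-free candidates are rejected: log2(N^L - (N-s)^L)."""
    p = prob_no_symbol(alphabet_size, symbol_count, length)
    return entropy_bits(alphabet_size, length) + math.log2(1 - p)


def generate(length: int, symbols: str = "", use_digits: bool = True,
             require_symbol: bool = False) -> str:
    """Draw a password from letters (+ digits, + the site's allowed symbols).

    With require_symbol, candidates containing no symbol are discarded and
    redrawn. Rejection sampling keeps the result uniform over all acceptable
    passwords; pinning a symbol to a fixed position would not.
    """
    if require_symbol and not symbols:
        raise ValueError("a symbol cannot be required from an empty symbol set")
    alphabet = LETTERS + (DIGITS if use_digits else "") + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_symbol or any(c in symbols for c in candidate):
            return candidate


def meets_policy(pw: str, min_len: int, max_len: int, symbols: str,
                 require_symbol: bool) -> bool:
    """Check a password against a policy shaped like Capital One's quoted one:
    a length range, only letters/digits/listed specials, at least one special."""
    allowed = set(LETTERS + DIGITS + symbols)
    if not (min_len <= len(pw) <= max_len) or any(c not in allowed for c in pw):
        return False
    return not require_symbol or any(c in symbols for c in pw)


if __name__ == "__main__":
    n_full = len(LETTERS) + len(DIGITS) + len(CAPITAL_ONE_SYMBOLS)  # 71
    print(f"letters only, 20 chars:     {entropy_bits(52, 20):.1f} bits")
    print(f"+digits +Capital One set:   {entropy_bits(n_full, 20):.1f} bits")
    print(f"  after requiring a symbol: "
          f"{effective_entropy_bits(n_full, len(CAPITAL_ONE_SYMBOLS), 20):.1f} bits")
    pw = generate(20, CAPITAL_ONE_SYMBOLS, require_symbol=True)
    print(pw, meets_policy(pw, 8, 32, CAPITAL_ONE_SYMBOLS, True))
```

The numbers bear out both sides of the thread: 20 letters alone are about 114 bits, adding digits and the nine Capital One specials brings that to about 123 bits, and rejecting the roughly 7% of candidates with no special costs about a tenth of a bit.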

  • AGAlumB (1Password Alumni)

    Totally! Thanks for being awesome! Your support is what allows us to even be here in the first place, and your constructive criticism helps us to do better. I agree we can do better in these cases. :)

  • equilaterial (Community Member)

    I'm also very interested in this, going as far as collecting ~250,000 websites' registration forms to get password requirements, to try to create my own password-requirement parser (I'm a bit stuck, though).

    Perhaps you could get some volunteers (me included) to go through the top 100 Alexa sites' password requirements (visiting each one individually) and then write them down in a very structured format, so that 1Password could use them. Even just doing it for the Alexa top 10 would help a ton of new users, and would greatly increase the usefulness of the random password generator.

    This website https://defuse.ca/password-policy-hall-of-shame.htm has already gone through most of the top 100 and documented the password policies, but I don't know how old it is.

  • AGAlumB (1Password Alumni)

    I'm also very interested in this, going as far as collecting ~250,000 websites' registration forms to get password requirements, to try to create my own password-requirement parser (I'm a bit stuck, though).

    @equilaterial: Wow! :dizzy:

    Perhaps you could get some volunteers (me included) to go through the top 100 Alexa sites' password requirements (visiting each one individually) and then write them down in a very structured format, so that 1Password could use them. Even just doing it for the Alexa top 10 would help a ton of new users, and would greatly increase the usefulness of the random password generator.

    We've done something along those lines already. That's where we came up with the 20 character capital/lowercase defaults for 1Password X. Unfortunately when you get past more than a dozen or so sites, you end up with no real agreement when it comes to special characters. And many simply don't allow them at all. The good news is that the alphabet on its own gives us a ton of entropy.

    This website https://defuse.ca/password-policy-hall-of-shame.htm has already gone through most of the top 100 and documented the password policies, but I don't know how old it is.

    Thank you for sharing that! It's really interesting to see things like "Probably Plaintext". It illustrates that even though we can use a strong enough password for most sites (20 characters), ultimately we're at their mercy with regard to security. That's why it's so important to use unique passwords for each site. When — not if — a site is breached it will at least not affect any others. :blush:
