Restrictions in the password generator: why a specific number of numbers and symbols by default?

I have been changing many of my passwords this week, and I noticed something odd in your password generator. I generated many passwords for different sites, using the same parameters (16 characters, with 2 numbers and 1 symbol), and the strength meter was showing a progressive decrease in security. How could that be? And then it hit me: by having a fixed amount of numbers and symbols every time, my passwords became similar to one another, and indeed not as random as they could be. Of course, I could fiddle with the sliders and manually change the amount of numbers and symbols each time, but why would I have to do that? Why is such a behavior, significantly detrimental to entropy, the default? I understand some websites specifically ask for a fixed number of symbols and such, but having changed my passwords to all major services this week (Facebook, Twitter, Google, Microsoft, etc) I can confirm this is most often not the case. Why not add the option "at least 1 number" and "at least 1 symbol" to your generator and put it as the default? Isn't it better for passwords to have different amounts of numbers and symbols among themselves? I resorted to copy-pasting passwords generated in Password Safe, where the password generation options make much more sense (see attached image). And indeed, the 1Password strength meter seemed to recognize the superior quality of those new passwords, as for the very same length they suddenly achieved a full green bar.

Another detail: could you please make the font of the passwords bigger when you click on the padlock to "reveal" them in the vault? Similar to the way passwords are shown in the mobile app, in big letters and different colors for numbers and symbols? Also, I think it would generally be a good idea to have the option somewhere of increasing the font size for the whole app, surprisingly I could not find that option anywhere.

Thanks!


1Password Version: 4.6.1.616
Extension Version: Not Provided
OS Version: Win 10
Sync Type: Not Provided

Comments

  • Hi @lmelancon,

    Thanks for writing in.

    I’d suggest giving our article a read here: https://support.1password.com/password-strength/

    Why not add the option "at least 1 number" and "at least 1 symbol" to your generator and put it as the default? Isn't it better for passwords to have different amounts of numbers and symbols among themselves?

    It is on by default, but it retains your previously used settings. So if you’ve told 1Password not to use digits, it will not use digits the next time either. 1Password is not adjusting it for you at all.

    In the future, we have a plan to dynamically shift the settings based on a password profile, meaning to generate the strongest possible password based on its purpose. For example, if you select Website, it would generate a 30-character password with 2-3 symbols and 1-2 digits, and so on. If you select Wi-Fi, it would select a 64-character password.

    and I noticed something odd in your password generator. I generated many passwords for different sites, using the same parameters (16 characters, with 2 numbers and 1 symbol), and the strength meter was showing a progressive decrease in security.

    I’m not sure I understand how it would show a progressive decrease; it would be almost identical every time, unless you’re using a different strength meter, not the one in 1Password?

    It is possible that some of the passwords it has chosen have a lower number of mixed characters, which would lower the entropy a bit and make them weaker; but since it is random, it would alternate in strength.

    One thing to keep in mind is that 1Password retains your setting; it does not dynamically shift based on the site because we have no way of knowing what restrictions the site has.

    Of course, I could fiddle with the sliders and manually change the amount of numbers and symbols each time, but why would I have to do that?

    Each site has a different level of requirements and they're not laid out in the site's source code, which means 1Password has no way of knowing what is acceptable.

    In addition, changing the amount of numbers and symbols will not change much. That said, digits do have lower entropy than letters and symbols (0123456789 vs abcdef…zABCDEF…Z, and far more for symbols), so it would be better to use 2 symbols than 2 digits.

    However, the single most important factor is the length. Just adding another 1-2 characters could mean a factor of a hundred times slower to guess the password. Changing the symbols or digits within the same password length doesn’t really add more time.

    Similar to the way passwords are shown in the mobile app, in big letters and different colors for numbers and symbols? Also, I think it would generally be a good idea to have the option somewhere of increasing the font size for the whole app, surprisingly I could not find that option anywhere.

    This is available in 1Password 6 for Windows as the Large Type option for the password field, and we also have updated password standards in 1Password 6, where it defaults to 24 characters with symbols/digits on by default.

    1Password 6 is not yet available as an upgrade to 1Password 4; it only has read-only support for local vaults. Hopefully it won’t be long before 1Password 6 is complete for everyone to use.
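To put numbers on the two claims in this thread (the original poster's point that fixing the digit and symbol counts narrows the set of possible passwords, and the reply's point that length matters far more than composition, with symbols worth slightly more than digits), here is an added worked example. It is not code from the original post, from the reply, or from 1Password. It assumes a 52-letter, 10-digit, 32-symbol alphabet (Python's `string.punctuation`), a generator that picks uniformly among every password its policy allows, and measures entropy as log2 of the number of distinct passwords each policy can produce; the function and policy names are mine.

```python
"""Entropy of password-generator policies.

Added example; not code from 1Password or from the thread.  Assumptions:
letters a-z/A-Z (52), digits (10), symbols = string.punctuation (32),
and a generator that picks uniformly among all passwords the policy allows.
Entropy is log2 of the number of distinct passwords a policy can produce.
"""
import math
import secrets
import string
from math import comb

LETTERS = string.ascii_letters   # 52
DIGITS = string.digits           # 10
SYMBOLS = string.punctuation     # 32 (assumed symbol set)
ALPHABET = LETTERS + DIGITS + SYMBOLS


def count_exact(length, n_digits, n_symbols):
    """Passwords of `length` with exactly n_digits digits and exactly
    n_symbols symbols; every other position is a letter (the fixed-slider
    policy the original poster describes)."""
    n_letters = length - n_digits - n_symbols
    if n_letters < 0:
        return 0
    # choose positions for the digits, then for the symbols among the rest
    placements = comb(length, n_digits) * comb(length - n_digits, n_symbols)
    return (placements * len(DIGITS) ** n_digits
            * len(SYMBOLS) ** n_symbols * len(LETTERS) ** n_letters)


def count_unrestricted(length):
    """Every position drawn from the full alphabet, no composition rule."""
    return len(ALPHABET) ** length


def count_at_least_one(length):
    """Full alphabet, but the password must contain at least one digit and
    at least one symbol.  Inclusion-exclusion over the forbidden cases:
    all - (no digit) - (no symbol) + (neither digit nor symbol)."""
    L, D, S = len(LETTERS), len(DIGITS), len(SYMBOLS)
    return ((L + D + S) ** length - (L + S) ** length
            - (L + D) ** length + L ** length)


def bits(count):
    """Entropy in bits of a uniform choice among `count` passwords."""
    return math.log2(count)


def generate_exact(length, n_digits, n_symbols):
    """Generator for the exact-count policy: pick the required digits and
    symbols, fill the rest with letters, then shuffle with the OS CSPRNG."""
    chars = ([secrets.choice(DIGITS) for _ in range(n_digits)]
             + [secrets.choice(SYMBOLS) for _ in range(n_symbols)]
             + [secrets.choice(LETTERS)
                for _ in range(length - n_digits - n_symbols)])
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_at_least_one(length):
    """Generator for the at-least-one policy via rejection sampling: draw
    uniformly from the full alphabet and retry until both classes appear.
    Rejection keeps the result uniform over the allowed set, which is what
    makes count_at_least_one() the right entropy figure for it."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw):
            return pw


def composition(pw):
    """Count of digits, symbols and letters in a password."""
    return {"digits": sum(c in DIGITS for c in pw),
            "symbols": sum(c in SYMBOLS for c in pw),
            "letters": sum(c in LETTERS for c in pw)}


if __name__ == "__main__":
    rows = [("16 chars, exactly 2 digits + 1 symbol", count_exact(16, 2, 1)),
            ("16 chars, exactly 1 digit + 2 symbols", count_exact(16, 1, 2)),
            ("16 chars, at least 1 digit + 1 symbol", count_at_least_one(16)),
            ("16 chars, unrestricted", count_unrestricted(16)),
            ("18 chars, exactly 2 digits + 1 symbol", count_exact(18, 2, 1))]
    for label, n in rows:
        print(f"{label:40s} {bits(n):7.2f} bits")
    print(generate_exact(16, 2, 1), generate_at_least_one(16))
```

Under these assumptions the 16-character exact-count policy sits a few bits below the at-least-one policy, which in turn is only a fraction of a bit below an unrestricted draw, because every password whose counts differ from the slider settings is excluded. Swapping one digit for one symbol at the same length adds log2(32/10), about 1.7 bits, while two extra characters add roughly 2 × log2(94), about 13 bits, so the ordering in the reply (length first, then symbols over digits) holds. The rejection-sampling generator is the straightforward way to implement "at least one" without biasing the distribution; placing a forced digit and symbol at random positions and filling the rest would not give the same uniform result.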

This discussion has been closed.