When regenerating a password, 1Password does not respect the previous password's length.

If I am not using a 30-character or longer password, it's because a site I use limits passwords to a particular length like 10, 15, or 8 characters. When I periodically go to regenerate my password, 1Password does not respect the length of my previous password in effect on that site. Instead, it appears to use whatever length I last used (most typically for some other site, whose length limit might have allowed a longer password). Net net, I frustratingly always have to remind myself what the length limit was for the current site and manually re-adjust the regenerated password length to match.


1Password Version: 6.5.3
Extension Version: Not Provided
OS Version: 10.12.2
Sync Type: 1Password Account
Referrer: forum-search:password length regenerate

Comments

  • jxpx777
    1Password Alumni
    edited January 2017

    That's an interesting idea, @steve_muench. The difficulty here is with knowing whether your current password is the strongest the site will allow. For many users that are just getting started with 1Password, they have weak passwords like fuzzycat123 or a single strong-looking password that they were using on multiple sites. In many of those cases, they can and should generate a much longer password there.

    If the site doesn't require you to change your password, frequent password changes aren't really that helpful. If you use the strongest password the site will allow and it's not in use anywhere else, changing this password to a different strong, unique password doesn't add anything to your overall security. If there is a breach or something else that compels you to change your password, that's another thing, but for your day-to-day security, it's not really that helpful. I hope that makes some sense.

    Let us know if you have other questions or concerns.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

    ref: OPM-1530

  • steve_muench
    Community Member

    Jamie, thanks for the background info on why it doesn't currently work the way I was hoping. I appreciate now why it's the correct default behavior given the extra info you've provided. However, I would still be willing (and excited) to tick an optional box in the password login entry saying that it should keep my current password length "locked" or whatever, to give 1Password that extra bit of information on which to base its behavior.

  • jxpx777
    1Password Alumni

    Yes, but then there is also the possibility that someone working on that site could become more sane in the future and remove their arbitrary limits. In that case, how would you know you could be using a much longer password? :)

  • FrancoisD
    Community Member

    @jxpx777 "If the site doesn't require you to change your password, frequent password changes aren't really that helpful. If you use the strongest password the site will allow and it's not in use anywhere else, changing this password to a different strong, unique password doesn't add anything to your overall security. If there is a breach or something else that compels you to change your password, that's another thing, but for your day-to-day security, it's not really that helpful."

    Hello. I think a frequent password change makes sense. Example: you are a Yahoo email user (yes, I know...). They got breached two times, once in 2013, once in 2014. Not until 2016 did the public, and probably Yahoo, know about the breaches. In the meantime someone had my login details. Let's say I change my password every 2 months; the hackers then had a maximum of 2 months to enter my Yahoo account. After that period, I would have another password, so my security is better. What do you think? Same thing with the LinkedIn and Dropbox breaches. Thanks.

  • littlebobbytables
    1Password Alumni

    Greetings @FrancoisD,

    You raise an interesting point and running with it a little further shows how messy the whole situation is.

    If the people behind the intrusion are simply selling lists, then those that purchase the lists would have a limited period in which to benefit under your approach. If access was a one-off, e.g. a disgruntled worker at the point of their departure, then you've helped limit the window of availability. If the access was via a weakness, then until the target is aware and fixes the weakness, nothing stops those same original people entering again to refresh their data. Maybe they don't tend to, on the assumption that people don't change their passwords all that often and multiple attempts are more likely to be noticed. I confess I've never tried to place myself in the head of somebody that does this sort of thing.

    If you have the patience for frequent password changes, even if limited to high value targets, then I applaud you, as it does require a certain degree of patience. With Yahoo, the admission of the breaches finally answered one of the questions I had, which was: why was some spam referring to me by name and coming from known contacts? I hadn't entertained the notion that Yahoo had been compromised on a massive scale and that it was the address books of contacts that had been swiped, not when a less complicated answer was that my own system had been compromised (although I could never figure out how). So for the spammers continued access doesn't seem to be a concern; they probably got everything they needed straight away and password changes wouldn't have helped. That's one very specific situation though, and there must be plenty of scenarios where your approach would be beneficial.

    Password restrictions are a pain in the rear. I tend to add a note to Login items when I stumble upon them. I'm not sure what an ideal answer is.

  • FrancoisD
    Community Member

    @littlebobbytables Thanks for your answer! Very interesting points you made.

    Just one thing. You wrote "If you have the patience for frequent password changes, even if limited to high value targets, then I applaud you as it does require a certain degree of patience."

    I only have about 10 high-security passwords, so changing all of them every 2 months (let's say 5 minutes per account) makes 50 minutes in 2 months, so this isn't a lot of time.

    Even better than frequent password changes is 2FA for the high-security accounts!

    Regards
    FrancoisD

  • littlebobbytables
    1Password Alumni

    Hi @FrancoisD,

    Your reply raised an interesting question, or at least I think an interesting one. How are sites storing 2FA secrets, given both the site and we as the user need to know the same secret? My suspicion is that 2FA helps more those that reuse their passwords in multiple places, by reducing the damage of a hacked site (or easy password), while in your case it may not offer much additional security due to your strong and unique passwords as well as your regular changing of them. If a site stores the 2FA secret anywhere as accessible as the rest of the account details, an intrusion may result in both being readily obtained. It would be very site specific of course and depend on whether the 2FA is in-house or handled by an external service.

    I suppose 10 password changes even once a month isn't too bad and even I should be able to be that patient (I hope).

  • FrancoisD
    Community Member

    Thanks for your answer @littlebobbytables

    Yes, it helps the people that reuse their passwords more, but it can also help me in some worst-case scenario. Let's say malware got on my computer and takes all my passwords. Then they cannot log in to the services with 2FA, a very good thing for me! :-)

  • littlebobbytables
    1Password Alumni

    At the end of the day you've got a very healthy and proactive stance towards your security, which is very sensible. Like insurance, I hope it is something that you never need to be grateful for and that it remains in the category of wise precautions rather than becoming a first-hand experience :smile:

  • FrancoisD
    Community Member

    @littlebobbytables Thanks! I hope so too :-) Have a good time, regards Francois

  • littlebobbytables
    1Password Alumni

    :smile: :+1:

This discussion has been closed.