Improved password requirements and usability in Password Generator

JohannesMP
Community Member
edited March 2017 in Lounge

Password Requirement Options

It is not uncommon for a website's password requirements to have some arbitrary limitation on what you can and cannot have in your passwords:


Generally these limitations fall into the following categories:

  1. Must be of X-Y length
  2. Must contain at least one number
  3. Must contain at least one Uppercase and Lowercase letter
  4. Must contain at least one symbol
  5. Must contain at least one of a given set of characters
  6. May not contain any of a given set of characters

Of this list, the current Password Generator really only covers category 1. and partially covers 2. and 4. (Allow is not the same as Require, so a randomly generated password still has a chance to fail if short enough. For example: https://i.imgur.com/vPPvBzZ.png).


Proposed additions

It would be nice if we could have an 'advanced options' section that expands the Password Generator with the following:

  • Require upper and lower case.
  • Consider changing 'Allow digit/symbols' to 'Require at least one'. The differentiation between Allow and Require could be a global preference so it wouldn't need to take up additional space in the generator.
  • A whitelist of characters that at least one must be included from (would be a text field).
  • A blacklist of characters that should never be included (would be a text field).

Black and whitelisting will be useful for matching arbitrary limitations such as the one in the screenshot above, and allow you to avoid potential issues.

For example, while working in Finland for a while I had to use a Finnish keyboard, and some symbols are in drastically different locations than my US muscle memory was used to, so I'd have preferred if I could exclude certain troublesome characters from my passwords if at all possible.

Password Delimiters

On a semi-related note, it would be useful to have the option of defining a delimiter that is used to separate longer passwords into more readable chunks. So for example, if I generate a 16 character password: ABCDEFGHIJKLMNOP

I would like to be able to check an 'Add delimiter' option and specify a character, for example an underscore, which is then inserted every 4-6 characters. So the above example might instead be: ABCD_EFGH_IJKL_MNOP which is far more readable and easier to enter by hand.

I see the 'Words' option as being an attempt at addressing the readability issue, but of course many password schemes (see above) don't allow only words. I think the best approach would be to simply add 'Delimited' as a new selectable option in addition to 'Characters' and 'Words'.


Password strength

In the above example the user would have manually increased the length from 16 to 20, since in practice, this does reduce the overall entropy (20 pseudorandom characters vs 16 pseudorandom and 4 more predictable) but the readability benefit would definitely make up for that.

While the argument could be made that ideally you would always either use a browser extension to automatically enter passwords for you, I myself still often find myself having to look up a password on my phone and manually entering it somewhere where I don't have the ability to customize the machine.


1Password Version: 6.4.377d
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
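
The requirement categories, whitelist/blacklist and delimiter ideas from the post above, worked through as a small generator. This is an added example and not 1Password's code or JohannesMP's; the `Policy` class, the symbol alphabet and the Sorastro-style rule set used in the demo are all constructed here. The generator uses rejection sampling so that the output is uniform over every password the policy allows, and it refuses (rather than spinning forever) when the rules contradict each other, such as requiring a symbol while blacklisting all of them.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class Policy:
    """A website's password rules, following the categories listed in the post.

    `symbols` is the symbol alphabet the generator draws from (a constructed
    default); `required_any_of` is the whitelist ("at least one of these"),
    `excluded` is the blacklist ("never any of these").
    """
    min_len: int = 8
    max_len: int = 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = "!@#$%^&*()-_=+[]{}"
    required_any_of: str = ""
    excluded: str = ""

    def alphabet(self) -> str:
        """Characters the generator may use: everything allowed, minus the blacklist."""
        pool = set(string.ascii_letters + string.digits + self.symbols + self.required_any_of)
        return "".join(sorted(pool - set(self.excluded)))


def violations(password: str, policy: Policy) -> list:
    """Names of the rules `password` breaks; an empty list means it complies."""
    broken = []
    if not policy.min_len <= len(password) <= policy.max_len:
        broken.append("length")
    if policy.require_upper and not any(c.isupper() for c in password):
        broken.append("upper")
    if policy.require_lower and not any(c.islower() for c in password):
        broken.append("lower")
    if policy.require_digit and not any(c.isdigit() for c in password):
        broken.append("digit")
    if policy.require_symbol and not any(c in policy.symbols for c in password):
        broken.append("symbol")
    if policy.required_any_of and not any(c in policy.required_any_of for c in password):
        broken.append("required_any_of")
    if any(c in policy.excluded for c in password):
        broken.append("excluded")
    return broken


def generate(length: int, policy: Policy, max_attempts: int = 10_000) -> str:
    """Draw a compliant password by rejection sampling.

    Each candidate is drawn uniformly from alphabet^length and discarded unless
    it complies, so the result is uniform over all compliant passwords. The
    common shortcut (force one character of each class in, then shuffle) is
    not uniform. `secrets` is used because `random` is not a CSPRNG.
    """
    alphabet = policy.alphabet()
    if not alphabet:
        raise ValueError("the blacklist removed every usable character")
    if not policy.min_len <= length <= policy.max_len:
        raise ValueError("requested length is outside the policy's length range")
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, policy):
            return candidate
    # Reached when the rules contradict each other (e.g. every symbol blacklisted
    # but a symbol required) or compliance is astronomically unlikely at this length.
    raise ValueError("no compliant password found; the policy may be unsatisfiable")


def add_delimiters(password: str, delimiter: str = "_", every: int = 4) -> str:
    """Insert `delimiter` after every `every` characters for hand-typing (ABCD_EFGH_...)."""
    if every <= 0:
        raise ValueError("chunk size must be positive")
    return delimiter.join(password[i:i + every] for i in range(0, len(password), every))


if __name__ == "__main__":
    # Rules like Sorastro's further down the thread: 8-16 characters, a letter,
    # a number, and one of @ ! $ % ^ * ( ). "A letter" is read as lowercase here.
    sorastro = Policy(min_len=8, max_len=16, require_upper=False, symbols="@!$%^*()")
    pw = generate(16, sorastro)
    print(pw, violations(pw, sorastro))
    print(add_delimiters(generate(16, Policy())))
```

The `violations` function doubles as the check a user would otherwise do by eye: run it on any generated password against the site's rules and it names exactly which rule failed, which is what the post's "regenerate until it fits" workaround is really doing by hand.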


Comments

  • prime
    Community Member

    I agree with this. The other day I changed my one password (hahaha 1Password) for an account, and it let me use numbers, letters, and dashes only. I wanted to use the dashes to make it easier if I typed it in, and I feel a symbol helps with strength of the password.

    How I worked around this was make a password with numbers and letters, copied it to the note section for that login, replaced some of the letters with a dash (-), and copied it back to the password area.

  • jeffreydwalter
    Community Member

    I would also like to see this. The main thing I encounter is the list of symbols allowed. It would be trivial, and I would be satisfied, to have the option to type in a list of the symbols that I want to allow, as opposed to the originally proposed request of having a black/white list of characters.

  • AGAlumB
    1Password Alumni

    @jeffreydwalter, @prime: Thanks for letting us know! :)

    @JohannesMP: And thank you so much for taking the time to share your suggestions for improvements to 1Password's strong password generator! Even though it's pretty gross that websites make us use weaker passwords by doing this, we really want to do something in this area to give more control over the process. It isn't something we're working on now, but I'll share all of this with the team. I'm not sure frankly what a manifestation of all of this would look like in practice, or that it's feasible to include all of this and still keep it user-friendly, but there's definitely room for improvement, and some great ideas here. Cheers! :)

    ref: OPM-1378

  • Sorastro
    Community Member

    +1

    Just ran across this list of password requirements - and I need to edit the generated password to fulfill them - What A PAIN!

    In particular the "words" method (which I like) doesn't have a way to change case, add a number or use any of the listed special characters!

    Password Creation Guidelines

    Must be 8 to 16 characters long
    Must contain at least one letter
    Must contain at least one number
    Must also contain one or more of the following special characters: @ ! $ % ^ * ( )

  • Hi @Sorastro,

    Thanks for the feedback. If you have any suggestions on how we could make the words recipe work within these types of requirements, without having an "options" section that is huge, we'd definitely be interested in hearing that.

    In the meantime the characters recipe may be more suited for sites that set these sorts of requirements.

    Ben

  • Sorastro
    Community Member

    Some possibilities off the top of my head: Since sites have length limitations, add a number of characters slider, (let the app choose the number of words or keep the number of words ine.. Have an "integrated Caps" line with a dropdown menu choice from 0 to x characters and the same for "integrated Numbers". Change the separator to a dropdown list and add the missing ones. That would do it for me.

  • AGAlumB
    1Password Alumni

    Thanks for the suggestions! We've got a few ideas as well, so it helps to get a sense of what you're looking for as we develop future versions. Cheers! :)

  • joethewrangler
    Community Member

    The password generator needs to be able to conform to the websites' requirements. I find it generally useless and use my Keychain generated passwords (unless they also violate the website rules). I find that length and required symbols are the biggest problem. 1Password needs more IQ for site sign-ins, particularly big company ones like American Express, etc.

  • Hi @joethewrangler

    The difficulty with that is that there is no standard for websites to define what their requirements are. The only somewhat reliable way for us to do that would be to manually create and update a database with the requirements of, say, the top 1000 companies. But even then that would only cover a very small percentage of the internet, and could very easily become outdated as websites change their requirements. As such this makes this approach fairly unrealistic and impractical.

    One thing we could try would be to offer different options in the password generator that would make it easier to conform to the requirements defined by the website. We have made some improvements there over the years but there is of course still room to improve.

    Thanks for the feedback. It's something we'll keep thinking on.

    Ben

  • prime
    Community Member

    What websites should do is tell you the requirements for a password. I don't know how many times I made a password and I couldn't use it. Then the website tells you after it doesn't work. Why couldn't it tell me before. Jerk websites lol

  • Indeed. That makes this problem especially difficult to solve. :(

    Ben

  • prime
    Community Member

    @Ben I had one site where all went well making the password, and I used 30 random numbers, letters, and characters. So I go back into the site and it said the password was wrong. I tried a few times, nothing. So I did the recovery and when I made a new password, then it told me "must be 8-20 characters long". So what happened was, I made it 30 characters, but it only accepted the 1st 20 characters. When I logged in, it then counted the full 30 characters, prompting the site to tell me it was the wrong password.

    Again if the site told me upfront 8-20 characters, I would have known. Nothing you at AgileBits can do, but I wish the websites would tell us right away.

  • Indeed! That is especially frustrating. I don't recall any first hand experience with something like that but it reminds me of this story:

    Schwab password policies and two factor authentication: a comedy of errors – Jeremy Tunnell

    Sometimes websites just don't handle these things well. We can't fix that for them.

    Ben

  • AGAlumB
    1Password Alumni

    Ha! I don't recall when they changed their password policies, but I do remember Khad being super excited about that. Less enthusiastically, I also changed my password to something stronger at that time. But that's a fantastic case study. Schwab may no longer be an offender, but you can swap in the name of many other financial institutions today and tell a similar tale. :angry:

  • prime
    Community Member
    edited May 2017

    Wow @Ben interesting read! Thanks for that link.
    @brenty I read an article a few weeks ago about how some banks don't have any restrictions on a password. The password could be "password" and it will be fine in the bank's eyes. I think that's what we were talking about in the SMS thread about 2SA I posted. How people have that "security" and use poor passwords, because they think they are safe due to 2SA.

  • That was a super interesting read. Thanks for sharing, Ben. :)

    Rick

  • :+1: :)

    Ben

  • dsovereen
    Community Member

    One other password requirement I've run into issues with: no repeating characters. I set the Password Generator to the maximum length a web site allows. Seems that at 50+ characters, MOST passwords 1Password generates contain a repeating character. Example (my first try):

    A4voMXTPqB6i+sZJWALKRgxAA{+FKdygRyRJjZWCqmmNyX7TkQ

    Here, I have an AA and an mm.

    Perhaps a checkbox for no repeating characters can also be added when this utility is improved?

    Thanks,

    Dave

  • AGAlumB
    1Password Alumni

    @dsovereen: Are you saying you've encountered many websites that forbid repeating characters? That's a new one to me. I'm not sure what the point of that would be. It's an option we can consider, but if we add an option for every little restriction out there that websites come up with, I think you can imagine the result. And disallowing repeating characters means less entropy, which makes generated passwords weaker. So it's not something we'd do on a whim.
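
Two entropy claims in this thread can be checked by counting: brenty's point just above that forbidding repeated characters removes entropy, and JohannesMP's point in the opening post that 16 random characters plus 4 fixed delimiters is weaker than 20 random characters. The script below is an added example, not 1Password's code; it assumes a constructed alphabet of 26 uppercase, 26 lowercase, 10 digits and 8 symbols (70 characters, the size of the symbol list Sorastro quoted), counts how many passwords each rule leaves allowed, and reports log2 of that count as the entropy of a uniform draw. "Repeating character" is read as dsovereen's adjacent-pair case (AA, mm); it also counts the "at least one of each class" requirement by inclusion-exclusion, which the thread discusses but does not quantify.

```python
import math
from itertools import combinations


def unrestricted(n: int, length: int) -> int:
    """Number of strings of `length` over an alphabet of `n` characters."""
    return n ** length


def no_adjacent_repeats(n: int, length: int) -> int:
    """Strings in which no character equals the one before it (rules out AA, mm).

    The first position has n choices, every later position n - 1.
    """
    return 1 if length == 0 else n * (n - 1) ** (length - 1)


def require_each_class(class_sizes, length: int) -> int:
    """Strings over the union of disjoint classes (e.g. 26 upper, 26 lower,
    10 digits, 8 symbols) that contain at least one character of every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on.
    """
    n = sum(class_sizes)
    total = 0
    for r in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, r):
            total += (-1) ** r * (n - sum(missing)) ** length
    return total


def bits(count: int) -> float:
    """Entropy in bits of a uniform draw from `count` equally likely passwords."""
    return math.log2(count)


def compare(class_sizes=(26, 26, 10, 8), length=16, delimiter_count=4, long_length=50):
    """Entropy for the variants discussed in this thread (constructed alphabet)."""
    n = sum(class_sizes)
    return {
        "plain": bits(unrestricted(n, length)),
        "require_each_class": bits(require_each_class(class_sizes, length)),
        # ABCD_EFGH_IJKL_MNOP: the delimiters are fixed, so 16 random characters
        # plus 4 delimiters carry exactly the entropy of 16 random characters...
        "delimited": bits(unrestricted(n, length)),
        # ...while the same 20-character width filled with random characters is stronger.
        "same_width_random": bits(unrestricted(n, length + delimiter_count)),
        "long_plain": bits(unrestricted(n, long_length)),
        "long_no_adjacent_repeats": bits(no_adjacent_repeats(n, long_length)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value:7.2f} bits")
```

Running it shows the size of each effect rather than just its sign: the delimited layout gives up the full 4 characters' worth of entropy compared with a 20-character random password, while banning adjacent repeats in a 50-character password costs on the order of one bit, and requiring one of each class at 16 characters costs a fraction of a bit. Small numbers like these are worth having in front of you when deciding which of the options requested in this thread are safe to add.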

  • dsovereen
    Community Member

    Not many, maybe a half dozen that have complained out of ~300. So maybe 1% of the times where I have wanted 1Password to generate a maximum strength password (as allowed by the site) but could not meet their criteria using the password generation tool.

    The interface that is there now generates maximum strength passwords for maybe about 85% of web sites with ease. It seems to me that maybe an Advanced button or slide could be added that then expands and offers these additional settings for those of us that want the maximum strength password.

    An issue that was mentioned above and accounts for the majority of times that 1Password does not generate a maximum strength password meeting the web site's requirements is the symbol whitelist and blacklist. If a web site says it requires one of the following [insert list here] symbols, and I tell 1Password to generate a password with symbols, it inevitably will contain a not allowed symbol. So then it's a matter of Regenerating until a permissible symbol is put in, or editing the symbol to one allowed. Being able to paste in a list of allowed or disallowed symbols, which normally appears right on the web site and can easily be copied and pasted, would remedy the vast majority of password generator requirement failures.

    Dave

  • Drew_AG
    1Password Alumni

    Thank you for your feedback, @dsovereen! Indeed, although our hope is that more and more websites will stop forcing silly restrictions on their users, there will probably always be some sites that have odd (perhaps even nonsensical) and/or insecure password requirements. The password generator won't be able to conform to the password requirements of every single website out there unless we add so many options that it becomes a confusing, unruly mess. But I think there are certainly some improvements we could make that would help with a large number of sites while still keeping the interface simple and user-friendly, and we'll definitely consider and look into some options for that.

    Thanks again, and have a great weekend! :)

  • genec00000
    Community Member

    If I can hop onto this thread with a comment: My preference is to use the "words" format for the 1Password password generator, but maybe 8 times out of 10 I get rejected for not including a number and/or not including an uppercase letter. Usually I create a "words" password, say "Yes" to 1password saving it, then after being rejected by the website, go to the 1Password entry, edit the password by sticking a digit into a random spot, and resubmitting the form. This makes the whole process much more cumbersome than it should be. A check box for "add complexity" which would uppercase a random letter and insert a random numeral would be really nice.

  • AGAlumB
    1Password Alumni

    @genec00000: It's really best not to use the words option unless you specifically need to (for example, if you have to memorize and/or type a certain password regularly). Character-based passwords of the same length will always be much stronger, and you'll also find that it's easier to meet most sites' password requirements this way as well. So I don't think we want to design around that specific scenario, and this can help you avoid trouble in many cases. Cheers! :)

  • Croptop
    Community Member

    I agree wholeheartedly with the need to improve the current iteration of the password generator to make it easier to satisfy the various wants and needs of all websites (regardless of how silly or arbitrary they may be).

    At the very least, I would dearly love to see the current version of the password generator returned to the same functionality that exists in 1Password4 -- that is to say, a slider to set the number of digits and/or special characters rather than a check box that gives me an indeterminate and random number of them.

    When I finally switched from my beloved 1Password4 to 1Password6, this loss of functionality hit me almost immediately and I gnash my teeth every time I have to generate a new password now. I think I like 6 but I've considered reinstalling 1Password4 just to get that old password generator back.

  • AGAlumB
    1Password Alumni

    @Croptop: It isn't something we're able to work on right now, but it's certainly something we can take into account as we do in the future. We want to improve this and also make it more consistent between platforms. But one thing we don't want is for people to significantly weaken their passwords by setting symbols and/or digits to "1". Having these enabled to produce a password with at least one results in much stronger passwords (each character can potentially be one), and it also satisfies common silly password requirements like "must include at least one number and one symbol" without limiting it further.

  • NeckBeardBrad
    Community Member

    I just want to reiterate what brenty said in that I upgraded from 1Password 4 to 6 and quickly found that lack of password recipes crippled my workflow, and I am disappointed in a regression of a feature I frequently use.

  • AGAlumB
    1Password Alumni

    1Password 6 is a brand new app and we have a lot of stuff in the works. And the password generator is something we're looking at to improve across all platforms to make it more consistent and intuitive. Thanks for the feedback on this! :)

  • DAD
    Community Member

    I'd like to see some improvement on password recipes as well. Specifically the symbols. Unfortunately, many sites have support for symbols but limit the set of symbols you can use. Being able to supply a list of symbols for the recipe, and ideally saving the recipe per site, would go a long way to alleviating the workflow for generating passwords. The first password manager I ever used, Password Safe, which was also one of the first ones ever created, had support for this. It saves having to create a password and then manually scanning the symbols to remove / change incompatible ones.

  • Certainly I've run into what you describe before as well. It would be handy to be able to define what symbols can be included. :+1: :)

    Ben

  • tvacula
    Community Member

    Came here to suggest refining the symbols option of the password generator, and glad I found this thread. I, too, would like the option to whitelist/blacklist certain symbols, if the website is kind enough to specify their requirements during password generation. I recently got locked out of a website that did not specify their symbols requirements until I had to resort to the "forgot password" link.

    'JohannesMP' did a commendable job of suggesting possibilities for the password generator.

    I don't see any feasibility for 1Password to try to automatically do this, it would have to be a manual process. But, it would be nice, if it were possible, to copy and paste the symbol requirements from the website into an option field(?), with a toggle to whitelist, or blacklist, those symbols.

    Thank you guys for continuing to improve such an important tool on our devices!
