Advanced password generator

TravelSD
Community Member
edited April 2023 in 1Password 7 for Windows

I LOVE 1PW, but the password generator really needs work. Frequently it creates passwords that do not match website complexity rules. I'd like more control over it, such as the attached screenshot from an enterprise product I use. There you can choose upper-case, lower-case, digits, and a variety of special characters.

Today, the "allow digits" and "allow symbols" options do NOT force the use of them. I've had passwords generated that were only letters and symbols, and sites reject it because of no numbers. Or they are picky about some symbols and not others.


1Password Version: 6.6.423
Extension Version: Not Provided
OS Version: Windows 10 x64
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @TravelSD: I can promise you that we're never going to make something like that. It's unsightly, and overly complex for most users. Our goal is for 1Password to be approachable, easy to use, and also not make it easy for people to be less secure due to confusing/incomprehensible UI. "High ANSI characters" and "XML compliant" are the poster children for this.

    Additionally, I think it's also worth pointing out that sites that restrict password composition are making their users less secure (not only by making them choose weaker passwords, but often doing so because they're storing users' passwords!) They're doing it wrong.

    That said, we recognize that while many sites have improved in this area over time, we can't exactly count on others doing the right thing, either now or in the future. And you're right that there's room for improvement with 1Password in this regard as well, and an opportunity for us to help users on our end as well (without simply hoping that website developers turn over a new leaf). I can't say for certain if or when we'll be able to do something in this area, but something like the "include" and "exclude" fields, while largely redundant in that UI, could allow for more customization in 1Password without junking things up, and could be ignored by users unless (or until) they need them. Thanks for pushing us on this. :)

  • Manaburner
    Community Member

    "Enterprise" is the cue here. To me, products are called Enterprise when they are very complicated and have a lot of bells and whistles. ;)
    But I think @TravelSD has a point here. The password generator should really make sure that the settings I chose are actually enforced. It sounds to me that this would solve his problem. And I would appreciate that too btw

  • Nimish Telang
    Community Member
    edited June 2017

    @TravelSD There has to be a happy medium here: the standard pw generator is fine but often I have to click 4-5 times to get something that can match the website rules.

    I don't like the rules and they definitely reduce security, but pragmatism rules here: for example, I would really like a way of restricting special chars to the peculiar subset a bunch of places use.

    I do agree that "High ANSI" and the other esoteric options are not useful for 99.9%, but I would argue (and I'm sure analytics would show) that people run into issues where the current PW generator is not precise enough.

  • Nimish Telang
    Community Member

    And the example image is really a straw man; there's no need for whatever 1password comes up with to be as poorly designed. A progressive reveal of advanced options would hide a lot of useless complexity.

    Thoughtful design is why I pay for 1password and not its competitors.

  • AGAlumB
    1Password Alumni

    > "Enterprise" is the cue here. To me, products are called Enterprise when they are very complicated and have a lot of bells and whistles. ;)

    @Manaburner: Good point. :lol:

    > But I think @TravelSD has a point here. The password generator should really make sure that the settings I chose are actually enforced. It sounds to me that this would solve his problem. And I would appreciate that too btw

    Totally. There are some other things we'd like to do with the password generator as well, but it's not something we're working on right now. Personally, I'd love it if we could remember per-site settings for the generator. We definitely want to do more.

    > @TravelSD There has to be a happy medium here: the standard pw generator is fine but often I have to click 4-5 times to get something that can match the website rules.

    @Nimish Telang: That's a really good point. It totally depends on which sites you frequent. When I initially read that, I thought, "Really?!" as I just don't run into this often nowadays. But the websites each of us interacts with regularly will differ, and that's why this feedback is beneficial. More on that below. :)

    > I don't like the rules and they definitely reduce security, but pragmatism rules here: for example, I would really like a way of restricting special chars to the peculiar subset a bunch of places use.

    You're absolutely right.

    > I do agree that "High ANSI" and the other esoteric options are not useful for 99.9%, but I would argue (and I'm sure analytics would show) that people run into issues where the current PW generator is not precise enough.

    Indeed, we do get some feedback on this, but not as much as you might think based on your own experience. We also don't collect customer usage data for privacy reasons. It's likely that some users are just much more prolific when it comes to signing up for new accounts for which they have to generate passwords. I have about 1200 items saved in 1Password, and based on interacting with others this seems to be typical for many "power users", but most of the less-geeky users I talk to are more in the 100-or-less range...and in that case they'll run into these issues less based on just numbers alone.

    So while we want to make the password generator better, this isn't at the top of our list right now. By far, most of our effort in this area goes into login filling, as that's what everyone uses 1Password for the most. In most cases, a password only needs to be generated once for any given website. But we'll be revamping this in the future as well.

    > And the example image is really a straw man; there's no need for whatever 1password comes up with to be as poorly designed. A progressive reveal of advanced options would hide a lot of useless complexity. Thoughtful design is why I pay for 1password and not its competitors.

    Thanks for the kind words, and your support. And you're right: We need to make sure that whatever we do, it's pleasant for all 1Password users to interact with. Cheers! :)

  • TravelSD
    Community Member

    I 100% agree some of the options in the screenshot are NOT needed for 1PW (e.g. XML, high ANSI, etc.). But, being able to force a password to have certain characteristics such as lower case, upper case, number, and special character would be good. Some sites don't like special characters, so having a check box approach to the password characters (like you do today but a bit more choice) is what I'm looking for. I wasn't implying to copy that GUI exactly....I agree it's not consumer friendly.

  • Hi guys,

    We are looking into improving our generator for sure, it will get some additional settings to help with various sites along with the idea of storing known password requirements like the way we do Watchtower. We have some internal work we're doing to make the generator more consistent across all 1Password apps first and then we'll start progressing to make sure they all get the same settings at the same time.

  • TravelSD
    Community Member

    Cool! My thought is a checkbox for: Upper Case, Lower case, number, special character. If the box is checked, the generated password WILL have that character. Biggest issue I have now, is generated passwords may not contain a character that I currently check a box for, like symbols. "Allow" is the operative word here..."force" would be great.

  • AGAlumB
    1Password Alumni

    I agree that would help in some situations. The tough thing is that some sites also have specific positional and numerical requirements for some things, so there's no one-size-fits-all solution, so I think we need to focus on a 90% option with good usability. Cheers! :)

This discussion has been closed.
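
Added example (not from the thread, and not 1Password's code): the difference between "allow" and "force" that TravelSD and Manaburner describe, sketched in Python. The symbol set and all function names are assumptions; rejection sampling is one way to enforce the checked classes, used here because it keeps every compliant password equally likely.

```python
import secrets
import string

# Character classes named in the thread; the symbol set is an assumption.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*-_=+",
}

def build_classes(require, exclude=""):
    """Return the checked classes with site-rejected characters removed."""
    out = {}
    for name in require:
        chars = "".join(c for c in CLASSES[name] if c not in exclude)
        if not chars:
            raise ValueError(f"class {name!r} is empty after exclusions")
        out[name] = chars
    return out

def satisfies(password, classes):
    """True if every checked class contributes at least one character."""
    return all(any(c in chars for c in password) for chars in classes.values())

def generate(length, require, exclude=""):
    """'Force' semantics: draw uniformly, retry until every class is present.

    Rejection sampling stays uniform over all compliant passwords, unlike
    planting one character per class and shuffling the result.
    """
    classes = build_classes(require, exclude)
    if length < len(classes):
        raise ValueError("length is shorter than the number of required classes")
    alphabet = "".join(classes.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, classes):
            return candidate

def miss_probability(length, classes, name):
    """Chance that an 'allow'-style draw contains no character of class `name`."""
    total = sum(len(chars) for chars in classes.values())
    return (1 - len(classes[name]) / total) ** length

if __name__ == "__main__":
    cls = build_classes(["upper", "lower", "digit", "symbol"])
    print(generate(16, cls, exclude="%^"))
    print(f"{miss_probability(16, cls, 'digit'):.1%} of 16-char 'allow' draws lack a digit")
```

With this 74-character alphabet, roughly one in ten 16-character "allow" draws contains no digit, which matches the repeated regenerate clicks described in the thread.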