Feature suggestion: Display character count when generating new passwords

jackbrewster

Also applicable to iOS

It would be useful to see a character count indicator on the new password screen (both Characters and Words). I sometimes have to tweak the generated password and end up having to count characters manually to make sure I still meet min/max password length requirements.

Thanks

---

1Password Version: 6.8.7
Extension Version: 4.6.12
OS Version: macOS 10.13.3
Sync Type: 1Password
Referrer: forum-search:generat

rudy

@jackbrewster,

We'd probably want to do that on all the platforms, possibly when you click on the strength indicator, possibly visible when you're editing a password. I'll forward it on to the design team to see what they think.

Rudy

jackbrewster

I'd love if it was visible when editing. And yeah, I think it would be useful on the other platforms too, but I only use Mac and iOS, so wasn't sure what the experience is like on the others.

Thanks!

AGAlumB

@jackbrewster: Hmm. I'm not sure of the use case there. When you're editing or creating a new login, you can use the password generator, which lets you specify the length. Does that help?

rudy

@brenty,

It doesn't help in his contrived scenario because he's ending up having to edit it post-generation, to meet website password content requirements.

Rudy

jackbrewster

@brenty But there's no string length limitation when using the Words generator, which I sometimes prefer. There's just a minimum number of words, and those words can (and should) vary in length, resulting in varying total string lengths.

And even in the case of the Characters-based generator which provides for a string length, I still may need to edit because so many websites stink at defining their allowed/disallowed characters (or a variety of other reasons).

AGAlumB

It doesn't help in his contrived scenario because he's ending up having to edit it post-generation, to meet website password content requirements.

@rudy: Ah, fair enough.

But there's no string length limitation when using the Words generator, which I sometimes prefer. There's just a minimum number of words, and those words can (and should) vary in length, resulting in varying total string lengths.

@jackbrewster: Good point. I'm rather fond of the Wordlist generator myself as well, and have run into that issue. The problem is that trying to solve for length lowers entropy, as 1Password would then have to try to pick words expressly to fit, rather than completely at random. So two better options are to click "regenerate" until you get one that fits using the same word count, or decrease the word count (by one will usually be more than sufficient). Since the Wordlist is OVER 9000...times two — so 18,000+ — you get over 14 bits of entropy per word, which is what makes even 3 or 4 word passwords effective for most uses. That said, you'll always get the most-bang-for-your-entropy-buck with character-based passwords, so I'd encourage you to use those except when you need a word-based password (to remember and/or type manually) — which also allows you to explicitly specific the length.

And even in the case of the Characters-based generator which provides for a string length, I still may need to edit because so many websites stink at defining their allowed/disallowed characters (or a variety of other reasons).

Yep. That's an unfortunately reality. We'd like to offer more tools for that that type of scenario in the future, but while you can always delete however many characters you need to (you know the website's limit and how long the generated password is, after all) it's much, much better to just generate a brand new password of the maximum allowed length for two reasons: it will be completely random and unmodified by you, and because of that 1Password can better reflect the strength. If you manually edit a password, you're adding a human element, and 1Password will treat it as weaker. It can only calculate entropy accurately for a password which it created entirely itself.

Anyway, definitely an interesting topic. Thanks for bringing this up! :)

jackbrewster

The problem is that trying to solve for length lowers entropy, as 1Password would then have to try to pick words expressly to fit, rather than completely at random. So two better options are to click "regenerate" until you get one that fits using the same word count, or decrease the word count (by one will usually be more than sufficient).

@brenty I'm not asking for 1Password to solve for length, or try to pick words to fit into a fixed length. Just show me what the length is. Setting it to minimum word count doesn't always work as string length will always (correctly) vary. Tapping regenerate also doesn't help because without a character count, I still can't tell at a glance if the new password will fit.

but while you can always delete however many characters you need to (you know the website's limit and how long the generated password is, after all)

Yes, but that still doesn't address the issue. If I can't see what the new generated string length is, editing to fit is still not a great experience. As long as there are bad password forms out there, I'm going to need to make changes to passwords and adding a character count would help with that.

Thanks

Ben

Yep, fair points. Hopefully that is something we can address in the future. :)

Ben

vjnovak

Chiming in now - this is a HUGE issue for me. I only use Words (rather than Characters) when generating passwords because I find strings of random numbers and letters difficult to type in for websites that don't let me copy and paste into them, but often websites have 20-character limitations and so i have to manually count the characters when I'm deleting letters to match the website requirements. Seems like a simple enough feature to show the ongoing character count even while editing.

Ben

Hi @vjnovak

Chiming in now - this is a HUGE issue for me. I only use Words (rather than Characters) when generating passwords because I find strings of random numbers and letters difficult to type in for websites that don't let me copy and paste into them

Do you find that to be a common scenario? Do you not use the 1Password browser extension to fill credentials in? We typically only recommend words based passwords in cases where passwords have to be memorized, typed, given over the phone, etc. But in my experience those are few and far between. Almost all web login forms can be filled by the 1Password extension. If you're finding that isn't the case for the websites you use we'd be very interested to hear more about that.

Ben

vjnovak

It’s true that it’s a pretty rare scenario where I can’t actually paste in the password (maybe 5% of the time), but I prefer using words if I can. If I use, say, four words separated by hyphens and drop in a random character or two and a number, 1Password tells me I have a “fantastic” password with a complete green circle. In those situations where I have a character limit, the character could we be very helpful.

ag_ana

Thank you for the additional information @vjnovak!

vjnovak

Actually, here’s a real-world scenario where I can’t copy and paste from the app, which happens all the time: I store all my passwords, including work passwords, in 1Password. But my work computer has admin restrictions and won’t let me install the app on my work computer, so I have to open my phone and manually enter all passwords into my work computer. Hence it’s always preferable to use actual words rather than a string of random characters.

Ben

Thanks @vjnovak. If you're using a 1Password membership you can access 1Password through the https://my.1password.com/ web interface, no software installation required. Or, if you can install browser extensions, 1Password X may be able to help. :+1:

Ben

vjnovak

Thanks, Ben! Any updates on 1Password’s thinking re character count?

Lars

@vjnovak - nothing to share at this time, no. Keep an eye on release notes, especially the betas, which is where you'd see something like this first. Cheers! :)