Password generator preferences

The password generator doesn't maintain set preferences


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @HRD: Indeed, definitely something we'll be tweaking as we build the password generator. Thanks for the feedback! :)

    ref: b5x-265

  • Good morning, @HRD! 👋

    I'm glad to see you playing with our new password generator. It was a lot of fun to create but seeing folks using it is even more so. 🙂

    You're right, we don't restore password attributes after they have been changed. We made the conscious decision to always default to what we believe is the best possible password for most situations. For the random character based passwords we went with a length of 20 as it was a great balance between security and website compatibility. We've seen many websites silently truncate longer passwords to make them fit within their database, which leads to lots of confusion as passwords that work in one place won't work in others.

    I expect many people will crank the password length up to 50 and if we preserved that we would run the very real risk of passwords being created that would appear to work and then stop working in the future. The opposite is also true. If a website requires a short password, we don't want to remember the attributes required by that site.

    Another way to look at this is that these are attributes, not preferences, so we default to what's best for this website.

    By the way, the amount of entropy in a random 20 character password with mixed case and numbers is incredibly high. I recently played with some math for passwords of 16 characters and the exponential nature makes things get crazy big incredibly fast. For just 16 characters you could give every person on earth a billion passwords and still have enough unique passwords left over to do this a billion more times. And with a 20-character password we're looking at a universe of passwords about 14 million times (62 x 62 x 62 x 62) larger.

    Now on some websites you might sleep better at night having even more characters, such as a cryptocurrency account. Even though the math behind 20 characters should be more than enough, we never want to get between you and a good night's sleep! 🙂 And that's why we allow you to customize the password to your heart's content when needed. We simply revert back to the attributes that are best for most websites afterwards.

    I hope that helps explain where we're coming from and what was in our minds as we designed and implemented the new password generator.

    Take care,

    ++dave;
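The entropy figures in the post above can be checked directly. The following is an added example, not 1Password's code or anything from the thread: it models a password's attributes (length plus a 62-symbol mixed-case-and-digits alphabet, the assumption the post makes), draws characters with a CSPRNG so the stated entropy actually holds, and verifies the "billion passwords for everyone on earth, a billion times over" illustration against a constructed round world-population figure.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Mixed-case letters plus digits: the 62-symbol alphabet the post reasons about.
ALPHABET = string.ascii_letters + string.digits

# Constructed round figure used only for the sanity check below.
WORLD_POPULATION = 7_600_000_000


@dataclass(frozen=True)
class PasswordSpec:
    """Attributes of one generated password (hypothetical model, not 1Password's)."""
    length: int = 20          # the default length discussed in the thread
    alphabet: str = ALPHABET


def password_space(spec: PasswordSpec) -> int:
    """Number of distinct passwords the spec can produce: |alphabet| ** length."""
    return len(spec.alphabet) ** spec.length


def entropy_bits(spec: PasswordSpec) -> float:
    """Entropy in bits of a uniformly chosen password under this spec."""
    return spec.length * math.log2(len(spec.alphabet))


def generate(spec: PasswordSpec = PasswordSpec()) -> str:
    """Draw every character uniformly with the OS CSPRNG, never random.random()."""
    return "".join(secrets.choice(spec.alphabet) for _ in range(spec.length))


def space_ratio(longer: PasswordSpec, shorter: PasswordSpec) -> int:
    """How many times larger the longer spec's space is (exact when alphabets match)."""
    return password_space(longer) // password_space(shorter)


def covers_everyone_a_billion_times_over(spec: PasswordSpec,
                                         population: int = WORLD_POPULATION) -> bool:
    """Every person gets a billion passwords, and that hand-out is repeated a billion more times."""
    needed = population * 1_000_000_000 * (1 + 1_000_000_000)
    return password_space(spec) >= needed


if __name__ == "__main__":
    default = PasswordSpec()
    print("sample:", generate(default))
    print("entropy (bits):", round(entropy_bits(default), 2))
    print("20 vs 16 chars, times larger:", space_ratio(default, PasswordSpec(length=16)))
    print("16 chars covers the illustration:",
          covers_everyone_a_billion_times_over(PasswordSpec(length=16)))
```

The ratio between the 20- and 16-character spaces comes out as exactly 62^4 = 14,776,336, the "about 14 million" in the post, and the 16-character space clears the population check with room to spare, while a 12-character one does not.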

  • HRD
    Community Member

    hi @dteare,

    Thanks for the comprehensive explanation that I note conflicts with @brenty. But there is a further inconsistency in that you can permanently change the preferences within the desktop version. Moreover, it is surely for the end user to determine the password length and complexity?

  • AGAlumB
    1Password Alumni
    edited February 2018

    Thanks for the comprehensive explanation that I note conflicts with @brenty.

    @HRD: Ah, I see what you mean. Not necessarily though. I agree with Dave in principle...but in practice I'm sure he'll also agree that this isn't written in stone. As the security landscape continues to change, we'll be making changes ourselves to maintain reasonable defaults — especially if the technology to crack passwords improves significantly, if and when 20 randomly-chosen characters is no longer enough. Or perhaps the web landscape changes so that a more aggressive default is feasible without having a negative impact on users. Not holding my breath on that last one though. ;)

    But there is a further inconsistency in that you can permanently change the preferences within the desktop version.

    That's a really good point, and definitely something we'll be taking into account as we develop the other apps and specifically make improvements to the password generator in those. Definitely on our radar. :)

    Moreover, it is surely for the end user to determine the password length and complexity?

    It is! That's why you can customize the password composition when using the password generator.

    I get what you're saying, but at the same time what I set for generating one website's password will almost certainly not work for the next if I'm maxing it out; and similarly if I have to weaken it from the default to accommodate the site, I don't want to be generating weak passwords for every subsequent one by default. So each is an opportunity to use the kind of password which is appropriate for that situation.

    For instance, if you set it to "words" for one where you know you'll need to remember and/or type the password yourself sometimes, having 1Password default to that for the next, which probably doesn't have that same need, can result in you getting a weaker password than you could otherwise use there.

    It's just another example of how much has changed since 1Password was first released over a decade ago: Wordlist passwords weren't even an option. And as Dave mentioned, having it remember the last setting can cause problems both with shorter (less secure) and longer (problematic for many sites) passwords, which is why we're sticking with 20 characters, for now. What would really be cool is if 1Password could know the password requirements/restrictions of a website when you're creating a login for it and automatically default to the best password for that specific case. Until then, a global default that's both secure and website- (and user-) friendly is a good alternative. Cheers! :sunglasses:

  • HRD
    Community Member

    Hi @brenty,

    Thanks for that and I understand your reasoning. Please be assured I wasn't attempting to be critical but wished to make various points.

    Keep up the good work.

  • AGAlumB
    1Password Alumni

    @HRD: Oh, no worries. You made some great points! Thanks for making them! :chuffed:

This discussion has been closed.