Password strength meter shows some strong passwords as "terrible"
Some of my passwords are reported as "terrible" strength, when they are actually quite strong.
Below is a redacted example (a login for the IRS) that exhibits this behavior. My current password (which is redacted) is of comparable strength to passwords in my password history (which are in cleartext below). For clarity, I removed some fields that I think are extraneous junk.
{
  "sectionName": "I",
  "details": {
    "fields": [
      { "id": "userID;opid=__1", "value": "NilsEnevoldsen", "name": "userID", "type": "T", "designation": "username" },
      { "id": "password;opid=__3", "value": "REDACTED", "name": "password", "type": "P", "designation": "password" },
      { "id": "password2;opid=__4", "value": "REDACTED", "name": "password2", "type": "P" },
      { "id": "email;opid=__5", "value": "REDACTED", "name": "email", "type": "T" },
      { "id": "site_phrase;opid=__6", "value": "REDACTED", "name": "site_phrase", "type": "T" },
      { "id": "random_site_image;opid=__7", "value": "REDACTED.jpg", "name": "random_site_image", "type": "" }
    ],
    "password": "",
    "htmlForm": { "htmlMethod": "LB1" },
    "passwordHistory": [
      { "value": "FtCdihs!%sGpxz#c!!!m", "time": 1521080999 },
      { "value": "=_]Yb!3~68nec,Yi).qQ", "time": 1521080691 },
      { "value": "xDusARaWNCAFKNkwxomJ", "time": 1521080460 }
    ],
    "sections": []
  },
  "uuid": "v6e2kyl2ifxc2vrlmmfldulkl4",
  "updatedAt": 1521081000,
  "createdAt": 1521080396,
  "categoryUUID": "001",
  "overview": {
    "ps": 0,
    "pbe": 0,
    "pgrng": false,
    "title": "IRS",
    "ainfo": "NilsEnevoldsen",
    "tags": [],
    "url": "https:\/\/sa.www4.irs.gov\/eauth\/pub\/registration\/profile_create.jsp?actionName=VerifyActivationCodeProxy"
  },
  "URLs": [
    { "overview": { "label": "", "url": "https:\/\/sa.www4.irs.gov\/eauth\/pub\/registration\/profile_create.jsp?actionName=VerifyActivationCodeProxy" } }
  ]
}
1Password Version: 7.0.BETA-6
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
I'm seeing this as well with passwords that I would consider complex - mix of upper, lower, symbols, about 16 digits long!
0 -
I'm wondering if it's related to that "password": "" … Hmm.
0 -
Ah, here's another clue. In words, it says "terrible", but when ordered by password strength, this item is categorized as "none" — below "terrible". Is that the same for you, @twynne?
0 -
My pin is showing as terrible. Many PINs are limited to 4 numbers. Guess what? We don't have an option to make longer. Items in PIN fields should be ignored.
0 -
So from your JSON, it looks like the display is correct. Your password strength is entirely terrible!
ps=0 is a saved calculated strength value for manually created or manually edited passwords.
pbe and pgrng are the entropy value and corresponding flag to indicate that the password generator was used to generate this password.
Given that pgrng is false and pbe has a value of 0, this probably wasn't a password generator last touched password.
Also given this JSON it appears the primary password field (which that strength is based on) is possibly empty?
Rudy
0 -
@rudy Yes, I think this was a manually-created password. IRS had some awkward password requirements, so I took a 1Password-generated password and modified it by hand.
What's odd is that even if the "primary password field" is empty (however that happened), 1Password still knows my real password – it is in fact the concealed password beneath the "password" label, next to the "terrible" assessment.
Seems like two issues here:
- Why is my primary password field empty when 1Password knows about my actual password?
- Why is the password strength assessment shown in a field with which it isn't associated?
0 -
@nils_enevoldsen Yes, this particular account shows under 'none' when sorted by password strength. For me the word 'Terrible' is showing beside the (complex) password in the field labeled 'password'. Oddly if I edit the item and click the password generator, it generates a less complex password!
0 -
@nils_enevoldsen and @twynne - with manually-created passwords (or imported ones), you may get that issue. If it bothers you or you'd like to see what kind of general rating our meter would give you, you can click Edit on the item in question, click into the password field and add a character onto the end of the password. Click "Save," and the strength will be calculated, then re-edit the password field to remove the extra character you added, and you'll get our true estimate of the strength of the password.
0 -
Yes, this workaround works for me. Thanks, @Lars. I still think the issues I mentioned apply:
- Why is my primary password field empty when 1Password knows about my actual password?
- Why is the password strength assessment shown in a field with which it isn't associated?
0 -
I prefer the phrases ‘strong’ or ‘weak’ rather than ‘fantastic’ or ‘terrible’. It just sounds a little bit more formal and professional to me, I’m not a fan of software trying to be my friend.
0 -
> I’m not a fan of software trying to be my friend.
I apologize if that clashes with how we do things, @steve23094. You'll have to pardon our Canadian-ness.
> I prefer the phrases ‘strong’ or ‘weak’ rather than ‘fantastic’ or ‘terrible’. It just sounds a little bit more formal and professional to me
Thanks for the feedback!
> Why is my primary password field empty when 1Password knows about my actual password?
> Why is the password strength assessment shown in a field with which it isn't associated?
I think those are great questions that unfortunately I do not have answers to. I'll pass the feedback along to the team and see if we can figure out what is happening here, and what the intended behavior is.
Ben
0
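The mismatch discussed in this thread (a stored rating of ps = 0 and an empty "password" key next to a populated field designated "password") can be checked for mechanically in exported item JSON. The script below is an added example, not code from 1Password or from anyone in the thread. The function names, finding labels, sample password and 60-bit threshold are all assumptions. Reading ps = 0 with pgrng false and pbe 0 as "rating never calculated" follows the replies above, and the character-set estimate is a rough upper bound, not 1Password's meter.

```python
import json
import math
import string

# Constructed sample item: same keys as the JSON in the original post, with a
# made-up value standing in for the redacted password.
SAMPLE_ITEM = json.loads(r"""
{
  "details": {
    "fields": [
      {"value": "NilsEnevoldsen", "name": "userID", "type": "T", "designation": "username"},
      {"value": "Constructed-Sample!42xQ", "name": "password", "type": "P", "designation": "password"}
    ],
    "password": ""
  },
  "overview": {"ps": 0, "pbe": 0, "pgrng": false, "title": "IRS"}
}
""")

def charset_bits(password):
    """Rough upper bound: length * log2(size of the character classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit_item(item):
    """List the ways the stored strength metadata disagrees with the stored password."""
    details, overview = item.get("details", {}), item.get("overview", {})
    # The value the UI conceals under the "password" label.
    designated = next((f.get("value", "") for f in details.get("fields", [])
                       if f.get("designation") == "password"), "")
    findings = []
    if designated and not details.get("password"):
        findings.append("primary-password-empty")
    if designated and overview.get("ps", 0) == 0:
        if not overview.get("pgrng") and overview.get("pbe", 0) == 0:
            findings.append("strength-never-computed")
        if charset_bits(designated) >= 60:  # threshold is an assumption
            findings.append("stored-rating-contradicts-length-and-charset")
    return findings

if __name__ == "__main__":
    print(audit_item(SAMPLE_ITEM))
```
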