Feature Request: Security Questions - Allow Me to Generate 1 Word Passwords
My view around security questions has evolved. I used to generate passwords for them but not any more. Why?
- Voice automated systems are now asking you to say them. E.g. Mother's maiden name? Answer: pronouncing out ARq2GmE (I've done it!) vs saying "Smith"
- Oftentimes they are asked by humans from humans
- In a high profile social engineering hack (human to human) the random password security answer was compromised anyway... "I've got a gibberish password for the security question, can we just skip me having to say it?" "Ok" (!!!!)
In light of this, I use a website to pick a single random word for my security questions.
Mother's maiden name? rabbit
First pet? avocado
First car? drifter
My ask could be as simple as allow me to generate a 1 word password (current minimum is 3).
A larger ask would be to create a new field type called Security Answer that would be the subset of Password that would generate 1 word answers and not hide it behind asterisks like passwords are.
Thanks for considering my use case.
p.s. I thought this was this article but it's not. This article got me to change my Amazon email address to something random. The relevant paragraph starts "First you call Amazon"
p.s.s. No real passwords or security answers were revealed in the generation of this post ;-)
Comments
Hi @invalidptr,
Thanks for providing the use case along with the request. I'll raise an issue with the team.
In the meantime, you could generate a three-word password and edit out the second and third words, but I must warn that this significantly reduces the odds of guessing. There are approximately 18000 words in the list. So if there is a website you use that asks for security questions to reset a password, it might be trivial for an attacker to brute force it, depending on how it is designed.
Cheers,
Kevin
0 -
I get it, but I really don’t think this is needed at all in 1Password. I’ve done this same thing for security questions and I just look around and use that.
City I was born in: paperweight
1st school: computer tower
And that’s just at my work desk.
0 -
Ah, I like the idea of "pick your favorite word" of the three. Prime, I used to go to a news site and scan the page for a word that popped out. Really looking for a random word. Brute force could be an issue (and totally based on their design/inability to lockout after n failed attempts) but I feel like this seems like the lesser threat at the moment.
0 -
You’re right about brute force. Most of the time I’ll add a few words together for these using the word generator for passwords. If I actually have to say it on the phone for verification, I look around and try and get creative, and sometimes I’ll throw 2 things together for a word.
0 -
Unless the site requires it I wouldn’t recommend single word answers. I’ve been using 3-5 word answers for most sites without difficulty.
Ben
0
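The trade-off discussed in this thread (answer length versus online guessing, given the roughly 18000-word list Kevin mentions) can be worked through as follows. This is an added example, not part of the original thread and not 1Password's code; the lockout policy (5 attempts per hour over 30 days) and the short sample word list are constructed assumptions.

```python
import math
import secrets

WORDLIST_SIZE = 18000  # approximate list size quoted in the thread

# Constructed sample list for demonstration; a real generator draws from the full list.
SAMPLE_WORDS = ["rabbit", "avocado", "drifter", "lantern",
                "pebble", "walnut", "harbor", "mitten"]


def generate_answer(words, n_words, sep=" "):
    """Pick n_words uniformly at random using a CSPRNG (not random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of an answer made of n_words independent uniform picks."""
    return n_words * math.log2(list_size)


def guesses_allowed(attempts_per_window, window_hours, days):
    """Guesses a site's lockout policy permits over a period (assumed policy)."""
    return int(attempts_per_window * (24 / window_hours) * days)


def success_probability(list_size, n_words, guesses):
    """Chance that `guesses` distinct guesses hit a uniformly chosen answer."""
    return min(1.0, guesses / (list_size ** n_words))


def min_words(list_size, guesses, max_probability):
    """Smallest word count keeping the attacker's chance at or below the target."""
    n = 1
    while success_probability(list_size, n, guesses) > max_probability:
        n += 1
    return n


if __name__ == "__main__":
    budget = guesses_allowed(5, 1, 30)  # assumed: 5 tries per hour for 30 days
    for n in (1, 2, 3):
        print(n, "word(s):", round(entropy_bits(WORDLIST_SIZE, n), 1), "bits,",
              "guess chance", success_probability(WORDLIST_SIZE, n, budget))
    print("sample 3-word answer:", generate_answer(SAMPLE_WORDS, 3))
```

With no lockout at all, the guess budget is effectively the whole list and a one-word answer offers no resistance, which is why the outcome depends on how the site is designed.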