Password generator - Random words - Add option for including capitals/numbers

chucksense
chucksense
Community Member
edited May 2018 in Mac

I use the "random word" generator. Unfortunately, I have to modify the password generated much of the time because many sites seem to require capital letters and/or some numbers.

So... I would love if the random word generator could be set to include such things. With the capitals, it would make it much easier if it just capitalized the start of the word, randomly. So, for example, if you have it configured to 5 words + capitals + numbers, you might get something like this: flower-Walkover-Soccer-881-vocation-rascal

This would make it so that I won't need to modify the generated password nearly as often (the remaining constraint being on those stupid site owners that inexplicably put a really low max length on their password field... seriously, wtf?).


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«1

Comments

  • Hi @chucksense,

    You may find the ‘characters’ option in the password generator more sutible for sites with such requirements (rather than the ‘words’ option). That said, we appreciate the feedback. :)

    Ben

  • BenFerber
    BenFerber
    Community Member

    I want to echo this sentiment. Your response looks like a dismissal of the problem, and I strongly believe you should reconsider.

    In short: it'd be much better to have dynamic options for your password generator like the ones at https://xkpasswd.net/s/ .

    It's nice to generate a password that's word-based (thus easy to remember) but with words and symbols and multiple cases in it (thus is accepted on the vast majority of websites). The current "words" option you offer is effectively useless for most usage, in an age when most people are using passwords with both words and numbers. If you offered more dynamic options (i.e. checkboxes and number selection for "words" "digits" "symbols" and "separators") it'd be a truly dynamic password generator that I'd actually use, and love!

  • siplhium
    siplhium
    Community Member

    I second this request and sentiment. Right now I have to manually add a couple of numbers or uppercase letters to boost a generated password's strength using the "words" option. It would be a lot easier to have checkboxes to include such characters. Then you get a password that's both readable and very strong.

  • rwakeford
    rwakeford
    Community Member

    I'm the same as siplhium. I prefer word passwords but almost always have to add a couple of numbers or upper case letters to make it acceptable.

  • rlh
    rlh
    Community Member

    I don't think @Ben was being dismissive. Only terse. Many (myself included) look at random, 1Password generated and stored passwords as "passwords I'll never even try to remember". Therefore, I want a random password that has the maximum (reasonable) entropy. The 1Password team could explain this much better than I, but I think a ~14 character password will have as much/more entropy as a 5 word passphrase. And given that so many sites insist on seeing numbers and special characters then why not go with a 20+character truly random password?

    The ONLY time I like to use pass phrases is for things I might need to use without 1Password (e.g., signing into Dropbox so I can gain access to my 1Password vault on a new computer). So, I want it secure but also easy to type; extra characters and capitalization potentially undermine that need.

    I hope @chucksense, @BenFerber, @siplhium, and @rwakeford don't think I'm being dismissive. Maybe I've just totally bought into the 1Password philosophy and therefore think their design approach is exactly what is needed.

  • rwakeford
    rwakeford
    Community Member

    Can't disagree with either Ben or you!

    It's just that, sometimes, you have to type in a password because the site doesn't accept copy and paste and that makes a word password easier to do, although I admit it's a rare occurrence. Besides, I like the look of a word and digits password, even though it's hardly every physically needed, and so the option of words with digits would be good but I can also understand that it would mean more and not very necessary coding to achieve it! So I'll not lose any sleep over it and I love this programme and the way it works, and have done since I first bought it nearly ten years ago.

    It's the first third party programme that I couldn't live without and it just gets better and better.

  • rlh
    rlh
    Community Member

    Quick tip for sites that won't let you paste (at least on my Mac with Safari). If you are on a page (i.e., it is already loaded, waiting for input) that won't let you paste a password, goto Safari, Preferences... and select the Security tab. Simply untick/uncheck the Enable JavaScript box. Now, without even reloading the page in the Safari window, try pasting--it will probably work! Before continuing through the login process, or hitting Submit, etc. go back and tick/check Enable JavaScript and then continue logging in as normal.

    This works for me nearly all the time.

  • BenFerber
    BenFerber
    Community Member

    @rlh you definitely aren't being dismissive! It did feel a bit like @Ben was, though, which is why I posted in this thread in the first place. I imagine, from the tone of his post, that if I hadn't posted here, as well [and all of you, too] this issue would not be considered further.

    Implementing something like this would actually be a security boost to the "words" feature—currently the entropy of passwords it provides is low, and with differing cases and the option to add numbers, suddenly those passwords would be a lot more secure—and actually usable on most websites.

    I very often find myself having to enter passwords on computers and devices without 1Password (work computers; a friend's Apple TV; my dad's computer; etcetera) and so typing out passwords manually is still a requirement. Also, 1Password can't automatically enter passwords into a lot of third party applications, and sometimes password fields on certain websites don't allow pasting (automated or manual)—so even on some devices with 1Password I'll have to type things out. And sure, the Javascript on/off trick works, but that's WAY less convenient (more time consuming, more clicks/sometimes more keystrokes) than just typing out something I can easily remember. (Particularly for passwords I have to enter frequently.)

    For me, and it seems for a number of you, it's a lot easier to remember, and to type out, passwords that have words in them—even if they have more characters than the "robot vomit" completely random character sequences. It's a common preference that I don't think 1Password accommodates enough, and I think changing how the generator works for word-based passwords would be an excellent quality of life upgrade.

    Until then, I personally will not be using the 1Password generator because it doesn't easily create the kinds of passwords (with combinations of words/cases/symbols/numbers) that I personally prefer to create.

  • rwakeford
    rwakeford
    Community Member

    "Quick tip for sites that won't let you paste (at least on my Mac with Safari). If you are on a page (i.e., it is already loaded, waiting for input) that won't let you paste a password, goto Safari, Preferences... and select the Security tab. Simply untick/uncheck the Enable JavaScript box."
    Never knew that. Thanks. I've marked it and will give it a try next time.

  • rlh
    rlh
    Community Member

    @BenFerber Multiple good use cases. I definitely sympathize with the typing in others' computers scenario. And even if I don't imagine wanting/needed the requested functionality I can see how adding it would have value.

    And, "robot vomit"... :-) :-) :-)

  • steven1
    steven1
    Community Member

    Hi @chucksense I have been using the following technique to solve this problem...may be of use while we wait for the feature to appear in 1P

    https://discussions.agilebits.com/discussion/comment/384634/#Comment_384634

  • steve28236
    steve28236
    Community Member

    I would like to see this feature too. And I would imagine it would be easy to implement considering the options are already there for a random character password.

  • romad
    romad
    Community Member

    Here is an example of just ONE of the more ridiculous requirements I face:

    The PASSWORD MUST:

    be 9 to 30 characters in length
    contain at least one uppercase letter (A-Z)
    contain at least one lowercase letter (a-z)
    contain at least one number (0-9)
    contain at least one of the following special characters: # @ $ % ^ ! * + = _
    change at least four characters from your previous password
    

    The PASSWORD CANNOT:

    contain spaces
    be one of your last five previous passwords
    

    The PASSWORD will expire in 150 days.

    So though I'd like to use an actual random generated password, I can't as I have to manually work out a password that will meet these requirements.

    BTW, the guy who started all this 15 years ago says he was wrong: http://tinyurl.com/y9voukcl

  • Ben
    Ben
    edited June 2018

    @romad

    BTW, the guy who started all this 15 years ago says he was wrong: http://tinyurl.com/y9voukcl

    Yep! Unfortuantely some cling to this stuff as though it were gospel regardless of that fact.

    So though I'd like to use an actual random generated password, I can't as I have to manually work out a password that will meet these requirements.

    This is a tough problem to solve. There is no standard way for a site to present what their requirements for passwords are... and as such there is no reliable way for 1Password to determine what those requirements are. We could perhaps attempt to read and parse the text, but then different phrasing would cause issues, as would different languages.

    Ben

  • @BenFerber

    @rlh you definitely aren't being dismissive! It did feel a bit like @Ben was, though, which is why I posted in this thread in the first place. I imagine, from the tone of his post, that if I hadn't posted here, as well [and all of you, too] this issue would not be considered further.

    My apologies that I made you feel that way. My only intention was to present the options which are currently available. We’re always looking for ways we can improve 1Password and perhaps this is one.

    Ben

  • pcburcham
    pcburcham
    Community Member

    +1 for adding an option to include or exclude capital/lowercase letters in the password generator. I've been encountering sites that allow special characters but not capital letters, which to me is very strange, but I'm seeing them nonetheless. In such cases I'd rather just un-check an option to exclude a letter case and proceed to generating the password. The option to exclude certain characters isn't really an issue to me, since 99% of the time you can regenerate a password and the offending characters are typically replaced by ones that are allowable. Letter case, on the other hand, is entirely different. You can hit the generate button a million times and not get one single password with all lower or uppercase letters.

    I don't think it has anything to do with 1Password trying to determine what a site's password requirements are and certainly wouldn't want/expect them to fall down that rabbit hole. I think it is more about helping the user meet those requirements as efficiently and effortlessly as possible. Besides, what if I want to generate a password using numbers, symbols, and only one letter case? I also don't believe that adding options to meet these types of requirements undermines or trounces the security of 1Password in any way, especially since the premise of this application is built upon 1 password to rule them all. I worry more about my master password and how 1Password secures and transmits sensitive data than I do if joeschmo.com gets hacked and my password for that site is revealed. The security or liability of 1Password isn't compromised one bit in that scenario and I can determine on my own whether or not to simply change my password or close my account with that site entirely. I only bring up those final security points because the security of passwords is referenced many, many times when additional features exactly like this one are requested, and while I absolutely agree with those points, I can also agree that what a site's password requirements are (no matter how lax) is entirely irrelevant to a feature request such as this one.

    That said, even though 1Password lacks the generator options that most password managers have, I can definitely say that I think it is by far the best across the board. I just left version 4 and local sync for version 7 and cloud sync and so far I love it.

  • Hi @pcburcham ,

    Thanks for the kind words and the detailed feedback. To confirm, we do read every single bit. To address your point about not undermining security - you are correct, usually these options do not, and our strength meter would reflect that. Usually the number one preventer of adding options and checkmarks is usability. Indiscriminately adding a checkbox or other preference will often result in something that looks daunting or confusing to novice users. Our aim is to provide usable security to everyone. Now, you'll note I said "indiscriminately" - that doesn't mean we will flat out refuse to add a preference. It just means we have to take the time to consider each one, how well they work with what is already there, and if there are alternatives that are better, etc.

    But bottom line, yes, we do want to and plan on improving the password generator, and it will take some time to do it in a manner that improves it for everyone.

    Cheers,
    Kevin

  • pcburcham
    pcburcham
    Community Member

    Thanks for your response Kevin. I agree with your point. 1Password has an extremely clean and intuitive UI, and you guys and gals have done a wonderful job of making sure that experience transfers across all platforms. Besides being a long time user of the app myself, it is one of the main reasons I have chosen to stick with it going forward. I'm trying to bring my wife along in maintaining more secure logins and protecting sensitive information, and if the application handling that is the least bit confusing I'll lose her pretty quickly. I can certainly appreciate that aspect of the design.

  • Lars
    Lars
    1Password Alumni

    @pcburcham - users like your wife are the exact reason we strive to keep the interface as clean as possible, even to the point of not adding certain feature requests as toggles/preferences -- because 1Password is already not the simplest app on the block by its very nature, and we know full well there are plenty of current and potential users who will either become confused/turned off if they have to contend with a farrago of options, or (much worse) actually wind up setting things in a way they don't understand that may also weaken their security. It's a tricky balance, satisfying the bleeding-edge power users who are always on the latest beta and pressing us for more functionality with the needs/desires/skill level of less-sophisticated users. Our overall philosophy is that good security should be available to everyone without having to become a power user. Glad you think we're hitting the mark most of the time, and feel free to give us a shout if you think we're not, or you have a question or suggestion. Cheers! :)

  • robbyberman
    robbyberman
    Community Member

    Given that some sites have very specific PW requirements — one cap, a digit, a symbol, blahblah — I'd love it if 1Password let us set up the formula a site requires and then generates a pw. This would be so much more useful than the present options.

  • Lars
    Lars
    1Password Alumni

    @robbyberman -- thanks for weighing in. Currently, you can always manually adjust created passwords before using them to change passwords (or create new ones) at a given site. While a minority of sites do make users jump through unusual hoops like you're describing, as ag_kevinmentioned previously, we tend to set the bar pretty high for adding new preferences/toggles/checkboxes, as this can quickly add up to a daunting user interface for non-power-users. We're considering how we might make the password-generation experience both more flexible and powerful while keeping the ease-of-use, so keep an eye on updates to see what's coming down the road.

  • robbyberman
    robbyberman
    Community Member

    Thanks, Lars. Understood.

  • romad
    romad
    Community Member

    Lars, while it may be a "minority" of ALL sites, it seems to be a MAJORITY of governmental and financial sites that have this out-dated requirement (even the requirement's creator now rejects it as wrong).

  • Lars
    Lars
    1Password Alumni

    :) :+1:

  • Lars
    Lars
    1Password Alumni

    @romad - yep, the new NIST guidelines recommend against such enforced complexity of user passwords. There is a difference between password strength and password complexity, as shown in the now-famous xkcd comic.

  • romad
    romad
    Community Member

    Yep, and now correct horse battery staple is probably used by thousands! ;)

  • Lars
    Lars
    1Password Alumni

    @romad - this is what gives me nightmares. Do NOT re-use passwords, people! That's maybe the main point of 1Password -- create one strong Master Password, don't share it with others, and let 1Password do the heavy lifting of creating, remembering and organizing all your other passwords for you. At this point, correct horse battery staple is literally no better than password123.

  • jdgoesmarching
    jdgoesmarching
    Community Member

    I like passphrases a lot, they're why I switched to 1Password in the first place. I don't think I've used one in the past year because I know clicking submit means there's a decent chance I'll be kicked back for not having a number or upper case letter.

    I get that I could manually edit every single passphrase I want to create with some collection of numbers or upper case characters, but one of the draws of password managers is not having to think about these processes. Not to mention the pain this can be on a mobile device with some non-optimized mobile site that rejects my password so I have to go through several more steps after getting my cursor back in some poorly zoomed entry field.

    I don't think anybody here would argue that such restrictions are necessary for good security and I get the feeling that the Agilebits dev team doesn't want to concede to stupid password rules. However, in my experience, a large majority of web accounts have these security requirements to the point that I don't even bother using the key feature that I switched over for. Maybe that's because I don't work for a flashy tech company that's up to date on the latest NIST standards, but I experience this pain point several times a week. I wish AB would understand that we're requesting a usability fix, not a security feature.

  • Lars
    Lars
    1Password Alumni

    @jdgoesmarching - thanks for the feedback. It isn't that we don't understand the nature of what you're asking for and why. We do. And we are indeed considering adjustments to the current state of the Strong Password Generator. It's just not the only thing currently on our plate. :)

    The reality of a wild and varied internet is that there will always be login pages for which a user has to manually and after-the-fact make changes to generated passwords. My favorite example of this is when sites tell you to "create a strong password," but wait until after you've done so to show you that you can't use certain characters, or that, by "strong," they meant "8-20 characters," so the nice strong 35-character password you generated is invalid for no other reason than length. Why not show those rules before someone violates them? ¯_(ツ)_/¯ I've never been able to understand this one, and no amount of fine-grained controls and checkboxes would prevent users from falling victim to it.

    The point here is twofold: one, there is no situation in which we could create the perfect password generator that would not cause people to "experience the pain" of having to generate a second password sometimes, or manually edit a just-created one to conform to some arbitrary rule. There are certainly refinements we can make, but point two is: we want to be sure to keep the user interface of 1Password as easy-to-use for all skill levels of user as we can, and that means not festooning it with checkboxes and preferences and sliders and other user-selectable options which each, in their own right, might arguably be of benefit to some users but which collectively add up to a messy and chaotic interface with increased confusion for newer/less-technical users and even potentially for bugs/conflicts on our end. That doesn't mean there won't be changes. It does mean it's not the highest-priority item on our plates and needs to be done (like everything else) correctly, taking into account all factors. Thanks for the input! :)

  • romad
    romad
    Community Member
    edited August 2018

    "My favorite example of this is when sites tell you to "create a strong password," but wait until after you've done so to show you that you can't use certain characters, or that, by "strong," they meant "8-20 characters," so the nice strong 35-character password you generated is invalid for no other reason than length."

    Lars, BTDTNT!

    BTW, how involved is the process to add this capability? Is it possible to include it with the next (or one after) update that is in the pipeline?

This discussion has been closed.