Feature Request - PW requirements for words recipe (length, capitalization, alpha and symbol chars)

Ben.S
Ben.S
Community Member
edited May 2018 in Lounge

Okay... Here’s a picky request, in brain dump fashion. :)

The random password recipe allows you to choose the length of characters. I would like to suggest the ability to, at the least, see how many characters are in the generated password when using the words recipe.

Also, a few other suggestions that would make this idea better, in my opinion - The ability to choose character length within the words recipe, and the ability to add upper case (I usually upper case each word or one or two words), and add in a set of numbers.

Okay okay. After writing this down I see that my request/idea could arguably add a bit of complexity to 1Password’s great UX. The problem I have, that I'd like to see solved, is the ability to use the words recipe while conforming to password requirements from a website, as many websites require a range of characters and/or symbols and numbers. I know the random recipe solves my issue, but it’d be nice to meet certain requirements and have a readable password as an end result.

Edit: looks like someone recently suggested basically what I was asking for. Whoops.

https://discussions.agilebits.com/discussion/88532/feature-request-improve-password-generator-for-words#latest

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    The random password recipe allows you to choose the length of characters. I would like to suggest the ability to, at the least, see how many characters are in the generated password when using the words recipe.

    @Ben.S: That's an interesting idea. I'm actually surprised, as it hasn't come up before to my knowledge. I can't promise anything, but we can certainly consider that. :)

    Also, a few other suggestions that would make this idea better, in my opinion - The ability to choose character length within the words recipe, and the ability to add upper case (I usually upper case each word or one or two words), and add in a set of numbers.

    That, unfortunately, is a less-than-great idea. First, restricting the character length of a word-based password will make it considerably weaker, as 1Password will then be excluding a lot of things, decreasing the entropy. And with uppercase, that makes the words harder to type and doesn't add any real security benefit: the entropy is from the number of possible combinations based on the size of the Wordlist (about 18000) and number of words used. Certainly in some cases it may be necessary to add a capital letter, number, or symbol, but it's something you can do yourself without hurting anything. But it's also worth pointing out that the "words" option is meant for cases where you need to memorize and/or type a password. In all other cases, it's best to use "characters", as you'll not only have complete control over the length without compromising strength, but character-for-character this will always be stronger than a word-based random password.

    Okay okay. After writing this down I see that my request/idea could arguably add a bit of complexity to 1Password’s great UX. The problem I have, that I'd like to see solved, is the ability to use the words recipe while conforming to password requirements from a website, as many websites require a range of characters and/or symbols and numbers. I know the random recipe solves my issue, but it’d be nice to meet certain requirements and have a readable password as an end result.

    Usability is definitely a concern, but we always need to prioritize security. If we can get that down, it frees us to focus on making it intuitive. An intuitive design is great, but with 1Password we can't start there. And similarly, "readable" passwords are nice looking, but should only be used when necessary, as they will be easier to guess than a random character-based password of the same length. We're in the process of trying to learn definitively just how quickly (or not) a three-word password can be brute forced with current technologies.

    Edit: looks like someone recently suggested basically what I was asking for. Whoops.

    No worries! Honestly this is a slightly different take, and I do think it could be helpful to show the length of the word-based password, especially since we don't want to limit it. Cheers! :)

  • Ben.S
    Ben.S
    Community Member

    That, unfortunately, is a less-than-great idea. First, restricting the character length of a word-based password will make it considerably weaker, as 1Password will then be excluding a lot of things, decreasing the entropy.

    You are absolutely correct. The only reason I suggested being able to choose character length was because there are unfortunately a lot of sites that have a max character limit on passwords, including some financial institutions. I'm not sure if you'd agree, but perhaps displaying the character count of word-based passwords (mentioned in original post) would solve this issue. I'd be happy with just that. As a user, I could then choose a word count, and click re-generate until a length comes up that falls within the password range requirements of said website. Correct me if I'm wrong, but I don't see any compromise of passwords due to 1Password, but due to the requirements of the website.

    The same reasoning also applies to my request for uppercase letters and numbers. Some websites require it. Clarification: I never imagined there being random uppercase letters or numbers throughout the word-based password. I manually do any of the following combinations that would be simple to read out loud or in my head on the spot, but not for long-term memorization, like so:

    • Uppercase of first letter of 1 or more words - Ex: Cat.Dog.Fish
    • Uppercase of last letter in 1 or more words - Ex: caT.doG.fisH
    • Uppercase of all letters in 1 or more words - Ex: CAT.DOG.FISH

    It could be simplified, and only allow the option to uppercase the 1st letter in all words, or make them all lowercase, however, you may consider this a violation of how you prioritize UX.

    In regards to numbers, my solution involves adding a random (well, I bash the numbers on my keyboard :)) set of numbers somewhere in the password. Ex: cat.dog.1234.fish

    I'm interested in hearing your thoughts about this, and where you see what is given up in terms of security.

    Ahhh! Very cool. Thanks for sharing. I will be watching for this!

  • AGAlumB
    AGAlumB
    1Password Alumni

    You are absolutely correct. The only reason I suggested being able to choose character length was because there are unfortunately a lot of sites that have a max character limit on passwords, including some financial institutions. I'm not sure if you'd agree, but perhaps displaying the character count of word-based passwords (mentioned in original post) would solve this issue. I'd be happy with just that. As a user, I could then choose a word count, and click re-generate until a length comes up that falls within the password range requirements of said website. Correct me if I'm wrong, but I don't see any compromise of passwords due to 1Password, but due to the requirements of the website.

    @Ben.S: I think we're in complete agreement here. I'm uncertain about if or when we'll do something like this because our to-do list is very, very long. :)

    The same reasoning also applies to my request for uppercase letters and numbers. Some websites require it. Clarification: I never imagined there being random uppercase letters or numbers throughout the word-based password. I manually do any of the following combinations that would be simple to read out loud or in my head on the spot, but not for long-term memorization, like so:

    • Uppercase of first letter of 1 or more words - Ex: Cat.Dog.Fish
    • Uppercase of last letter in 1 or more words - Ex: caT.doG.fisH
    • Uppercase of all letters in 1 or more words - Ex: CAT.DOG.FISH

    It could be simplified, and only allow the option to uppercase the 1st letter in all words, or make them all lowercase, however, you may consider this a violation of how you prioritize UX.

    Thanks for the clarification! Indeed, I am not able to get on board with the second option since that would largely obviate the key benefit of word-based passwords: memorability. But you make an excellent point about typability. Something to consider.

    In regards to numbers, my solution involves adding a random (well, I bash the numbers on my keyboard :)) set of numbers somewhere in the password. Ex: cat.dog.1234.fish
    I'm interested in hearing your thoughts about this, and where you see what is given up in terms of security.

    The problem with that is the numbers don't really add much in the way of entropy if they're grouped together like that. I do get your meaning though, and maybe there's something similar we could do in the future. I think this enters more into the human realm. A person may want an easy-to-read password. A website may demand that it contain numbers, whatever. While 1Password can generate a word-based password and a character-based password, the user would have to do those separately and add them together. So I can appreciate the desire to have 1Password do it all at once in those cases. The problem is that a lot of people will see cat.dog.1234.fish (or non-union Mexican equivalent) and think this is an AWESOME password, and they would be less likely to use a more repugnant-looking (humans + randomness = no bueno) password with greater entropy. It's something we'll keep in mind, especially if more websites become worse about stuff like this. But at least for the last while things have been improving in that space. If we can avoid making changes that could lead to weaker passwords, I think we should.

    Ahhh! Very cool. Thanks for sharing. I will be watching for this!

    Me too. Still waiting! :eh:

  • Ben.S
    Ben.S
    Community Member

    I think we're in complete agreement here. I'm uncertain about if or when we'll do something like this because our to-do list is very, very long.

    I completely understand you there! Been there, done that, currently there, currently doing that, got the t-shirt, and getting more. :)

    Indeed, I am not able to get on board with the second option since that would largely obviate the key benefit of word-based passwords: memorability.

    You make a good point there. I agree for now, unless someone were to have a solution to the problem that would include enough entropy, while also keeping the password memorable. And I don't know, but perhaps this is a problem that only I, or a small percentage of 1Password users have. You guys know your users better than me. :)

    I think this enters more into the human realm. A person may want an easy-to-read password. A website may demand that it contain numbers, whatever. While 1Password can generate a word-based password and a character-based password, the user would have to do those separately and add them together. So I can appreciate the desire to have 1Password do it all at once in those cases. The problem is that a lot of people will see cat.dog.1234.fish (or non-union Mexican equivalent) and think this is an AWESOME password, and they would be less likely to use a more repugnant-looking (humans + randomness = no bueno) password with greater entropy.

    That's understandable. I will say that cat.dog.1234.fish is far better than someone just adding 1, year, birth date, anniversary, etc. to the end of their generated password because they couldn't auto-generate a number or a couple of numbers and place them within their password somewhere.

    I see where there are a lot of things to consider here. One thing that I didn't think to mention is that this is only a pain point for me on iOS. In the Mac app and Firefox add-on, I can easily click into the password field and it'll turn into a text field revealing the password. Now, I can move the cursor to certain places in the password and can proceed with manually fixing my password to meet requirements of certain websites. However, on iOS, you don't know where you're moving the cursor to, because the cursor is in the password field, which is masked, instead of the visible password. The visible password appears to be a label, so is changing the password field to a text field when "show password" is enabled something that would be considered? Especially considering that it currently happens in the Mac software and possibly other clients.

    Unless you or someone else throws an angle in here that I'm not seeing, this solves the issue. It doesn't outright give users the ability to generate insecure passwords, thus giving the false notion that they have an amazing password, which seemed to be a concern of yours. It should be, and hopefully improves, that the idea of manually modifying your password should be avoided if possible. There are also a few easily identifiable ways you can implement great UX.

    I'm okay with manually modifying the password. Yes, it's not the most secure; yes, it's not recommended, but it's my way and the only way to remedy the issue using word-based passwords. Are others not having the same issue? Maybe they just stick to random character-based passwords.

    Side note: on iOS devices with 3D/force touch support, you cannot use it on the keyboard to move the cursor. Not a big deal. Just a tiny pet peeve :)

    Thank you for taking the time to hear and respond to my comments. It's greatly appreciated and not many companies excel in as many areas as you guys do! Thank you

  • AGAlumB
    AGAlumB
    1Password Alumni

    I completely understand you there! Been there, done that, currently there, currently doing that, got the t-shirt, and getting more. :)

    @Ben.S: Thank you for this! :lol:

    You make a good point there. I agree for now, unless someone were to have a solution to the problem that would include enough entropy, while also keeping the password memorable. And I don't know, but perhaps this is a problem that only I, or a small percentage of 1Password users have. You guys know your users better than me. :)

    Honestly, I'd bet that most people run into something like this occasionally. What's rare is websites that do this, and even rarer that they agree with each other. There's just too much variation for there to be a good one-size-fits-all solution, but it's something we'll continue to evaluate.

    That's understandable. I will say that cat.dog.1234.fish is far better than someone just adding 1, year, birth date, anniversary, etc. to the end of their generated password because they couldn't auto-generate a number or a couple of numbers and place them within their password somewhere.

    Hey, if you have a long, random, unique password generated and the site is like, "No! You must add a symbol! The Great Old One wills it!" adding a * or whatever doesn't make your password weaker. Not ideal, but doable.

    I see where there are a lot of things to consider here. One thing that I didn't think to mention is that this is only a pain point for me on iOS. In the Mac app and Firefox add-on, I can easily click into the password field and it'll turn into a text field revealing the password. Now, I can move the cursor to certain places in the password and can proceed with manually fixing my password to meet requirements of certain websites. However, on iOS, you don't know where you're moving the cursor to, because the cursor is in the password field, which is masked, instead of the visible password. The visible password appears to be a label, so is changing the password field to a text field when "show password" is enabled something that would be considered? Especially considering that it currently happens in the Mac software and possibly other clients.

    I'm okay with manually modifying the password. Yes, it's not the most secure; yes, it's not recommended, but it's my way and the only way to remedy the issue using word-based passwords. Are others not having the same issue? Maybe they just stick to random character-based passwords.

    Side note: on iOS devices with 3D/force touch support, you cannot use it on the keyboard to move the cursor. Not a big deal. Just a tiny pet peeve :)

    Unless you or someone else throws an angle in here that I'm not seeing, this solves the issue. It doesn't outright give users the ability to generate insecure passwords, thus giving the false notion that they have an amazing password, which seemed to be a concern of yours. It should be, and hopefully improves, that the idea of manually modifying your password should be avoided if possible. There are also a few easily identifiable ways you can implement great UX.

    This bothers me too. Unfortunately we don't have a good native way of doing this on iOS. Secure Input and "password" fields come hand in hand. This is one case where it would be nice if that wasn't the case, hence the sort of hacky password + display field combo you referenced. But it would be great if we can figure out a solution. Thanks for bringing this up!

    Thank you for taking the time to hear and respond to my comments. It's greatly appreciated and not many companies excel in as many areas as you guys do! Thank you

    Hey, no problem! Thanks for taking the time to share your thoughts with us. Hopefully we'll be able to surprise you with some things in the future. :)

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    This outstanding conversation tells me that I need to get back to working on our new/forthcoming password generator. I can report that it does have the ability to randomly capitalize words (as that part is written and tested already), and it does have the ability to use random digits as separators between words.

    Which features will be exposed in the UI is a different question, but we want the underlying generator engine to be flexible. But we found no way to fix a length in characters for the wordlist system while keeping the output of the generator uniform, so that isn't a feature to expect.

  • stangln
    stangln
    Community Member

    For several websites I have encountered, the password requirements include the following:

    • 1 Uppercase Letter
    • 1 Number
    • 1 Special Character

    I understand writing a word recipe to meet these requirements decreases the possible options.

    In practice it means I take the password that is randomly generated and have to manually make it comply with the website requirements.

  • Thanks for the feedback, @stangln. Fortunately it sounds like the changes Goldberg mentioned above should help with most of that. It does sound like the characters-based generator may be more appropriate in situations like this, though? We typically recommend the words-based recipe for passwords which you may need to speak or type, and characters for everything else. Are you finding you have lots of passwords that you are required to speak or type?

    Ben

  • stangln
    stangln
    Community Member

    The reason that I like to use the words-based recipe is probably not a good example, but here it goes.

    I frequently need to log in to a website/service on a one-time-use (sometimes untrusted) computer. I will view/pull up the password on my phone and have to manually type in the password based on reading it.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    The "new" Strong Password Generator can randomly capitalize words and it can use digits and symbols as word separators. It also offers a mode that is somewhere between the wordlist and just random characters. It can use a word list that is just a bunch of vaguely plausible syllables, and these can then use the digit and symbol separators.

    The syllable list has about 10,000 items, so a three-syllable password isn't as strong as a three-word password, but they are shorter, and the random capitalization along with a random digit separator make up for that. Here is a sample of what it would generate when told to use three units (syllables) with random digit separators and randomly capitalizing one syllable.

    Nauw8phoc4bel
    Vaux6taux8skoy
    zoft5Klon5psiw
    sqax6Vool6beft
    cair6zach0Teer
    cus2word1Lit
    

    (Ha! We tried to filter out syllables that were cuss words, but I certainly had not anticipated a reference to Norman Mailer as in that last password. Also note that by modern standards, Norman Mailer's use of profanity is mild, but it was an issue at the time.)

    Anyway, those all have about 48.15 bits of strength, which makes them six bits (64 times) stronger than the passwords that are part of our current password cracking challenge.

    I haven't kept track, but this new generator is being used by multiple versions of 1Password now. It was first used in 1Password X, but it is making its way to other platforms. Once it is deployed everywhere (and one more thing is added to its entropy calculation), we can begin to see what knobs and controls should be exposed to the user and how.
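The entropy accounting behind the numbers in this thread (AGAlumB's "entropy is from the size of the wordlist and number of words", and jpgoldberg's roughly 48 bits for three syllables with random digit separators and one random capital), worked through as an added example; this is not 1Password's code. It assumes every component is drawn uniformly and independently, uses a constructed toy syllable list in place of the real ~10,000-entry list, and also scores three words from the ~18,000-entry wordlist for comparison.

```python
import math
import secrets
import string


def recipe_bits(list_size, units, separator_symbols="", capitalize_one=False):
    """Entropy in bits of a generated password, assuming (our assumption,
    matching the thread) that every component is uniform and independent:
      - `units` items drawn from a list of `list_size` entries,
      - `units - 1` separators drawn from `separator_symbols` (if any),
      - optionally one of the `units` items picked uniformly to capitalize.
    Independent choices add in bits, so each term is log2 of its outcomes."""
    bits = units * math.log2(list_size)
    if separator_symbols:
        bits += (units - 1) * math.log2(len(separator_symbols))
    if capitalize_one:
        bits += math.log2(units)
    return bits


# Constructed toy syllable list for illustration only; the generator discussed
# in the thread draws from roughly 10,000 syllables.
TOY_SYLLABLES = [
    "nauw", "phoc", "bel", "vaux", "taux", "skoy", "zoft", "klon",
    "psiw", "sqax", "vool", "beft", "cair", "zach", "teer", "lit",
]


def generate(units, wordlist, separator_symbols=string.digits, capitalize_one=True):
    """Build one password in the shape jpgoldberg describes: `units` list items,
    a random separator between each pair, and one randomly chosen item
    capitalized.  Every draw uses the `secrets` CSPRNG, so the output really
    carries the entropy that recipe_bits() computes for the same parameters."""
    parts = [secrets.choice(wordlist) for _ in range(units)]
    if capitalize_one:
        idx = secrets.randbelow(units)
        parts[idx] = parts[idx].capitalize()
    password = parts[0]
    for part in parts[1:]:
        password += secrets.choice(separator_symbols) + part
    return password


def split_units(password, separator_symbols=string.digits):
    """Recover the list items from a generated password (separators dropped),
    so the shape of generate()'s output can be checked."""
    return "".join(" " if c in separator_symbols else c for c in password).split()


if __name__ == "__main__":
    # Three words from the ~18,000-entry wordlist AGAlumB mentioned.
    print(f"3 words, 18,000-word list:        {recipe_bits(18000, 3):.2f} bits")
    # Three syllables alone, then with digit separators and one capital.  The
    # thread's 48.15 reflects a list slightly larger than the 10,000 used here.
    print(f"3 syllables alone:                {recipe_bits(10000, 3):.2f} bits")
    print(f"3 syllables + digits + 1 capital: "
          f"{recipe_bits(10000, 3, string.digits, True):.2f} bits")
    for _ in range(5):
        print(generate(3, TOY_SYLLABLES))
```

Dropping the separator or capitalization arguments shows how much each contributes (about 6.6 and 1.6 bits respectively for three units), which is the trade-off the thread is weighing against memorability.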

This discussion has been closed.