Good password ranked as terrible?
1Password7 on my Mac is ranking an auto-generated password (not generated by 1Password, but still) as "Terrible":
And yet the same password is considered good by 1Password Web:
(don't worry - we've changed to a different password, so there's no security problem sharing it here).
Any idea what's up?
1Password Version: 7.0.3
Extension Version: Not Provided
OS Version: 10.13.4
Sync Type: Not Provided
Comments
-
I've got EXACTLY the same issue - my password was just the same as yours (in type) - I think it's a safari generated password - same pattern. Maybe something to do with the dashes? But here's the REALLY weird thing - I had the password stored twice for some reason, with slightly different descriptions - and in the other record, it's "excellent". I wonder if it's "terrible" because it's duplicated in my 1Password list (although it's for the same actual login...)
0 -
Welcome to the forum, @paulbutcherelit and @JMT! Thanks for your question about the password strength meter. You're correct, it's a function of whether WE created it or not. There are a few issues to smooth out with the Password Generator, but it's also not as easy as you might imagine to give a definitive answer: there are MANY ways to calculate password strength, and not everyone agrees what the "right" way to do it is. We've tried to use a conservative approach that includes making sure we don't give you a false sense of security by telling you a password is stronger than it actually is.
For instance, in the example from Paul's post, a copied password may LOOK strong, but we don't know how it was generated, so it may not be that strong at all, so it's assigned a lower score. When we generate a password, we can calculate much more precisely the strength, as we know how it was created. Nevertheless, certainly a long-and-strong password shouldn't have a near-zero strength, and this is a bug we're working on.
If you want general advice until we have a more solid fix for this out, once you hit 23 random characters (alpha/numeric/symbol), you're at 128 bits of entropy. That's enough to foil even the fastest cracking tools currently available.
0 -
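The point in the reply above, that a generator knows a password's entropy exactly while a meter looking at a pasted string can only guess, shown as an added example (not part of the original thread and not 1Password's algorithm). All function names, the naive string-only estimate and the sample password are constructed for illustration.

```python
import math
import string

# Character classes a meter can see in a pasted string.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generated_entropy_bits(length: int, alphabet_size: int) -> float:
    """Exact entropy when each character is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def template_entropy_bits(choices_per_slot: list[int]) -> float:
    """Entropy of a password built by picking one option per slot."""
    return sum(math.log2(n) for n in choices_per_slot)


def naive_charset_estimate(password: str) -> float:
    """Optimistic guess from the string alone: treats every character as
    random over the union of the character classes that appear in it."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def overrating_bits(password: str, choices_per_slot: list[int]) -> float:
    """How far the string-only guess exceeds the real generation entropy."""
    return naive_charset_estimate(password) - template_entropy_bits(choices_per_slot)


if __name__ == "__main__":
    print(f"23 random alphanumerics: {generated_entropy_bits(23, 62):.1f} bits")
    print(f"chars needed for 128 bits, 94 symbols: {min_length_for_bits(128, 94)}")
    # Constructed sample: word from a 1000-word list + one of 50 years + fixed "!!".
    sample, slots = "Sunshine2020!!", [1000, 50, 1]
    print(f"{sample}: looks like {naive_charset_estimate(sample):.1f} bits, "
          f"really {template_entropy_bits(slots):.1f} bits")
```

The gap between the two numbers for the constructed sample is why a conservative meter scores a pasted password of unknown origin lower than one it generated itself.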
Thanks for the reply @Lars. I'm not sure that it explains why the discrepancy between the local and web versions of 1Password? I would (naively perhaps) have expected them to use the same algorithm?
0 -
Greetings @paulbutcherelit,
I don't have an answer for you I'm afraid but I do agree with you, expecting the two to be consistent is a pretty reasonable expectation.
0 -
Yes I have the same problem. I have a password that is considered very very strong on password meters on the web (it's 19 characters, w some symbols, some caps, no recognizable words etc...), and it says "terrible" on the desktop 1password app. Then on the 1password website it says it's good (or the green bar is about 2/3s filled like on @paulbutcherelit's).
If the password strength meter were faulty on say the Netflix website or something I wouldn't care as much. But this is all you guys do, passwords, passwords, passwords. This is what we are paying you for, to help us with our passwords, to remember them and tell us if they are strong or not!
0 -
1Password will still try to make an educated guess about the password strength, but it will assume zero entropy (as it has no reason to assume otherwise or any data to calculate actual entropy). I just created a new login item and typed in the password
t8Ss8hased#@asd
and even though that is a typed password with zero entropy 1Password estimated it was "excellent." If your password is similar there may be a problem with the calculation. I'd suggest troubleshooting by creating a new login item for this password and typing it again there (don't copy & paste). If it still comes up as 'terrible' then it would seem that is indeed 1Password's assessment of it.
Ben
0 -
@BayUno please see my comment at the start of this thread about the discrepancy between the way that 1Password web and 1Password Mac rate passwords. It seems that 1Password does not have an opinion about passwords, it has multiple divergent opinions depending on where you look.
0 -
@paulbutcherelit: I've (un)fortunately been doing a lot of testing in the area of differences between platforms and know what you're talking about. There is no right answer when it comes to password strength, but we're working to improve it and also make it more consistent across the board. Thanks for your feedback on this.
However, I do think there's something else going on in your case. Like Ben, I'm not able to reproduce what you're seeing. I wonder if that login is simply damaged, or was created when there was a bug with the password strength. If you create a new login with the same password, does that give you a better result, more in line with your expectations?
0 -
I've just tried creating a new password entry with the same password as is ranked terrible, and this time it's ranked excellent.
So it looks like you're right, there's something about the existing record that's "damaged" in some way.
0 -
@paulbutcherelit: I don't recall the details, but there was a bug with password strength. Since this is saved as part of the item, it was still hanging around there. Sorry for the trouble that caused, but I'm glad that creating a new item resolved it — and that we squashed that bug so it was possible. :)
0 -
It's April 2020 and this issue still persists. I used a 24 character password generated via 1P Chrome extension and it's showing as "Terrible" password in the Mac OS X app.
0 -
Thanks for your response, Ben. It's straight from the password generator.
I rarely create my own passwords - always use long complicated passwords directly via the generator.
0 -
Hi @Ben, any update on this issue you committed to look into back in April? I too am having the same problem. Auto-filled a 1Password generated password with the Chrome extension in Brave browser, then if I go and look in the 1Password app the password is "Terrible". However, if I expand the Saved Form Details on the same vault item, the exact same string in the password field down below is "Very Good". This is happening with many different sites.
0 -
I see that this seems to be related to a post I made a few hours ago today. Whatever it may be worth, the password in question in my other post is 15 characters long. I did edit the 1PW generated suggestion by one character to make the symbol it contained conform to the web site’s limitations. But in my case, the result is sometimes Terrible, sometimes Very Good, even in the same entry record in the Login category. There is a screen shot in my recent post showing the same password with two different strength assessments in the very same record.
0 -
Thank you for the report, and for the offer. I don't believe we need any additional information at this time. Our plan going forward is to use shared code for rating passwords, so the code currently in use in 1Password for Mac is likely to be going away in future generations of the app. Unfortunately that does mean this isn't likely to be addressed in the short term, but should make it much easier to resolve any issues once implemented.
Ben
0 -
Hi @Ben, same issue here, password generated via 1Password and after copied again it's rated as Terrible.
Any plan to fix it soon?
Do we have a remediation in the meanwhile?
Moreover, if I edit the password adding a single character, and after restore it to the previous state, the ranking is Excellent.
0 -
"Any plan to fix it soon?"
Unfortunately this is not a quick / short-term project.
"Do we have a remediation in the meanwhile?"
I think what you highlighted is the best I could offer:
"Moreover, if I edit the password adding a single character, and after restore it to the previous state, the ranking is Excellent."
I'm sorry there isn't a better answer for the moment, but it is something we're aware of and plan to address as we move forward.
Ben
0 -
Hi Ben, ag_ana, littlebobbytables, Lars and other 1Password Team Members.
I am having this issue in October 2020, could you provide an update on this? It's jarring and not reassuring that the app I am trusting with my most sensitive data can have a bug like this go unfixed for 2 years.
My specific issue: I am seeing passwords generated by 1Password's own generator ranked as 'terrible' when using the safari browser button, and this is reflected in the Mac app.
Many Thanks,
BiscuitHelp
0 -
Hi @BiscuitHelp
We have some improvements planned regarding the rating of passwords for 1Password for Mac v7.7. This will not change existing ratings, but newly generated passwords should be less likely to be rated as terrible. If you're still having problems with newly generated passwords after 7.7 please let us know.
Also: for what it's worth, while the symptoms may be similar, this is an entirely different issue than what the OP reported 2 years ago.
Ben
0 -
Hi guys, I've run into this problem recently as well, and it's because of another issue in 1Password. Many times, I'd like to use a passphrase as my password, but it doesn't match up with the site's idiotic password requirements, usually the lack of a capital letter or a number. However, 1Password's generator for passphrase doesn't give you that option. I've started using Bitwarden's password generator, which does give that option for passphrases. So I'm copying/pasting the strong password from Bitwarden's site into 1Password, and running into this.
I'd really like to not use the Bitwarden site, but it does offer a feature that you guys don't. Any chance that we might see this feature added to 1Password's password/phrase generator?
0