Setting Preferences for Special Characters


Comments

  • @mikewu99

    I wish I had a more satisfying answer to provide. I'm sorry that isn't the case.

    Please explain why you cannot provide a field under "settings" where we can specify the special characters we want to allow.

    I don't see why that couldn't be a solution. As mentioned in my last post the devil is in the details. It isn't that we're unwilling or unable to provide some sort of solution for this problem within 1Password, but I'm trying to be up front about the fact that we don't have anything like that in production right now, and so anything we would implement would be some time away.

    Ben

  • jackx36
    Community Member

    I've run into this problem numerous times now. I've employed a workaround where I open 1password on a separate tab, generate a password, add/remove special characters as necessary, paste into the needed account to test if it's accepted, then come back to 1password and save a login. I did this 72 times yesterday as I went to update my compromised accounts with stronger passwords. Suffice it to say, the added time to accommodate the inability to remove certain special characters from password generation circulation was pretty upsetting. It may be the website's fault for implementing antiquated security requirements, but 1password is advertising itself as a solution for our password issues. This falls squarely within that mission statement.

  • ag_ana
    1Password Alumni

    Thank you for taking the time to share your experience with us @jackx36, that was very useful :+1:

  • flyinprogrammer
    Community Member

    Ran into this again being an issue when setting up AWS passwords.

    Looks like your open source competitor had some issues implementing it but does offer it as a feature: https://github.com/keepassxreboot/keepassxc/pull/1841

  • Thanks for sharing, @flyinprogrammer.

    Ben

  • crstn
    Community Member

    +1 for this.

  • Thanks @crstn :+1:

    Ben

  • birkin
    Community Member

    Question: I've always used the "Avoid ambiguous characters" checkbox, seen here https://apps.apple.com/be/story/picky-password-criteria-no-pr0b1em/id1477374257, but don't see that any more. (macOS v11.0.1, 1Password7 v7.7) I've looked through all the settings and cannot figure out how to get it back. Suggestions?

  • ag_ana
    1Password Alumni

    @birkin:

    I think this is one of the changes in the latest password generator, as I don't see that option anymore either.

  • birkin
    Community Member

    :( (thanks for the info; i hope it returns)

  • ag_ana
    1Password Alumni

    @birkin:

    At the moment, I believe there are no plans to bring these additional controls back. If you are curious and would like to know more about the security decisions behind the choice, please see this discussion in the forum.

  • BaldJJ
    Community Member

    +1
    I'm near my 1-year renewal and this is a factor in my decision to stay with 1password or switch. I'd love the ability to generate my own special character list. In my own experience it seems like @ and * come up nearly every time under random generation, yet + or = never come up.

  • Lars
    1Password Alumni

    @BaldJJ - we did reduce the symbol set in the new Strong Password Generator, down to the most-commonly-accepted symbols. If you're used to (or prefer) other, less-common ones, you may wish to manually edit your passwords to include those.

  • electroAJ
    Community Member

    1000 upvotes to the OP. A field in the generator where you can key in the acceptable (or unacceptable) characters for generation would save much consternation. Leave it blank for everything to be fair game (default).

  • ag_ana
    1Password Alumni

    Thank you for the feedback as well :)

  • rsstorey
    Community Member

    I don't mean to sound condescending but it seems that after almost two years this capability should have been developed. It also sounds like someone is trying to get outside entities (industry) to change and not the application to a set business practices. The purpose of an application is to serve the users and I understand software design should also support best practices. I know that both ISO 27001 and NIST Guidelines provide such specifications but I haven't been able to determine if either of these contain a recommended set of characters. It's one thing to design to a standard which is preferred the only outcome is to not support those external entities that do not support the standard. The other item is if 1Password supports international language sets which I think would make this more difficult of a problem to solve.

    With that said, I can only assume that 1Password software stores the acceptable characters that can be used to generate a password. I don't know the software design 1Password has developed and deployed but this is key because you don't want to start from ground zero and redesign from the ground up but to design an update. I would think that the application has one or more files, libraries, or some other containers that define the acceptable characters that can be used in generating a password. The application then only needs to allow the user to set the values that can be used to generate a password.

    The bottom line is that the application's sole purpose is to support the user. A simple use case, as a user, if I want to take the default character set which consists of (alphabetic characters (upper and lower case (52)), numbers (10), and special characters (32)) giving a total of 94 characters to use to create a password and limit that set to only 26 (clearly not a good practice) that is my option and responsibility as a user. As always an application should allow to revert back to a default set of characters.

    Anyway this is my point and 2 cents worth. I need to be able to set the allowable characters, preferably at the password generation level (allowing me to alter the character sets each time I generate a password) and not at the application core level.

  • ag_ana
    1Password Alumni

    @rsstorey:

    Anyway this is my point and 2 cents worth. I need to be able to set the allowable characters, preferably at the password generation level (allowing me to alter the character sets each time I generate a password) and not at the application core level.

    Thank you for letting us know! I have let our developers know that you would find this useful :+1:

    ref: dev/projects/customer-feature-requests#28

  • chesterdesmond
    Community Member

    Came here to suggest this feature and pretty disappointed that there's been years of requests and no action on this. I'd say the majority of sites I use now have specific (but common) restrictions on special characters. Sometimes I just give up on 1Password password generation entirely because it's too frustrating to manually "hack" when there are these parameters. Please stop ignoring this incredibly common roadblock to easy password generation.

  • Hi @chesterdesmond

    We've begun to work with Apple and others using the 'password manager resources' repository:

    GitHub - apple/password-manager-resources: A place for creators and users of password managers to collaborate on resources to make password management better.

    With this we're able to learn the requirements of specific sites, so that when a password is generated for any of the supported sites it'll always be accepted the first attempt. To take advantage of this make sure 1Password in your browser is set to generate smart passwords:

    I hope that helps!

    Ben

  • chesterdesmond
    Community Member

    Thanks, Ben. I appreciate this effort, but it doesn't quite address the issue we're all describing. This repository will likely not include the kinds of sites using outdated password requirements. Why not add a "Basic Password" type (with a warning, of course), that is less than 20 characters and has only 1 uppercase letter, 1 lowercase letter, 1 number, 1 basic symbol? Or better than that, sliders for each type of character (letter, number, symbol)? I know it'll never be perfect, but surely something can be done.

    Also, this Smart Password type in the screen grab doesn't exist in my version of one password, which is 7.8.2. I can only guess this is a 1Password X feature (and thus not available in Safari)?

  • Lars
    1Password Alumni

    @chesterdesmond - yes. For now. We hope to introduce it into Safari in the future, but you're correct for the present. Regarding the configurability of generated passwords, our Chief Defender against the Dark Arts (AKA: Security Team lead, @jpgoldberg) recently had some thoughts in a different thread here. The original question there was in regard to specific password settings beginning with a number, but much of his comments there are relevant to the larger discussion of why we've structured the revised Smart Password Generator the way we have.

  • jacqueanton
    Community Member

    Yay! Finally the “dumb” password generator has been replaced by the “Smart” Password Generator. I can’t wait till the “Very Smart” Password Generator gets developed, using machine learning and AI to supplement the gains in the “Smart” Password Generator. I would imagine the “Very Smart” Generator being the fallback for sites not using a tag attribution will shine. I could see that little bot parsing through the rendered display of code searching the page area immediately closest the password field looking to read what the site’s pass rules are. Sometimes password rules aren’t given or displayed on initial password creation and the bot would poll out and attempt a 1st pass hoping to either succeed or at least if fail repeat its area scan and find on the second pass the password rules of the site and generate accordingly. If it wasn’t lucky to pull the site password rules, it could make a few more attempts of varied Password combinations and just continue to cycle until one finally was accepted. That kind of bot maybe it wouldn’t be a “Very Smart” Password Generator; but it would be a “Tenacious” Password Generator. Just saying though… every once in a while I do enjoy more so employing the hard worker than the smart worker cause in the end the harder worker will be just faster and complete the job while the smart worker is still thinking things over trying to figure out what to do next.

    Hehe daydreaming future 1Password Manager version XX+ is gonna be wicked cool.

  • ag_ana
    1Password Alumni

    Hehe daydreaming future 1Password Manager version XX+ is gonna be wicked cool.

    Agreed :)

  • DCjenkins
    Community Member

    Thank you for your product, I love that my passwords are secure"r". Secure to the point that I don't even know them. When I have to fight with the generator I sometimes end up with the wrong password saved into my vault, and the next day I am back on the toilet paper hula hoop. While this may be my own stupidity... that is what we users are, we are as stupid as our apps let us be. Frustration leads to the F'it moment where the skeleton "P@55w0rd" gets used. I don't do this but I know it happens, so this is a problem worth solving.
    We are slaves to the sites we use, and because so many people choose $h!t passwords, sites lower the age. Making our lives even worse.

    Presumably the current generator is not site aware or in any way tied to my current entries, combined with the length of time this thread has been moderately active it is clear we (users) are still wanting something "better" from the user experience. I don't want to pretend to understand the underlying challenges, but it does seem odd that I cannot set a mask per login entry. When prompted for a new password 1password graciously offers the standard (at the browser field entry), perhaps I could optionally open my add-in, find my account, and initiate a new password there. The generator in the add-in can then use the mask per entry.
    More assumptions. Fingers crossed, you can't see any of my data. But maybe I can opt into sending my domain/mask to your partnership with Apple, and crowdsource. Even better there is a feedback loop that notes that other users are reporting a higher entropy mask can be used.

    I hope this is all Captain obvious stuff, I am really just bumping this prayer for word peace and a better password generator.

    Thanks again.

  • ag_ana
    1Password Alumni

    @DCjenkins:

    Thank you for the feedback! Can you clarify what you mean by "mask" in this context?

  • DCjenkins
    Community Member

    I thought a mask was the mechanism to store a regular expression (I'm not a programmer). Your Smart password only works for certain sites but there is a mechanism for storing the format the password must hit, that mechanism is some form of a mask.

    I fear my example is about to expose me for the stupid user I am, but if I've been unclear perhaps I can muddy the waters further.

    Using ChesterD's comment above, imagine I can use that form per password saved, but where you have a checkbox on Symbols include a dropdown next to it. If I hit the dropdown I can check or uncheck rows of symbols (say 10 rows of 5 characters) and even more granularly select and unselect the individual symbols (as buttons in the row).
    Whatever I select, 1password stores the mask

    The mask could be something like the first 2 character = length, the next is the alpha flag, the next is the digits flag, the next is the symbols flag 1 yes symbols, 0 no symbols, 2 only the characters that follow
    18112#^&() = 18 characters alpha, num, only symbols #^&() there should be an asterisk in there

    Whenever I use a password from the vault, the associated mask gets added to the password generator (replacing the previous mask).
    The next time I use the generator it still generates the default, but optionally allows me to use the current mask to set the generator options.

    If I set a mask for one of my passwords, I can optionally submit it to this public repository (noted previously) in the form crappysite.com:18112#^&*() Or however it is storing those masks... In fact whatever format they are storing that, is likely the format 1password should be.

  • DCjenkins
    Community Member

    Mask:
    Position 1 & 2 = Length
    Position 3 = Alpha 0/1/2 N/Y/Must
    Position 4 = Upper 0/1/2 N/Y/Must
    Position 5 = Digits 0/1/2 N/Y/Must
    Position 6 = Symbols 0/1/2/3/4 N/Y/Must/Custom/CustomMust
    Position 7... = by default empty but if custom is flagged, the characters to add to the mix

    I thought that was what the regular expression (RE) term was, I am not a programmer, my example above isn't RE but should work for this discussion. However the smart password tool knows what it can include for a site's password properties i.e. 181111 (I am going to call this the SmartMask), why can't I set that for the sites I use that are not known by the DB smartpass uses. Once I create a uname / pass for site xyz.com, why can't I set a mask to use the next time I need a new password (UserMask) for it.
    Were this mask stored with the record, the next time I use the site and 1password to enter my password, the act of using the password loads that same record's associated UserMask variable to the current UserMask in the generator replacing it every time I use 1 password to enter a password. It's just a mask, not my password. If I am not prompted to generate a new password whatever. However, if I am prompted, the Smart pass generator checks, is this in my known smart pass sites? Y- use SmartMask N-use default generate & offer (button) to load current UserMask.

    But as many people have noted, we use a lot of crappy sites so why can't the mask include the option to limit the symbols to specific ones. However done, were we to set a flag on position 6 that would flag the routine to accept the remainder of the characters to be added to the RE used to generate the pass.
    Where ChesterD's image has a checkbox for symbols, couldn't we add a dropdown that allows us to select or enter the valid symbols for the site. After selecting the drop down I imagine something like this (apologies for crude excelly thing)

    Also please excuse the button mash in the custom box it should read #^&() but was added to illustrate how the user could add the less common ones.
    Resulting in a mask assuming 18 character max of 181114#^&() and whatever is in the custom field (obviously verifying and stripping characters already checked)

    There are multiple enhancements past that. If I agree to submit my masks, they get passed along to the crowdsourced SmartPass repository, after x number of users submit the same mask, smart pass makes the entry available. When users masks have a lower entropy than the current smartpass they are prompted to update...
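The mask layout listed in the post above (two length digits, four flag digits, then optional custom symbols), worked through as an added example that is not part of the original thread or 1Password's code. Assumptions: "Alpha" means lowercase letters, `DEFAULT_SYMBOLS` is a made-up default pool, and flags 3/4 restrict symbols to exactly the trailing characters; `entropy_bits` shows what narrowing the pool costs.

```python
import math
import secrets
import string

# Assumed default symbol pool for flags 1/2; the post does not define one.
DEFAULT_SYMBOLS = "!@#$%^&*-_"

def parse_mask(mask):
    """Parse the mask layout from the post into (length, classes).

    classes is a list of (pool, required) pairs, one per enabled class.
    """
    if len(mask) < 6 or not mask[:6].isdigit():
        raise ValueError("mask needs a 2-digit length and 4 flag digits")
    length = int(mask[:2])
    alpha, upper, digits, symbols = (int(c) for c in mask[2:6])
    custom = "".join(dict.fromkeys(mask[6:]))  # de-duplicate, keep order
    if max(alpha, upper, digits) > 2 or symbols > 4:
        raise ValueError("flag out of range")
    if (symbols in (3, 4)) != bool(custom):
        raise ValueError("custom characters go with flag 3 or 4 only")
    if not set(custom) <= set(string.punctuation):
        raise ValueError("custom characters must be ASCII symbols")
    classes = []
    for flag, pool in ((alpha, string.ascii_lowercase),
                       (upper, string.ascii_uppercase),
                       (digits, string.digits)):
        if flag:
            classes.append((pool, flag == 2))
    if symbols:
        pool = custom if symbols >= 3 else DEFAULT_SYMBOLS
        classes.append((pool, symbols in (2, 4)))
    if not classes or length < sum(req for _, req in classes):
        raise ValueError("mask cannot be satisfied")
    return length, classes

def generate(mask):
    """Draw uniformly with a CSPRNG; redraw until every 'Must' class appears."""
    length, classes = parse_mask(mask)
    pool = "".join(p for p, _ in classes)
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in p for c in pw) for p, req in classes if req):
            return pw

def entropy_bits(mask):
    """Upper bound: length * log2(pool size), ignoring 'Must' rejections."""
    length, classes = parse_mask(mask)
    return length * math.log2(sum(len(p) for p, _ in classes))
```

Redrawing the whole password, rather than patching a required character into a fixed position, keeps every permitted password equally likely.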

  • ag_ana
    1Password Alumni

    I thought a mask was the mechanism to store a regular expression (I'm not a programmer). Your Smart password only works for certain sites but there is a mechanism for storing the format the password must hit, that mechanism is some form of a mask.

    Thank you for the clarification @DCjenkins, I see what you mean now :+1:

This discussion has been closed.