Password generator not configurable
Hi there,
I'm very annoyed about the password generator in ip7. Maybe to let the user NOT configure it is more secure but I have to be able to find passwords that are accepted by websites and stores. When a website tells me that my password is not accepted because I have too many special characters or characters that are not accepted this is annoying for me. To regenerate and regenerate again and try or modify by hand, but then I don't need a generator.
I know you say, this generator is the most secure one, but if I can't use it its useless.
Comments
-
Hey, @Thundersnake! It definitely can be an annoyance. I always point the finger at the bank that handles my mortgage as an example of the worst possible scenario – it disallows certain symbols, but won't tell you what those are until you try to use them. And, even then, it only calls out those you actually did use. The next password you generate may include a completely different symbol they disallow. They do, however, require at least one symbol so disabling symbols entirely isn't an option either. It's awful and they make me change my password periodically making it even worse. All of this is to say that I totally do understand your struggle.
That said, you're right that more random is more secure, but you're also right that something that doesn't work in the current environment isn't too helpful no matter how secure. So, what would a perfectly configurable password generator look like? To start, perhaps it would allow you to select which symbols are used. So let's add a significant number of check boxes for each symbol one might want to include or not. Next, the number of symbols, letters, etc. might need configuring so there's a slider of each of these. Already, you've got yourself a pretty bloated password generator with a mess of configuration options that you need to individually edit for each site because all of them are different. You could add saved recipes, but that's even more bloat.
For power users (and yourself, based on your comment), this might be great, but for others it could just as easily discourage use of the password generator. 1Password is my job, so I do dive into advanced settings and micromanage 1Password, but if I saw something like my imagined generator in another app? I'd probably file that feature under "will not use" and never look at it again. The increased security a simpler generator provides isn't just that it's more random, it's that it's more accessible to the average user. It does have its problems on picky sites and it would be lovely if there were a way to address that without sacrificing simplicity, but the ultimate goal we have is to help the most people possible have the most secure passwords possible on the most sites possible. We believe the password generator as it stands does more to further than goal than adding complexity to handle those picky sites would. This doesn't mean there's no room for improvement. If you check out 1Password X's password generator, you can see we've made some changes there. Those changes have already come to 1Password for Mac and will probably make their way to Windows too, in time. There's always room to improve, but extremely fine-grained configuration is likely not in the cards.
0 -
How about this:
Option1:
Leave the current setup as it is where you offer the recommended password. However, for "power users" or people who need to fiddle with the password config settings - add an icon to display a mini password generator which will allow you to change config settings as needed.Option2:
Display multiple passwords. Whichever password is selected will get saved in the password manager while others get discarded.Example:
Password1 - shrive.myth.escape.scraggy
Password2 - Cm+xrB7o++ar@q
Password3 - Uvgez4AaQi3MPu
Password4 - HWYuEJoGFRWueWI am sure that rather than thinking about how big the problem is, if you put your minds to it, you can come up with better options than my idea. Like the OP, i completely agree that if the password generator is not useful, then it basically defeats the purpose of having a password manager. I finally got my wife used to using a password manager but when it comes to adding a new login, she still hates it and just leaves it to me to add it to 1password.
For me, a useful password generator is critical. Lack of one is basically a deal-breaker. That being said, I understand you want to ensure that any features you add is a good one and I am more than willing to let you work on it. Thank you.
0 -
Hi @knpatel,
When you generate a new password, you can edit the new password inline, just remove the symbols and add what the site allows. It's far more simple than trying to figure out which password to use by looking for the specific symbols to remove.
We're not going to do either options but thank you for the suggestions.
0 -
When you are trying to reset password or you enter a new password and then select the "Use Suggested Password", the suggested password is entered into the password textbox and all you see are "************************". How exactly am I supposed to edit the password and remove the unneeded characters when I cannot see the password characters?
0 -
Hi,
this is more or less the way I have to work, more and more sites don't like your generated passwords. But then i don't need a Generator because I have to change most of them manually. I don't like your way, sorry.0 -
The problem is that there's no point of using the symbols in the first place if the site makes it known that they're only allowing certain symbols. Criminals can just tune their password crackers to only include these symbols as well.
In this case, we recommend that you increase the length of your passwords instead of using symbols, assuming the site doesn't have a restricted length either.
That's not to say we won't improve this. We have some ideas on how to tackle these restrictions and hopefully have an automated solution that will make the generator better.
0 -
@Greg, I was under the impression that i should be using 1PasswordX in the browsers. I have only been a user for about a month so I may have missed. Can you tell me when it is a good idea to use 1Password X vs regular extension? Or if you have a KB article, that would be great also.
@MikeT:
A lot of websites often do not display their max password length. They just specify minimum length. It is only when you submit the password that you get an "invalid password" or something similar.All I am saying is that it is fantastic to have a password generator that generates super complex passwords but if I have to copy it to notepad to modify it or some other workaround, then it defeats the purpose of the generator in the 1st place. Like Thundersnake, there are sites where I cannot use the password generator. I use another tool generate my password then paste that in which makes a very onerous workflow
0 -
Hi @knpatel,
I was under the impression that i should be using 1PasswordX in the browsers
It's up to you. 1Password X isn't as full-featured as 1Password desktop app + extension is; it is relatively a new product and we'd like it to be the only 1Password extension available in the future. We're working on adding desktop app integration in a future update that may help improve this as well.
All I am saying is that it is fantastic to have a password generator that generates super complex passwords but if I have to copy it to notepad to modify it or some other workaround, then it defeats the purpose of the generator in the 1st place.
We do understand, thanks for letting us know; we haven't heard from many users doing this and we certainly don't see that many sites doing this in our own daily use of 1Password.
We'll keep this in mind as we continue to improve the generator; we do have some ideas that is focused on the symbols itself but we can't say it'll work until we test it first.
0