change suggested password length

Comments

  • Matthew_1P

    Team Member

    @uncaught: As kaitlyn mentioned, we're going for entropy (which is what makes a password strong) rather than length with these suggested passwords. That way, suggested passwords can be accepted on a wider range of websites whilst still being a strong password. The password generator works slightly differently as you can set the password recipe to match the requirements of the website you're on, which is why the default length for it is different. Thanks for sharing your thoughts on this! :smile::+1:

  • Chiming in here as I saw 1Password X 1.19.0 just increased the length of the suggested password :+1:

    I think I understand what you mean with that the suggested password and the password generator serve two different purposes. For my usage it would be great though if they would be more in sync. I use the generator for some very custom rules or situations now and then, but I always put it back to 'random password' and a good amount of length as my default preference of length for new passwords.

    I would love if the suggested password follows the changes I make to the generator (at least for when set to 'random password'). Or, maybe a setting in the addon page (where I can also change the idle timeout) to adjust the default length of the suggested password. Either one would help me in my flow.

    Thanks!

  • PeHansSe
    edited April 28

    Just coming from one of your competitors and this is very painful. It takes too much time to always navigate to the pw generator instead of just using the suggested password. Why can't the suggested password feature just use the settings from the password generator? That would help a lot.

  • kaitlyn

    Team Member

    Thanks so much for sharing your input here, @lode and @PeHansSe! I'll pass both of your feedback along. We're always looking for ways to improve the 1Password experience, and I appreciate you helping us in doing that. :)

    @PeHansSe – To answer your question a little better, here's a post from a while back that you can refer to. The same thing still applies today, but like I mentioned, we're always looking for feedback on how we can improve. I've passed yours along!

    ref: dev/core/core#352

  • I would suggest making the 'Use Suggested Password' tooltip functionally the same as the Password Generator in the plugin menu.
    Besides that, use the kind of passwords the 'Use Suggested Password' tooltip currently generates as a password 'type' in the Password Generator (and the 1Password native app as well). Because it generates passwords I really like, readable but with numbers and symbols (e.g., guld9TOCT7pull-bont). It's currently not possible to create this type of passwords anywhere else in the 1Password suite.

  • kaitlyn

    Team Member

    Thanks for that feedback, @Boris_Online! I've passed both of your points along to the rest of the team. :)

    ref: dev/projects/customer-feature-requests#165
    ref: dev/core/core#352

  • Hi @kaitlyn,

    Definitely agree with Boris above. Have the suggested password generator use the same settings as we have set in the main program. It's a must!

    I have only just started using 1Password in earnest. I'm going through hundreds of sites updating passwords, and even on some utility sites the "suggested password" from 1Password is sometimes simply too long. While they're technically sound they are over the top.

    Rather than the nuisance of going to the main program users will end up ignoring the suggestion and typing their own new password which will likely be weaker than a good 12 char random generated password.

  • ag_ana

    Team Member

    Thank you for sharing your thoughts about this with us @gembrain :+1::)

  • I thought in the previous version that the inline password pop-up did have the ability to make modifications to the password generator. Perhaps I mis-remember, but that ship seems to have sailed regardless with version 7.

    I would like to add 1 vote for being able to access the password generator from the inline pop-up (maybe by simply being able to open the larger plug-in from the pop-up), and 1 vote for being able to qualify the list of special characters. I was stuck in a loop on a portal yesterday set up by an advisor that required special characters, but a relatively narrow list. I've seen that on other sites, too.

    It's not that hard to just let my fingers type some random sequence and include one of the small set of special characters, but it would be appropriate for 1P to help me.

  • kaitlyn

    Team Member
    edited May 27

    Thanks for the feedback, @tempeCarlson! 1Password X has never had the ability to change the suggested password. You may have used the desktop-dependent 1Password extension previously, which is the other extension we offer, but that extension doesn't have inline suggested passwords at all.

    I do want to make sure you're aware of the full-featured password generator in the 1Password X pop-up. That's where you can customize a generated password recipe to comply with the restrictions of the specific site you're visiting. To get there, click the 1Password icon in your browser, then press Command-G/Control+G. If keyboard shortcuts aren't your thing, you can click the + button, then click Password Generator.

    ref: dev/core/core#352

  • @kaitlyn, my apologies! I came to 1P through version 6 on my Mac, and recently converted to X and the latest desktop app. So my previous experience covers the Chrome plug-in to version 6.

    That said, your directions to get to the password generator in the latest version are spot on. I was aware of accessing the password generator from the + button; ctl-g gets me there faster.

    I don't see a place in there where I can choose which symbols I want included by the password generator. The advisor portal I was on wanted a symbol(s) but it was a really short list, things like period, comma, asterisk, dash and plus sign for example. It was grumpy with several iterations of symbols that 1P was offering, symbols like ampersand and percent signs (again, just for illustration). I ended up in a loop where 1P was saving the new password, but the site was rejecting it because of the symbols the tool was choosing and losing the log-in credentials.

    It was tedious because I had to go back and get the original password from the 1P history for the site, re-enter that and let 1P try a new suggestion until it chose one the site liked. I should have just typed something in by hand, 1P would have remembered that, but I can get compulsive sometimes! Ordinarily, this isn't a problem but I have seen it on a couple of sites.

    Have a good day!

  • kaitlyn

    Team Member

    @tempeCarlson – You're right in that you can't filter out exactly which symbols appear in a generated password. You can only tell the generator that you do or don't want symbols to be included. It'd be nice to have more granularity there without having too many options to the point where the UI feels cluttered. We'll continue to explore ways we can do both. For now, what you can do is leave symbols on and simply refresh the password until you've found one you can use. I actually ran into this issue when signing up for my new insurance company, and I was able to refresh the password until I found one with only periods, commas, etc. Another option is editing the password to remove any of the symbols that are restricted by the site you're visiting. If you click on the generated password in the full-featured password generator, you have the ability to edit it before autofilling. Yet another option would be to use a memorable password instead, which uses words separated by a separator of your choosing. That can help, but I've also run into length restrictions when I've done that (dang password restrictions!), so that's why I'm mentioning it last.

  • Hi all,

    Wow, this has been a dynamic thread! It's reassuring for me. I just joined and am already very stoked about the level of attendance to users' queries. The number & type of participating team members is quite respectable and the reply content continues to yield a depth of useful information. Thanks & kudos to you all, seems like you have a great team! ^_^

    Cheers,
    Scott

  • ag_ana

    Team Member

    Thank you for the kind words @SscoootzZ! We do our best to help :)

  • +1

    One specific use case is painful to deal with that I regularly encounter. I like high entropy passwords, I really do. :) 20 characters, lots of numbers, punctuation, changed letter case. But there are instances where I'm using a computer to create an account for something I intend to use with a mobile device. But because entering those types of passwords is painful on mobile, my preferred password form is a few-words-together. But I can't change the suggested password format directly when creating a new account. So I end up having to use the external password generation function to create the password, then come back inside the webpage to paste it, ignoring the 'suggested password' that 1Password wanted me to use. Really really want the ability to change password format.

  • ag_ana

    Team Member

    Thank you for the feedback and the specific example @r3cgm, that was very useful :)

  • +1 for having an ability to make the Use Suggested Password tool work like the Password Generator tool. The user should be able to choose whether he/she wants to use only entropy or a custom template like the Password Generator tool uses. Regarding the "we don't want to clutter UI" concern: why can't it reside somewhere in the 1Password X browser extension page? Advanced settings maybe? Now we have to click to 1Password X extension > then click to + sign > then click to Password Generator. It is pretty frustrating.

    +1 for having an ability to customize Password Generator tool even further. Adding something like "exclude/include symbols" would be much appreciated. An example from these thousands of "online password generator" sites:

  • Thanks for the feedback, @vadimm. The inline menu's suggestions are meant to work for the majority of websites and offer strong security, and we've recently started implementing support for customizing passwords to meet websites' specific needs, too. The idea is that we want the easily accessible option to always offer something secure and not default to the user's preference from the full generator, in case it was set to low-security settings for a particularly troublesome page, but there's always room for improvement and so I appreciate the feedback. :smile:

  • You guys locking the inline password generator to a specific password formula because you believe it should "offer something more secure" is pretty disappointing. Your customers want to specify the types of passwords being generated in the suggestion field, so let us do so. Personally, I hate random-character passwords. They're a huge pain to deal with if I ever need to manually type in a password. So I like to use multiple word phrases instead. In order for me to do that, I have to manually generate a password (which still has next to zero customization).

    +1 for both things @vadimm suggested. I've found that most websites accept a 3-4 word phrase with a capital, lowercase, number, and symbol and would love to just make that the default. For instance, dale.Cupric.5yeah.

  • ag_ana

    Team Member

    Thank you for taking the time to share your feedback in this discussion as well @tc1p :+1: Perhaps this is something we can address in a future update, but if you want complete control over the generated passwords, you are correct that you will need to use the full password generator in the extension for the time being.

  • The problem with always using the generator is, the generator "remembers" your generated passwords, and stores them in the "passwords" category. This results in you getting a "duplicate password" banner on every site you generate a password for until you go delete the duplicated entry in passwords. There is no obvious way to turn this off either.

    The above, along with customer experience/ease of use, is why the most elegant solution would be to have the suggested password use the generated password rules that the user has already set up. This would not only solve the length issues, which I have as well since I default to a much HIGHER length and complexity than 20. It would also solve for those who wish to use a word-based password or readable password instead.

    To expound upon @vadimm's comment from above, another useful option for the generator would be the ability to put in a whitelist of special characters. It is very common where a site will provide the restrictions for a password, at least for complexity, and there is no way to limit the generator to match. I had to generate 10 passwords for a site yesterday to get a working password (See above why this is exacerbated, as I then had 10 extra passwords in the passwords category.).

  • nhat_1P

    Team Member
    edited October 16

    Hello @Jacrys, I would like to clarify that 1Password X does not create a password item when you use the password generator. It should only save the random password in the Generator History, and you can only access Generator History from 1Password X. Moreover, to generate a new password without copying or saving it, you can select the recycling button between the "Copy" and "Autofill" buttons.

    Could you also send me the link to the site with unique requirements that you had to create multiple passwords? I will do some tests and get back with what I find.

    All that said, we put users' convenience and security first when implementing the suggested password, and I will send your issue to the development team as a feature request for further consideration. Please be patient and stay up to date with the latest version of 1Password. That is the best way to get all the fixes and features we offer.

    ref: dev/projects/customer-feature-requests#66

  • I understand where you are coming from. However, the fact that I had to clear out 10 password entries that had been created in the last hour (relative to that time point) seems to cast doubt on your statement. I get that you are talking in "shoulds"... As in: "there is no known subroutine that should be doing that". I get it. I really do. I've been a software engineer for the past 10 years or so. But I am talking about actual experienced effects, in "dids" if you will. What those 10 years have given me is a much healthier respect for "dids" than "shoulds". While I still maintain the "it shouldn't be doing that" mentality, it is tempered with a healthy skepticism of how the software "should" behave.

  • I will get you that site as soon as I can though. I fully admit they had ridiculous requirements. 😊

  • nhat_1P

    Team Member

    Hello @Jacrys

    I appreciate your feedback. Understandably, you are not comfortable with "shoulds". However, sometimes we can only do our best and hope for the best, so a concrete answer right away is elusive at the time but rest assured that we take all feedback seriously to provide the best experience.

    Please take your time and let me know the link at your convenience.
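
Two points recur in this thread: the team's "entropy rather than length" argument and the users' request for an allowlist of symbols. The sketch below is an added example, not 1Password's code and not from any participant; every function name and the five-symbol site policy (period, comma, asterisk, dash, plus, as in the advisor-portal post) are assumptions made for illustration.

```python
import math
import secrets
import string

BASE = string.ascii_lowercase + string.ascii_uppercase + string.digits

def build_alphabet(allowed_symbols):
    """Letters and digits plus only the symbols the site accepts."""
    symbols = sorted(set(allowed_symbols))
    unknown = [c for c in symbols if c not in string.punctuation]
    if unknown:
        raise ValueError(f"not ASCII punctuation: {unknown!r}")
    return BASE + "".join(symbols)

def entropy_bits(length, alphabet_size):
    """Upper bound: uniform, independent choice of every character."""
    return length * math.log2(alphabet_size)

def length_for_bits(target_bits, alphabet_size):
    """Shortest length whose upper-bound entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(length, allowed_symbols):
    """Random password with a lowercase, uppercase, digit and allowed symbol."""
    alphabet = build_alphabet(allowed_symbols)
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if allowed_symbols:
        classes.append(allowed_symbols)
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    while True:
        # Draw from the OS CSPRNG and retry until every class is present;
        # rejecting candidates costs a little entropy relative to the bound.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

if __name__ == "__main__":
    site_symbols = ".,*-+"  # constructed site policy, not a real site's rules
    full = len(BASE) + len(string.punctuation)
    narrow = len(build_alphabet(site_symbols))
    print(f"20 chars, all symbols: {entropy_bits(20, full):.1f} bits")
    print(f"20 chars, 5 symbols:   {entropy_bits(20, narrow):.1f} bits")
    print("length to match:", length_for_bits(entropy_bits(20, full), narrow))
    print("sample:", generate(22, site_symbols))
```

Under these assumptions, narrowing the symbol set from all 32 ASCII punctuation characters to five costs roughly ten bits at 20 characters, and two extra characters recover it.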
