[Feature Request] Specify valid symbols in password generator

kajsa_a
kajsa_a
Community Member

Every site has different requirements for what symbols they support, and I end up needing to generate 5-6 passwords to get one that will work, or manually replace the generated symbol with one that a given site likes. It would be really nice to be able to enter a list of characters in the password generator to use as valid symbols.


1Password Version: 6.5.3
Extension Version: 4.6.2.90
OS Version: 10.10.5
Sync Type: Dropbox
Referrer: forum-search:Feature request

Comments

  • Pilar
    Pilar
    1Password Alumni

    Hi @kajsa_a

    Thank you for letting us know what you'd like to see in 1Password! We've heard some ideas related to the password generator and the controls that we offer, and I'll add yours to the list ;) The real solution would be if sites were to stop having all those crazy (and more often than not unhelpful) conditions on their passwords and just allowed you to make them as long as you want. Meanwhile, we'll keep your suggestion in mind and see where it goes :chuffed:

  • bigpawed
    bigpawed
    Community Member

    I came here to ask for the same thing. The password generator requires way too much effort (and repeat use) on my part. It's conceivable you could even scan the page for the requirements -- that'd be slick!

    At the least, it needs a "these are the only valid symbols" and conversely a "do not include these". Considering that the requirements are often based on database special characters, I should think you could leave off the ones obvious to cause trouble.

    I'd also like the generator to be able to decide for itself what the most secure combination of digits and symbols is. I spend too much time fiddling with them to make the strength go up.

    One last thing: grabbing that slider to set the length is a real pain! It's too hard to get the number I want (tends to be just short of or past the target). Better to enter a value. Thanks!

  • Drew_AG
    Drew_AG
    1Password Alumni

    Thank you for your feedback, @bigpawed!

    It's conceivable you could even scan the page for the requirements -- that'd be slick!

    That would certainly be a great feature! However, there's really no feasible way of doing that, as password requirements work differently on most sites, and apps don't have any way of "scanning" a web page to see what those requirements are - websites don't present the requirements in a standard way that other apps can read/understand. Even if it was possible, we would probably have to add custom code for nearly every single website.

    At the least, it needs a "these are the only valid symbols" and conversely a "do not include these". Considering that the requirements are often based on database special characters, I should think you could leave off the ones obvious to cause trouble.

    We wouldn't remove certain symbols from the password generator completely, so if we addressed this, we would need to add some sort of feature to allow the user to specify which symbols cannot be used. Hopefully we'll find a way to do that which doesn't add too much complexity to the interface.

    I'd also like the generator to be able to decide for itself what the most secure combination of digits and symbols is. I spend too much time fiddling with them to make the strength go up.

    That shouldn't really be necessary as long as you're generating long passwords. What do you use for the "length" setting in the password generator?

    ...grabbing that slider to set the length is a real pain! It's too hard to get the number I want (tends to be just short of or past the target).

    Hmm, I don't know why that would be a problem. I'm able to click & drag the sliders left or right to decrease or increase the number to what I want, then let go of the mouse or trackpad button. Can you please elaborate on what you see and what happens when you click & drag a slider in the password generator?

    Thanks in advance! :)

  • bigpawed
    bigpawed
    Community Member

    If you can't read the contents of the page, perhaps the user could copy the symbols and 1P could either recognize the contents of the clipboard or have a field for pasting the text. A toggle to say "use only these" or "exclude these" would be needed. I was thinking the user might copy the whole text of the instructions "Make it less than 20 characters and do not include *./" and 1P would figure out what that meant. That would be a lot nicer than having to set the length and the include/exclude. I don't see this as having to be site-specific; some general intelligence would be sufficient, and if its understanding is wrong, the worst is that the user has to adjust the settings.

    I always set the length to be the maximum that the site allows. Regarding the slider, I'm using a magic trackpad, and small movements generally are not consistent. So if the slider is at 29 and I want to make it 30, it tends to jump up to 31 or 32, and I have to adjust down, and back up, and so on. Obviously the length is not so critical, but it's an annoyance, and the password generator is already annoying to use anyway what with its tendency to generate passwords that don't meet all the specifications of a given site. (Typically this means including an illegal character.)

    I hope that helps.

  • Drew_AG
    Drew_AG
    1Password Alumni

    Thanks again for sharing your ideas with us, @bigpawed! It's unfortunate that some websites have these kinds of restrictions in the first place, as that just leads to weaker passwords. Instead of adding options in the password generator to help create weaker passwords, we'd rather encourage those sites to remove their restrictions so people can choose more secure passwords. That doesn't mean we won't make changes to the password generator that would make it easier to meet certain requirements, but we prefer to focus on helping customers make things more secure, not less.

    Of course, that means customers like you are forced to take extra steps to generate a password that is compatible with a certain site, and that's not an ideal situation either. It can be difficult to find the right balance between security and convenience! ;)

    For now, remember that you can edit a password in the generator before using it on a website. So if you generate a password that has symbols the site won't accept, you can delete those from the password before filling it. That might not be as convenient as setting some preferences ahead of time to prevent those symbols from being used, but I wanted to mention it in case it helps.

    We're here for you if you need anything else! :)

  • josste
    josste
    Community Member

    I agree with the fact that any "Complexity Enforcements" are in fact a loss of security. Nevertheless they are there. I most frequently use the app for generating my AD account accesses, and we have restrictions such as must contain at least two capital letters, two lowercase, and two numbers. Allowing us to define rules such as those for certain accounts (not autodetecting) would be greatly helpful.

  • Drew_AG
    Drew_AG
    1Password Alumni

    @josste, generating a password with at least two capital letters, two lowercase, and two numbers shouldn't be a problem at all (unless perhaps you have the generator set to create very short passwords). Every password I generate always has many capitals letters, lowercase letters, and numbers. So you shouldn't need any additional settings for that. Are you having trouble generating passwords that meet those requirements?

  • josste
    josste
    Community Member

    There is an extra requirement, which I have not mentioned here, because I think it reduces the attack range too much, but passwords have to be exactly eight characters long, and when the password generator is set to 8, it doesn't meet all those requirements... Sometimes one of the categories is left out completely, eg numbers in the generated password, even though the checkbox for the corresponding category is set.

  • Drew_AG
    Drew_AG
    1Password Alumni

    @josste, ah, that explains it. It's very unfortunate that account has those restrictions on passwords! Hopefully the people in charge of that will soon realize the error of their ways and allow users to protect themselves with more secure passwords.

    Thanks for your feedback on this. Have a great weekend! :)

This discussion has been closed.