Setting Preferences for Special Characters

This really applies to all 1Password versions so you can move this to a different forum if you want.

It would be nice if 1Password would allow the user to choose from a list the special characters 1Password will use when generating passwords. Many sites limit the special characters to a finite list and it is frustrating to generate a password in 1Password only to have to edit it to remove characters such as [, {, etc. because the website does not allow them. Alternately, 1Password would allow a preference to only use a smaller set of special characters versus all special characters currently available to 1Password.

It seems to me that the special characters !@#$%^&* are pretty much universally accepted (note I said "pretty much") so if 1Password would generate passwords with only those special characters I think it would make things easier for users.



Comments

  • Lars Junior Member

    Team Member

    @Michael Shingledecker - yeah, it's a problem that's never going to have a 100% solution, owing to how many different ways there are to set up a login page's requirements for the end user. Too often, websites don't even let you know you've violated one or more of their password policies until AFTER you violate them. A little JavaScript pop-up will appear, telling you that you can use only certain characters or no more than 20 total, or various other requirements/prohibitions for passwords. I've never understood this -- I would think a webmaster would want people to be able to sign up quickly and effectively, not do it by trial and error...but this happens way more often than it should.

    We're looking at ways the password-generation process can be made more useful and flexible without becoming overly complicated for less-technical users to navigate, but I don't have anything to announce on that score right now. It's definitely something we want to improve, however.

  • Thanks for the response. I agree with your assessment.

  • Lars Junior Member

    Team Member

    :):+1:

  • I came here to post on this topic as well but I figure I'll chime in here. It seems to be arbitrary what special characters 1Password does suggest (I don't see Cyrillic or emojis, for example) so it would be nice if it would suggest fewer. Most password resets don't seem to suggest {}[]~+= and such. Perhaps it's a limitation of the language, database backend, or they don't want to risk it causing problems. Some may also not let a special character be the first character as well.

    I'd be more apt to generate choosing from a couple of popular symbols (eg @!) and rely on the randomness of the standard alphanumerics to satisfy their password requirements while also being complex.

  • Ben AWS Team

    Team Member

    @jwms

    Considering how terribly many databases are designed I shudder to think what might happen if we tried to stuff emoji into password fields and the website didn’t properly sanitize for that. The symbols we’ve chosen tend to be the most commonly allowed ones while also balancing that against having good entropy. It’s true that many websites limit symbol choice to just a handful, and that is troublesome. We do hope to find a way to do better in this regard, and hopefully websites will improve and allow for further diversity of symbols as well. Thanks for the feedback.

    Ben

  • hesspaul Junior Member

    I came here to post about the same topic.

    In my experience these sites usually show the password rules to the right or in a little popup. I'd love to be able to copy that list of allowed characters and paste it right into 1P's regenerate password form to limit the characters it will use.

  • brenty

    Team Member

    It's pretty rare that I even see a list like that, but perhaps in a future version of 1Password we can add a way to specify like that. Thanks for the feedback! :)

  • As a temporary workaround, could we at least be able to edit the generated password in the revealed field?

    It’s infuriating when you just want to swap a special character and you have to count the dots (iOS) to hopefully place the cursor right after the character you want to change.

  • Lars Junior Member

    Team Member

    @kebel87 - it's certainly something we can consider. :)

  • Recently, many of the new passwords generated by 1Password have failed site requirements because they've lacked a special character. I prefer using 1Password for generating passwords than using the Mac-generated passwords, but this is becoming tiresome.

    Why doesn't 1Password have a setting to choose to include a special character in every password?

  • Ben AWS Team

    Team Member

    Hi @theshovel,

    I'm sorry to hear you're having trouble generating passwords. 1Password for Mac does have that option:

    1Password X does as well:

    Where are you generating passwords where you aren't seeing the option to include symbols?

    Ben

  • Just adding my support for the ability to filter the special characters used by the password generator due to sites limiting which characters they will accept (but often require).

    Also, is there a way to filter the criteria for a password suggestion in the 1Password pop-up for a "new password"?

  • Lars Junior Member

    Team Member

    Welcome to the forum, @couchmantim! Thanks for adding your voice to the suggestion. I'm not sure what you mean by "filter the criteria for a password suggestion in the 1Password pop-up..." -- can you elaborate? Or maybe take a screenshot of what you’re referring to? Thanks.

  • I am loath to bring up the competition, but I think KeePass has an elegant solution to this problem: A simple field where the user can type the series of special characters that the password generator is allowed to use.

    The solution is elegant, because it covers any variation of forbidden or allowed special characters. You could even provide a check box that inverts what the special characters mean, i.e. either "only use these special characters" or "do not use any of these special characters."

    This way there are no profiles that need to be maintained or updated, the UI is kept simple and clean (just one extra text box and a checkmark), and any use case (web page allows or disallows a specific set of special characters) is covered.

  • Lars Junior Member

    Team Member

    Welcome to the forum, @swimmable9cultural! Thanks for weighing in. :)

  • As a paying customer, I would like to see an option which allows me to edit the special characters that can be used in the generation of the new password.

  • Ben AWS Team

    Team Member

    Thanks for the feedback @conradwt. :)

    Ben

  • Hello, I'd like to root for the option to be able to specify a list of special characters the generator can take in account when generating a password.

    Cheers!

  • brenty

    Team Member

    Thanks for letting us know that's something you'd like us to add in the future. :)

  • Me too. I'm very disappointed in this response from 1Password (again). This has been an outstanding request from users for several years now. It is a major frustration and impediment to regularly changing passwords. That and websites that restrict the password to no more than 12 characters and numbers.

  • Ben AWS Team

    Team Member

    > That and websites that restrict the password to no more than 12 characters and numbers.

    Hopefully those are becoming fewer and further between. 12 characters isn't terrible, but 50 is much better.

    > Me too. I'm very disappointed in this response from 1Password (again). This has been an outstanding request from users for several years now. It is a major frustration and impediment to regularly changing passwords.

    We did recently make some changes to the password generator that should help with this. We now exclude some of the less frequently accepted symbols. We are continuing to evaluate how to make this even better. That said, regularly changing passwords shouldn't be necessary. The latest recommendation from NIST is: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." (NIST 800-63-3). As such, unless required, we don't recommend regularly changing generated passwords.

    Ben

  • Since every site will be different, can't you save the character preference per entry? The default will be all the characters, but if I have a password for Google and it only allows !@#$*()[]{} in the password, I should be able to save it in that entry and the next time I generate a random password, it should use that preference saved in the entry.

  • brenty

    Team Member

    It's something we may do in the future, but it doesn't really scale. It would be cool to find a way to securely and privately crowdsource something like this.

  • IMHO, it would be relatively easy to create an option to use a subset of special characters. Of course it wouldn't be perfect but would probably work for 90% of sites. I end up always turning "special characters" OFF because it becomes so frustrating generating an acceptable password. Sort of defeats the purpose. This really is not a difficult addition. Pretty please?

  • brenty

    Team Member

    1Password already uses a subset of special characters to avoid compatibility issues and bugs with websites with certain ones: [email protected]_* It's worth noting that the use of special characters does not magically grant a password better security properties. Entropy is the key, and the vast majority of it comes from just the alphabet, since you've got 52 characters total between uppercase and lowercase, with numbers making a small (10) contribution, and symbols serving merely to satisfy antiquated "password requirements" in most cases.
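
An added example, not from the thread and not 1Password's or KeePass's code: a generator driven by the single text field plus "invert" checkbox proposed above, with the entropy calculation brenty's reply refers to. The function names and the use of Python's string.punctuation as the full symbol set are assumptions made for this sketch.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits      # 62 characters
ALL_SYMBOLS = string.punctuation                  # 32 ASCII symbols (assumed base set)


def symbol_pool(field, invert=False):
    """Turn the user's text field into the set of symbols to draw from.

    invert=False: "only use these"; invert=True: "do not use any of these".
    Whitespace, letters and duplicates in the field are ignored.
    """
    typed = [c for c in dict.fromkeys(field) if c in ALL_SYMBOLS]
    if invert:
        return "".join(c for c in ALL_SYMBOLS if c not in typed)
    return "".join(typed)


def generate(length, field, invert=False, require_symbol=True):
    """Uniformly random password over ALNUM + the chosen symbols."""
    symbols = symbol_pool(field, invert)
    if length < 1 or (require_symbol and not symbols):
        raise ValueError("need length >= 1 and a non-empty symbol set")
    pool = ALNUM + symbols
    while True:
        # Rejection sampling keeps every valid password equally likely,
        # unlike forcing a symbol into a fixed position.
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if not require_symbol or any(c in symbols for c in pw):
            return pw


def entropy_bits(length, n_symbols, require_symbol=True):
    """log2 of the number of passwords generate() can return."""
    total = (len(ALNUM) + n_symbols) ** length
    if require_symbol:
        total -= len(ALNUM) ** length      # drop the all-alphanumeric ones
    return math.log2(total)


if __name__ == "__main__":
    for label, field, inv in [("only !@#$%^&*", "!@#$%^&*", False),
                              ("all but []{}", "[]{}", True)]:
        n = len(symbol_pool(field, inv))
        print(label, generate(20, field, inv), round(entropy_bits(20, n), 1))
    print("letters+digits only", round(entropy_bits(20, 0, False), 1))
```

For a 20-character password, letters and digits alone give about 119.1 bits; adding the eight symbols !@#$%^&* and requiring at least one of them gives about 122.5 bits, so restricting the symbol list to what a site accepts costs very little.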

  • Just chiming in as well. Being able to customize the list of special characters the password generator uses would be huge. I often have to turn special characters off for generated passwords and then have to insert an "allowed" special character that the site will accept.

  • Ben AWS Team

    Team Member

    Thanks @JohnnyV. We appreciate the perspective on this issue. :)

    Ben

  • I would like to add another voice of support for this capability. I understand the 1Password team has a rather dogmatic approach to this but the huge corporations we have to interact with are not likely to be swayed by customers and in the meantime you have removed the field to specify the number of special characters in the password generator so it is even harder to get a random password without a forbidden character. You could prevent a lot of frustration from your users by putting in this capability.

  • Ben AWS Team

    Team Member

    > the huge corporations we have to interact with are not likely to be swayed by customers

    Certainly not with that attitude. ;)

    > and in the meantime you have removed the field to specify the number of special characters in the password generator so it is even harder to get a random password without a forbidden character

    Your point is well taken. The challenge is coming up with a solution that:

    1. Isn't compromising of security to any significant degree
    2. Can be expressed in an easy to use UI

    It isn't a problem we're oblivious to or ignoring, we just haven't come up with a solution that fits the bill as of yet.

    Ben

  • These answers are dismissive and borderline condescending. It is well known that a vast number of websites limit which special characters are allowed, but still require at least one special character. This has been the situation for years. Stop telling us that it is the fault of the websites we are trying to access.

    Please explain why you cannot provide a field under "settings" where we can specify the special characters we want to allow.

    I am just starting my trial period with 1Password, but this special character issue may be a real show-stopper for me.
