Password generator differences

I have noticed that the two 1Password clients that I have been using have different character-based random password generators. 1Password 7.2.4 on macOS has sliders to select the number of digits and the number of symbols in the resulting password, whereas 1Password 7.0.9 on Android has simple toggle switches to control whether or not those character classes are included as candidates. I am curious about just how much password entropy is being sacrificed on the macOS version (where, frustratingly, it is more convenient to update passwords than on a mobile device). I was also interested in where I should set those sliders to maximize password entropy (assuming no antiquated character restrictions).

Not knowing the details of either password generator algorithm, I made some assumptions about how they work based on observation of the output. I'm guessing the Android version simply chooses a random character from the 94 printable non-whitespace ASCII characters for each position. This makes it trivial to calculate the possibilities. The macOS version is much trickier, because we first need to find the number of permutations of the character class entries in the resulting password. The math is a bit complicated to describe, so I won't go into it in detail here, but I did make a spreadsheet to play around with it and test my guesses.

It's possible that I've made an error (and if so, I would welcome corrections), but I'm fairly confident in what I found:

  • The amount of the decrease in entropy depends on the numbers of different character classes selected. This is unsurprising, as there are 52 letters, 32 symbols, and only 10 digits.
  • To maximize the number of possibilities in the final result, the sliders should be set so that the three character classes have the same relative ratios as their number of members. For example, in a 9-character password, the best you can do is have 5 letters, 1 digit, and 3 symbols.
  • The total amount of entropy decrease is worth noting (it can be compensated for by adding just one more character), but if there's a maximum length of, say 8 characters, you still have 9 times as many possibilities when using the simpler generator from the Android version.

I'm guessing the more complex generator is the older one, and was designed to satisfy some of those character restrictions in passwords. In my recent experience with web sites that still use those types of restrictions, this doesn't help, as they almost always have some secret list of symbols that are allowed (often different from the published list), and I need a much more specific set of controls to satisfy them. I would much prefer the version of the generator used by Android, as it requires less of me and also has more possibilities for the output.


Comments

  • I should also point out that, though the passwords generated by the more complex version do have fewer possibilities, that doesn't mean they're necessarily quicker to crack, unless the attacker knows how many of each character class are included.

  • rob
    edited February 2019

    Hi, @gedankenexperimenter.

    Wow, I'm not sure how I didn't see this thread sooner. I gave a talk about all of this back in November at PasswordsCon in Stockholm and am very interested in the subject. :) If you watch the talk, I apologize in advance for the poor audio quality.

    You're correct on almost all counts.

    • The slider generator is the older version, yes. The plan is to replace it with the toggle version everywhere eventually.

    • Your spreadsheet correctly calculates the entropy of passwords generated on macOS given the character set sizes you used. I show an equation for this at 1:55 in the video linked above. It's slightly different from your version, but they are equivalent.

    • It looks like you got your character set sizes from our public SPG repo here: https://github.com/1Password/spg/blob/master/char_gen.go#L13. That library is what is in use by 1Password for Android, so the sizes in your spreadsheet are correct for Android.

    • However, the entropy calculation for Android is incomplete. Each enabled character set is required to be represented, so if you enable digits and symbols, for example, the generator will discard any candidate passwords that contain only letters or only letters and digits, etc. This brings the entropy down just slightly but it increases the usability of the generator since usually the intent of turning on digits or symbols is to require one of those in the resulting password. The equation for this is much more complicated than the equation for the slider version, and explaining it takes up the majority of my talk linked above.

      I'm no spreadsheet expert, but it might not be possible to write the equation there since it's recursive. If you'd like to play with it though, check out the passwordscon/demo CLI in the SPG repo: https://github.com/1Password/spg/tree/master/passwordscon. You can run ./demo --length=8 --allow=lowercase,uppercase --require=digits,symbols --exclude=ambiguous --entropy to find that the actual entropy is 48.64.

    • Finally, the Mac app uses a slightly different set of symbols than the Android app (open source SPG). It has 29 total symbols and 21 non-ambiguous symbols, so that will tweak your numbers in the spreadsheet just slightly, in this case just from 44.68 to 45.26.

    Thanks for your post and curiosity! :)
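The counting that the original post and rob's reply describe, as an added Python example (it is neither the original poster's spreadsheet nor 1Password's SPG code). It assumes the class sizes the original poster used (52 letters, 10 digits, 32 symbols, i.e. the 94 printable non-space ASCII characters); the real apps use different and smaller symbol sets, so substitute your own sizes. The "slider" model fixes how many characters of each class appear and counts the arrangements with a multinomial coefficient; the "toggle" model draws every position from the union of the enabled classes and, as rob explains, discards candidates in which a required class is absent, which is counted here by inclusion-exclusion.

```python
"""Entropy of the two character-password generator models from the thread.

Class sizes below are an assumption taken from the original post (52 letters,
10 digits, 32 symbols = 94 printable non-space ASCII characters).  They are not
the sets the 1Password apps actually ship; change CLASS_SIZES to match yours.
"""
from math import factorial, log2

# Assumed class sizes (the original poster's numbers), not the apps' real sets.
CLASS_SIZES = {"letters": 52, "digits": 10, "symbols": 32}


def slider_count(n_letters, n_digits, n_symbols, sizes=CLASS_SIZES):
    """Distinct passwords with exactly the given per-class counts ("slider" model).

    Which positions hold which class: a multinomial coefficient.
    Which member of each class fills each position: size ** count.
    """
    n = n_letters + n_digits + n_symbols
    arrangements = factorial(n) // (
        factorial(n_letters) * factorial(n_digits) * factorial(n_symbols)
    )
    return (
        arrangements
        * sizes["letters"] ** n_letters
        * sizes["digits"] ** n_digits
        * sizes["symbols"] ** n_symbols
    )


def best_slider_split(length, sizes=CLASS_SIZES):
    """Search every (letters, digits, symbols) split of `length`, including
    splits with a zero count, and return the split with the largest output
    space together with that size."""
    best_split, best_count = None, 0
    for digits in range(length + 1):
        for symbols in range(length + 1 - digits):
            letters = length - digits - symbols
            count = slider_count(letters, digits, symbols, sizes)
            if count > best_count:
                best_split, best_count = (letters, digits, symbols), count
    return best_split, best_count


def toggle_count(length, enabled, required=(), sizes=CLASS_SIZES):
    """Strings of `length` over the union of `enabled` classes in which every
    class in `required` appears at least once ("toggle" model).

    Inclusion-exclusion over the subsets S of `required` that are absent:
    sum over S of (-1)**|S| * (alphabet - |chars in S|) ** length.
    With nothing required this collapses to alphabet ** length.
    """
    required = list(required)
    if not set(required) <= set(enabled):
        raise ValueError("required classes must also be enabled")
    alphabet = sum(sizes[c] for c in enabled)
    total = 0
    for mask in range(1 << len(required)):
        absent = [required[i] for i in range(len(required)) if mask >> i & 1]
        sign = -1 if len(absent) % 2 else 1
        total += sign * (alphabet - sum(sizes[c] for c in absent)) ** length
    return total


def entropy_bits(count):
    """Entropy in bits of a uniform choice among `count` equally likely outputs."""
    return log2(count)


def compare(length, sizes=CLASS_SIZES):
    """Both generators at one length: best slider split and its entropy, the
    unconstrained toggle entropy, the toggle entropy with digits and symbols
    both required, and how many times larger the toggle space is."""
    split, slider = best_slider_split(length, sizes)
    classes = ("letters", "digits", "symbols")
    toggle_any = toggle_count(length, classes, (), sizes)
    toggle_req = toggle_count(length, classes, ("digits", "symbols"), sizes)
    return {
        "best_split": split,
        "slider_bits": entropy_bits(slider),
        "toggle_bits": entropy_bits(toggle_any),
        "toggle_required_bits": entropy_bits(toggle_req),
        "toggle_over_slider": toggle_any / slider,
    }


if __name__ == "__main__":
    for n in (8, 9, 12, 20):
        r = compare(n)
        print(f"length {n:2d}: best slider split (L,D,S)={r['best_split']} "
              f"{r['slider_bits']:.2f} bits | toggle {r['toggle_bits']:.2f} bits | "
              f"toggle, digits+symbols required {r['toggle_required_bits']:.2f} bits | "
              f"toggle/slider {r['toggle_over_slider']:.1f}x")
```

With the assumed sizes the search confirms the original post: at 9 characters the best slider setting is 5 letters, 1 digit and 3 symbols, and at 8 characters the unconstrained toggle generator has roughly nine times as many outputs as the best slider setting (about 3.1 bits more). It also shows rob's point: requiring digits and symbols in the toggle model costs well under a bit at length 8, far less than what the slider model gives up. The script does not reproduce the 48.64-bit figure from the SPG demo, because that depends on the exact characters the ambiguous-exclusion removes from each class, which the thread does not list; plug the real class sizes into `CLASS_SIZES` to get the numbers for a particular client.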

  • kensec
    Community Member

    If I understand correctly, the slider version of the password generator will be replaced. If so, I am disappointed that the slider version of the password generator won't be available. I need the ability to generate passwords with only digits as required by some applications and, believe it or not, some sites only allow a single special character. I find I am editing the generated passwords to meet the site/application requirements.

  • Thanks for sharing your perspective on this @kensec. You are correct in that we are moving away from sliders. I will however mention this feedback next time we're brainstorming about the direction we're going with the password generator.

    Ben

  • jpgoldberg
    1Password Alumni

    I need the ability to generate passwords with only digits as required by some applications

    That's not uncommon, @kensec. While I don't know what the user interface (UI) will eventually look like, I expect there to be a "PIN" mode presented in some way or other.

    The command-line utility (still in very experimental days), based on the new generator, does allow for this:

    $ opgen characters --allow=digits --length=8
    37478343
    

    On the whole, we've been trying to simplify what is exposed in the UI in 1Password for password generation, while at the same time we've actually made the underlying engine more powerful. This gives us the flexibility to tinker with what we do offer in the UI over time. That is, with the old generator it was "what you see is all you get". Pretty much everything that the old generator was capable of underlyingly was presented in the UI. Now that we have a more powerful underlying generator, we don't expose its full power in the UI, but we can adjust what is exposed without having to rewrite the generator engine.

    This makes comments and observations like yours very valuable, as we now have the capability to expose more features.

  • wavesound
    Community Member

    I just stumbled into this thread but learning that the generator toggles are leaving is a bit concerning since around 30-40% of the sites that I navigate to have arbitrary length and character type restrictions. So I’ll have to chime in and echo my concern as well along with @kensec .

  • Thanks @wavesound. We want the password generator to be as helpful as possible, while not making it overwhelming or overly complex for less technically literate folks. It is a difficult balance to strike.

    Ben

  • prime
    Community Member
    edited April 2019

    I saw this today on my Windows computer. I like the slider so much better than what it is now. Please bring back the slider.

    Edit: I got a prompt to change one of my work passwords. I forgot the limitations I have. One site lets me have 1 number and 1 number only. So I have to “customize” the password. Please bring back the slider, it’s making more work for me.

    These are old sites and the funny part (or sad) they only work in Internet Explorer. Maybe one day they will let me add a special character to my passwords.

  • ravensorb
    Community Member

    I was curious -- what are the plans to simplify password generation and provide a lot more consistency across the different interfaces? For example, I would expect that the configuration settings I have in the desktop app would be leveraged by the browser plugin. I have a LOT of applications that do not support characters like * % ? -- so I have a tendency to configure it to use multiple words with a valid character delimiter. The issue is, the browser plugins do not leverage the app settings, so I need to forgo using the browser to generate passwords (which is rather annoying).

    Thoughts?

  • Lars
    1Password Alumni

    Hey @prime - as jpgoldberg and Ben mentioned, this is something I don't think we'll be bringing back; at least, not in that specific form. As you observed, these are older sites that will (one would hope) be updated in the not-too-distant future. Even if not, the number of such instances is decreasing over time naturally; I'm not sure how often you have to generate new passwords for the gradually-decreasing number of sites like this, but I'm not sure it makes sense to build the next (and hopefully forward-looking) iteration of the password generator around the needs of sites stuck in the past. Don't worry, however, you'll get a chance to play with things long before anything's set in cement, via the beta channel. :)

  • prime
    Community Member
    edited April 2019

    @Lars I can promise these sites will not be updated anytime soon. Most enterprise companies are behind; heck, one company is dealing with Windows XP at their office (thank goodness it’s not our company). This is a company who does telecommunications. I’m now dreading the other sites where I have to change my password every 90 days. So every 90 days (and not at the same time) I’m going to have to deal with this.

    This is how far behind some of the companies we work for are. One only lets me use an 8 letter password only. One (as far as I know, just this one) only lets me have 1 number. One company’s passwords aren’t case sensitive. One company I do stuff for, the screen is black and has a big green cursor.

  • I'd bet they'd update if these poor practices resulted in a data breach that were to go public. :( In any event, we'll continue to evaluate how we can better present the UI for the password generator. As jpgoldberg mentioned above the underlying generator is quite powerful... the question is how to expose that in a way that doesn't scare off less savvy customers.

    Ben

  • gordcook
    Community Member

    @Ben,

    I've said this before and I'll mention it again. I think it would be great if the password generator had a really simple UI by default. However, in the settings control panel, there could be a toggle that exposes a power user interface to the password generator.

    I think that would satisfy Marketing's desire to keep the UI as simple as possible, but still give the customers the power that many people need today and will continue to need for the near future. I personally think that this is a good compromise that would make most people happy (you can't please everyone).

    Gord.

  • Thanks @gordcook. As you've probably heard in other threads our development team has a fairly strong resistance to adding additional preferences / settings, strongly favoring choosing sensible defaults. That said, this may be a case where a strong argument could be made. I'll bring the topic up with development and see what the best way we can approach this is.

    Ben

  • prime
    Community Member

    @Ben they won’t. Sadly it’s cheaper to fix from a massive breach than to update everything. I’ve heard many IT people even say this across all the companies that my company works for. We are a small company and our stuff is more up to date than the big wigs that we work for. Sadly, everyone in the USA uses some kind of product from one of these companies.

    I like @gordcook idea. I would hate to have to get a different password manager just for my work stuff. I shouldn’t have to do all of these work arounds just to change a password.

  • Lars
    1Password Alumni

    @gordcook - it isn't just "marketing" (in fact, it's not really that at all) which makes us leery of too much UI clutter. It's a long-held and pretty stubborn belief that good design isn't (just) about how something looks, but about how it works. We've all seen more than a few examples of products whose designers appear to have decided, at some point along the line, "ah, heck with it: just give 'em every option," either out of frustration or even out of a belief that more "configurability" translates into a better experience and more satisfied users. We don't think this is true, most of the time. We agree it's not our job to think for you or make 1Password too rigid or difficult to use and un-adaptable to various circumstances, but we also believe that it's our job to be creators of a first-class password management solution that can manage to be powerful enough for the more-demanding and knowledgeable users while remaining unintimidating and not off-putting for newer users who deserve good security too, even if they don't know what an elliptic curve is or when it's appropriate to use cipher block chaining mode or Galois-counter mode. ;)

    We may very well end up with something similar to what you're suggesting, but don't be surprised if it doesn't include every asked-for or wished-for power user feature. It's sometimes a difficult balance to strike, between making a product that's great for beginners but no really experienced person would use, and one that's full-featured enough for "Pros," but which makes the average person feel inadequate and/or like they're in the wrong place. But striking that very balance is our goal. :)

  • gordcook
    Community Member

    @Lars, I appreciate that you're taking it seriously. I feel like you've given us this Lamborghini, but in the future you're only going to ship with an automatic transmission. ;)

    The way I see it, to reduce the number of options, you're either going to be creating passwords that are too complex for many of our sites (forcing people to choose passwords), or cripple it down to the lowest common denominator. Neither of these is good for security as a whole.

    Anyway, I see that I've made my point so I won't bring it up a 3rd time. :+1:

  • AGAlumB
    1Password Alumni

    :) :+1:

  • jpgoldberg
    1Password Alumni

    We've made some changes to the default symbol set used by the password generator. These haven't yet percolated to the various 1Password clients yet, but they should start to appear "any day now". The new default symbol set is !@.-_*, while the old one was !#%)*+,-.:=>?@]^_}~.

  • gazu
    Community Member

    Given that a 70 bit poorly hashed password is going to be near the very edge of what could plausibly be cracked by any entity on earth, I feel that this reduction in strength of generated passwords for the default case is acceptable. Users can choose longer passwords.

    I would like to see an option for the old set (i.e. the implied 'non-default' case) but I understand this may be in contrast to the KISS principle.

  • but I understand this may be in contrast to the KISS principle.

    Indeed. :)

    I would like to see an option for the old set (i.e. the implied 'non-default' case)

    Thanks for the feedback. :+1:

    Ben

  • prime
    Community Member

    So I got an email from the owner of my company and he wants to know more about 1Password. He sent the same one to a friend at work who uses Dashlane as well, and another coworker that I know uses Lastpass. I am meeting him next week, but as long as there is this obstacle, I can’t recommend this for the company. Too many sites we use, we have limitations.

    My mom also texted me asking what happened. She actually likes using as many numbers or characters as she wants. I feel this is a step backwards. This is like Apple telling me what I can and cannot do.

  • She actually likes using as many numbers or characters as she wants.

    Why? :) We're still working on improvements for the password generator, so it would help to understand the specifics.

    Too many sites we use, we have limitations.

    Could you please provide some examples? If the sites aren't publicly accessible... what are the requirements they have?

    Ben

  • prime
    Community Member
    edited April 2019

    @Ben she’s like me with this. If I’m able to use a certain amount of characters, I added or subtracted the number and/or special characters with it. It’s how I do things and how she does it too. For every so many characters we can use, we change how many numbers/special characters we have in it. Personally I don’t want too many, but I want something I know it’s enough and I’m happy with it.

    The sites are not public for these companies. The one that I have to change every 90 days only lets me have 1 number, but it has to have a number. This is the site I learned of the changes you guys did. I can have 25 characters, but one has to be a number, and I have to have a number. When I changed it, I didn’t pay attention how many numbers I had. I put the new password in and I got an error, and I said WTH? My co-worker was next to me and said “yeah, remember, only 1 number, so check that.” The new password had 3. So I figured I would just move the slider for how many numbers and there wasn’t one. So I had to do a work around and was not pleased. This site, most everyone in the company uses. The other sites have not prompted me to change the passwords yet, but I know they are just as goofy. I just know one site isn’t case sensitive (yes, scary).

    So because of this, I no longer can even say to the owner we should use 1Password, because I’m not about to have co-workers mad at me because of this work around. Us users should have control how we want our password to be. Back in the day when iCloud Keychain came out for iOS, we had to use a certain way that the keychain gave us. I think it was xxx-xxx-xxx-xxx (the x’s were mixed numbers and letters, but the - was the only character) and I did not like this. 1Password let me do whatever I wanted, and it was removed, why? So now every 90 days I know at least for 1 site I have to do a work around to change the password. Why are you guys making this a pain for me? It shouldn’t be. At all. I’m not happy at all I cannot make a password to what I need it to be.

    I gave my wife a heads up because I know she deals with government sites. And we all know most government sites are stuck in the past. She wasn’t happy.

  • AGAlumB
    1Password Alumni
    edited April 2019

    If I’m able to use a certain amount of characters, I added or subtracted the number and/or special characters with it. It’s how I do things and how she does it too. For every so many characters we can use, we change how many numbers/special characters we have in it. Personally I don’t want too many, but I want something I know it’s enough and I’m happy with it.

    @prime: I get where you're coming from, but that sounds like a lot of work. And, frankly, it's better for security to just use something random. Users having direct "control" over the composition of passwords is exactly the problem that 1Password was created to solve. The less human interference, the better the password. It takes only a few clicks to refresh/regenerate until you get a password with the specific number of digits needed, and then you've got a password that's still got great entropy. I think the new 1Password mini design in the Mac app makes that more accessible too. I'd be curious to hear what you think if you're able to try the beta.

    At the end of the day, I can't remember the last time I encountered a website that only allowed a specific number of digits/symbols (even testing websites that customers mention -- though I often see some that require at least one digit), so it's helpful to know that you're encountering this somewhere even now. I'm just not sure it's reasonable to go back to the old method (which results in less entropy and therefore weaker passwords) because a handful of people are running into this limitation with a few specific sites, but it's absolutely something we'll keep in mind as we continue to iterate on the password generator design.

    The real concern is that most people (though I suspect not you) who encounter something like this once would set their digits to "1" and leave it there indefinitely. So it's tough to justify making a change like this which could affect a large number of users just to help a few. But I do think it would be nice if we find a way to give more control in general with the password generator while avoiding these kinds of pitfalls that effectively make everyone more prone to use weaker passwords than they would otherwise. Thanks for your feedback on this!

  • prime
    Community Member
    edited April 2019

    @prime: I get where you're coming from, but that sounds like a lot of work. And, frankly, it's better for security to just use something random. Users having direct "control" over the composition of passwords is exactly the problem that 1Password was created to solve. The less human interference, the better the password. It takes only a few clicks to refresh/regenerate until you get a password with the specific number of digits needed, and then you've got a password that's still got great entropy. I think the new 1Password mini design in the Mac app makes that more accessible too. I'd be curious to hear what you think if you're able to try the beta.

    @brenty I shouldn’t have to keep clicking until I get the right password. I really don’t have a Mac anymore (especially for work), I’ve been using Windows (sadly) lately.

    At the end of the day, I can't remember the last time I encountered a website that only allowed a specific number of digits/symbols (even testing websites that customers mention -- though I often see some that require at least one digit), so it's helpful to know that you're encountering this somewhere even now. I'm just not sure it's reasonable to go back to the old method (which results in less entropy and therefore weaker passwords) because a handful of people are running into this limitation with a few specific sites, but it's absolutely something we'll keep in mind as we continue to iterate on the password generator design.

    How do you know people are making weaker passwords? This way has worked for how many years? I deal with a lot of old-fashioned issues at work and companies we work for. They will not change anytime soon, and they feel it’s cheaper to fix a breach than to update all of their systems. I said before, one program I use is a black screen and a green cursor.

    The real concern is that most people (though I doubt not you) who encounter something like this once would set their digits to "1" and leave it there indefinitely. So it's tough to justify making a change like this which could affect a large number of users just to help a few. But I do think it would be nice if we find a way to give more control in general with the password generator while avoiding these kinds of pitfalls that effectively make everyone more prone to use weaker passwords than they would otherwise. Thanks for your feedback on this!

    Again, It wasn’t an issue for 10 years and suddenly it is?

    Again, it’s big companies who don’t want to spend money to update their system.

    Sadly, 1Password will not work now for my company. We have about 30-40 office people who would be getting it, but it won’t work for us now. I know we can’t be the only company who has this issue too. Also, a 25 random character password with 1 number is still better than making up your own password. There are sites that will only allow letters still. Best Buy just updated theirs maybe a year or 2 ago? It was only 18 letters also. One site I use for work only lets me pick 8 letters and numbers. Next thing I know you guys will feel all passwords should be at least 15 characters, and I can’t make 8 characters anymore.

    Even the US government uses old operating systems, imagine what big corporations do to save money, I’ve seen it.

    I feel like you guys are pulling an Apple thing here. They have USB-C on all of their laptops, because USB-C is the future, while the world isn’t ready yet. And now we have to use workarounds (dongles).

    You guys removed WLAN Sync from users, and now remove the ability to make the password we need to work for certain sites.

  • AGAlumB
    1Password Alumni
    edited April 2019

    I shouldn’t have to keep clicking until I get the right password. I really don’t have a Mac anymore (especially for work), I’ve been using Windows (sadly) lately.

    @prime: I hear you. We'll be improving the Windows app too to have the password generator be more accessible, similar to what we're doing on the Mac. I'm sorry we don't have a beta with a new mini design yet there though.

    How do you know people are making weaker passwords? This way has worked for how many years? I deal with a lot of old-fashioned issues at work and companies we work for. They will not change anytime soon, and they feel it’s cheaper to fix a breach than to update all of their systems. I said before, one program I use is a black screen and a green cursor.

    Limiting a password to only a set number of digits is always going to result in a weaker password than not limiting it. Since each position could potentially be a digit (or any of the other allowed characters, rather than just a subset of them), it increases the search space of a brute-force attack considerably. The way the password generator worked before was a holdover from a time 1) when these kinds of legacy password restrictions were more common, 2) there were actually (ill-conceived) standards that recommended these kinds of practices (no longer the case), and 3) we hadn't come up with a better password generation technology. Put more succinctly, it was easier for us to generate passwords the old way before, and there was also greater need for what we're discussing here. We don't have any control over others' poor security policies/practices (or we'd change them in a heartbeat), and it's also our job to move security forward, not backward. I really don't think that a few clicks every few months is terribly onerous, but I am sorry for the inconvenience. As mentioned already, it's something we'll continue to evaluate. If we can find a solution that helps with this narrow use case without encouraging others to use weaker passwords, I think that would be worth doing.

    Again, It wasn’t an issue for 10 years and suddenly it is?

    I don't think there's anything sudden about it. The security landscape has undeniably shifted since the past decade. Practices which were the norm back then no longer are, being recognized as both unsafe and, ultimately, costly. We're developing the new password generator based on the present, not the past.

    Again, it’s big companies who don’t want to spend money to update their system.

    I understand that is the case for some big companies, but certainly not as a rule.

    Sadly, 1Password will not work now for my company. We have about 30-40 office people who would be getting it, but it won’t work for us now. I know we can’t be the only company who has this issue too.

    Ultimately it's up to the company, but I don't see how that follows logically. Even in a worst case scenario, where you're not able to use 1Password to create and fill passwords at all (this is actually more common than your specific use case, since some companies do not allow use of browser extensions, and/or use portals that actively prevent pasting), 1Password can still be used to save complex passwords so that they do not need to be remembered, which not only allows stronger ones to be used, but keeps them secure as well.

    But in your case, I suspect that you can create a suitable password using 1Password, save it in 1Password, and probably even fill or copy/paste it. Your objection seems to be that we're not designing the generator around the specific restriction of "X digits required". I can certainly understand that, given your specific use case, but we've got to think of all 1Password users, not just a subset, when designing the app -- especially something as fundamental as the password generator. So I think that "will not work" is a bit exaggerated, even if the fact that it works may not be enough if this is the only deciding factor for the company.

    Also, a 25 random character password with 1 number is still better than making up your own password. There are sites that will only allow letter still. Best Buy just updated theirs maybe a year or 2 ago? It was only 18 letters also.

    Until about 3 years ago one of my banks allowed only 10 characters. Many financial institutions especially have absurd, onerous, and just plain insecure "security" policies/practices. But that's never a valid argument in favour of weakening security for all 1Password users, no matter how it affects me personally. I don't think we'd be doing our job if we let the lowest (security) common denominator dictate what we sell to millions of others, both corporate and individual.

    One site I use for work only lets me pick 8 letters and numbers. Next thing I know you guys will feel all password should be at least 15 characters, and I can’t make 8 characters anymore.

    I think you know this is an exaggeration. :) It's more likely that passwords will go away completely before there is no longer anyone left who needs a short password for some reason, and length is easy to adjust without affecting entropy needlessly. And even if we did set the minimum to something longer than what you need, it's easy to use only part of the generated password. I'm sure you know that, but I think it's worth stating in context.

    Even the US government uses old operating systems, imagine what big corporations do to save money, I’ve seen it.

    Even the US government explicitly recommends against these kinds of practices:

    Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

    I feel like you guys are pulling an Apple thing here. They have USB-C on all of their laptops, because USB-C is the future, while the world isn’t ready yet. And now we have to use work around (dongles).

    This really isn't a forum for that kind of debate.

    You guys removed WLAN Sync from users, and now remove the ability to make the password we need to work for certain sites.

    We haven't removed WLAN Server. But we're always going to make decisions based on consideration of all 1Password users collectively and in the context of the current security landscape. [edited to restore the part in italics -- not sure what happened when posting]

    And, as I mentioned, you should still be able to get an allowable password without the specific control you're looking for, which has ramifications for 1Password users outside this discussion. I say "should" because I don't have all of the specifics. But I am able to get a (fully random) 30 character password with only a single digit in about 3-5 tries in the Mac beta, as a concrete example. If the length is restricted as well, it may take fewer tries. I know that's more than a single click, but when you could just set "digits" to "1", it was easy to end up generating passwords with only a single digit for all websites. Even if you didn't do that yourself, and adjusted the settings for each site to max things out, the vast majority of people don't, so we need to take that into account when designing 1Password.

  • prime
    prime
    Community Member

    @brenty
    Maybe I misunderstood something, so the mini will have the full generator?
    I’ll make this short, I only brought up Apple to compare them thinking “we know what is best” thinking, and that’s how I feel you guys are doing. I feel like you guys are also doing “we know what’s best for you, and you can’t be trusted to make good passwords with the generator we provide”.

    For work, I can’t recommend something that won’t work for us. As of now, I have to use a workaround. I will show the owner this, what I have to do for at least one of the sites, and let him decide.

    Funny, the US government is doing “do as I say, not as I do”. We have a few government sites also, and they don’t follow their own rules. I wish I could show you what I deal with. We are just 1 of probably a few 100 companies that deal with these issues working for these other companies.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: We can't reasonably expect all (or even most) people -- our friends and family included -- to make good passwords with 1Password if we don't take care to make these kinds of decisions. I get where you're coming from, but can you really say that generating passwords with potentially more than one digit isn't the best thing for everyone? It seems like the problem you're facing stems not from 1Password -- not from decisions we've made -- but from something else entirely. I think we both know this is best. If it didn't happen to be a pain point for you due to things outside of your control, I suspect you'd be arguing the other side. That isn't hypocritical; it's pragmatic. We'll both be happier if these practices ended once and for all.

    I'd encourage you to demonstrate how useful 1Password is overall, rather than focusing your demonstration on what is really an edge case in 2019 (and for good reason): systems that only allow for a single digit. I understand that you would need to deal with this every 90 days or so. But after a few clicks, for the other 89 days, you've got a long, strong, unique password saved securely in 1Password for you whenever you need it.

    I don't disbelieve you even a little bit. We interact with a lot of companies daily, many with very onerous policies in place, some of which you might find even more absurd than your current situation. The updated NIST recommendations are certainly very new by the standards of bureaucracy, so I would be surprised if even a majority of government agencies adhere to them. Nevertheless, it's important that they've been published, and I think by the same token it's important that 1Password keeps skating to where the puck will be rather than where it has been. I don't deny that this is an inconvenience for you. I'm just saying let's not throw the baby out with the bathwater. Let's look at the big picture. Thanks for listening.

  • prime
    prime
    Community Member
    edited May 2019

    @brenty I have been thinking about this for a while:

    The real concern is that most people (though I suspect not you) who encounter something like this once would set their digits to "1" and leave it there indefinitely.

    Now you can turn off numbers completely... who says a person didn't turn off the numbers completely for whatever site and forget to turn the numbers back on? Same concept as a person who set the numbers to “1” and forgets to turn it back to something higher. Am I right?

    I’ve learned people who use password managers are a different breed. Even my mother-in-law, who seems to break technology (lol), pays attention to the count of things when making a new password.

    Going back to my original post. I feel like (I could be wrong) you guys are going the route of “we know what is best for you”, and it was one of the reasons why I don’t use iCloud Keychain. Because that’s how it used to be on iOS when it was first launched, and one of the reasons why I came to you guys. You guys have a lot of advanced users, at least let us have the advanced settings (like in the advanced tab in settings). Basic is just that... basic. Advanced, we have control of how passwords are made.

This discussion has been closed.