macOS CMD-\ floating menu password generation recipe options

wagnerone
wagnerone
Community Member
edited May 2020 in Mac

A while ago I noticed the reduction of options in the CMD-\ pop-up password generation recipe.

Namely one cannot specify how many special characters or numbers. I remembered doing this in the past and thought it odd that it was removed, but then recently saw I could still do it in iOS and in the 1Password macOS client when creating new passwords.

Were these passwords recipe options present and removed at some from the CMD-\ pop-up window?

If so, please consider adding or restoring this feature.

Of the 3 ways I can generate a new password, I do it 90% of the time in the CMD-\ pop-up, so having the "advanced" options available there is important.

Thanks!
Mike


1Password Version: 1Password 7 Version 7.5.1.BETA-0 (70501000)
Extension Version: Not Provided
OS Version: macOS 10.15.4
Sync Type: Not Provided

Comments

  • Hi @wagnerone

    "On" or "off" is the way we've decided to standardize these options in the password generator across all access points. It hasn't been implemented that way everywhere yet, but that is where we're heading.

    Ben

  • wagnerone
    wagnerone
    Community Member

    Nooooo! Please take your time spreading this limitation everywhere else!

    Mike

  • @wagnerone,

    What is your use case where you want / need to be able to specify an exact number of each that are used? The reason for the change is that specifying how many decreases entropy (randomness) and as such is an overall decrease to generated password strength.

    Please let me know. While these specific options are unlikely to change at this point there may be other things we can do to help.

    Ben

  • wagnerone
    wagnerone
    Community Member

    I'm thinking of a case where I am generating passwords for an app database login where I know it may be used in cases where we may have to manually key it in or use it in a script using Vault or some such and I don't necessarily want a whole mess of special chars. I want the minimum. Maybe not the best example, but something like this.

    I'm unsure how letting me adjust it manually decreases the entropy. I just did a test where I clicked "special characters" on and off several times and the number of special characters changed each time. Is that therefore maximum entropy each of those times despite the number of special chars being different each time? Explain like I'm 5. :)

  • Thanks for sharing @wagnerone. Using the 'words' recipe may be more advantageous for passphrases that you have to remember or type. Might be worth considering. :)

    I've asked our security team to chime in about the entropy issue, as they are the ones guiding those types of decisions. They're a little backed up at the moment but hopefully they'll be able to provide a better explanation than I could. :+1:

    Ben

  • wagnerone
    wagnerone
    Community Member

    Thanks, @Ben - I appreciate it. It seems backwards for such a powerful tool like 1Password to reduce options. Sometimes I go to sites that want 2 numbers and 1 special character or some such too. Not having a way to specify such may require extra fiddling.

  • I understand it may seem counter-intuitive, but I've been assured that from a security perspective it makes sense. Hopefully someone from the security team will be able to jump in with further explanation. :)

    Ben

  • DanielP
    DanielP
    1Password Alumni
    edited May 2020

    @wagnerone:

    First of all, thank you for your patience while we got back to you on this. As Ben said, it's been quite busy lately, so it took me more than I would have liked to get back to your question.

    I'm unsure how letting me adjust it manually decreases the entropy. I just did a test where I clicked "special characters" on and off several times and the number of special characters changed each time. Is that therefore maximum entropy each of those times despite the number of special chars being different each time? Explain like I'm 5.

    The general idea is that adding more rules to your password makes your password less random. Let's take an edge case as an example: take a password of length 1. If you pick your password characters out of the whole pool of uppercase letters, lowercase letters, symbols, and numbers that are available to you, you have the same probability of getting an uppercase letter, a lowercase letter, a symbol, or a number as a result. In other words, each character has the same probability of being picked. In the case of the English alphabet with 10 symbols and digits, your probability is 1/72 (26+26+10+10). So you have 72 possible passwords as a result.

    Now imagine you tell 1Password that for this one-character password, you only want a number. By adding a rule, you are lowering the number of options available to you to only 10 (the digits from 0 to 9). So by adding a constraint to your password recipe, you are lowering your password entropy. The probability to pick a letter or a symbol becomes zero, while the probability to pick a random number is 100%.

    You can extend this edge example to other passwords: if you tell 1Password to use a certain number of symbols or digits, the password generator won't be able to pick freely from the character pool. For certain units of the final password, you are limiting the password generator into picking units from specific, smaller pools (e.g. digits or symbols) instead than from the larger character pool.

    ===
    Daniel
    1Password Security Team

  • wagnerone
    wagnerone
    Community Member

    Thanks @DanielP. I appreciate the detailed response and it makes sense.

    For my other use case "Sometimes I go to sites that want 2 numbers and 1 special character or some such too. Not having a way to specify such may require extra fiddling.", is the recommended method of handing this situation to hand edit the generated password?

    Thanks,
    Mike

  • DanielP
    DanielP
    1Password Alumni

    @wagnerone:

    Yes, in this case manually editing the generated password is the way to go (that is the approach I also personally follow when I find myself having to deal with such a website). In an ideal world, there would be no websites with such password limitations, but we have to work with what we have ;)

    ===
    Daniel
    1Password Security Team

This discussion has been closed.