Passphrase question

LarryMcJ
Community Member
edited August 2020 in iOS

I decided to start using passphrases for new logins but encountered a problem. Most sites require at least one special character and one number. 1Password doesn’t add either of these to newly-generated passphrases.

Editing the passphrase isn’t easy. I can reveal the passphrase but I only see the obfuscated dots in the edit field above the displayed passphrase and can’t select where I want to add a number or special character. It would be nice to be able to change the passphrase recipe, as with new passwords.

Comments

  • ag_ana
    1Password Alumni

    Hi @LarryMcJ!

    You are right that currently it's not very easy on iOS to modify passwords this way, perhaps this is something we are going to be able to improve on someday :+1:

    I can reveal the passphrase but I only see the obfuscated dots in the edit field above the displayed passphrase and can’t select where I want to add a number or special character.

    One question for you however: if the website requires you to use a number and a special symbol, does it matter where this number or symbol is in your password? Meaning, no matter where you end up putting these characters, 1Password will store that information and fill it for you later anyway. Have you found a website where the location of characters is important?

  • LarryMcJ
    Community Member

    I doubt a site would ever specify a location. I currently just position the cursor between two dots and add a number and special character. But adding multiple numbers and special characters is still a pain point I wouldn’t expect from the best password manager, especially since you already have a way to add these in new passwords...just not with passphrases.

  • ag_ana
    1Password Alumni

    @LarryMcJ:

    Thank you for the confirmation! I thought I'd clarify since you specifically mentioned this in your first post:

    can’t select where I want to add a number or special character.

    Which made it sound like choosing the location was exactly what you wanted to do :+1:

  • LarryMcJ
    Community Member

    Thanks for considering a fix for this someday. I was going to change all my passwords to passphrases, but I think I’ll wait 🙂

  • ag_ana
    1Password Alumni
    edited August 2020

    Luckily more and more websites are accepting word-based passwords @LarryMcJ without requiring special characters or numbers, so things should get easier if you would like to continue down this path ;)

  • LarryMcJ
    Community Member

    I'll probably give it a try and see how many allow it. Perhaps hyphens between words will suffice for the special characters and all I'll need to add is a number or two for the sites that still require these. Thanks, again.

  • ag_ana
    1Password Alumni

    @LarryMcJ:

    Perhaps hyphens between words will suffice for the special characters

    Exactly! :+1:

    And you are very welcome! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • williakz
    Community Member

    @LarryMcJ, careful with hyphens. Sounds good, but they can be a bit of a pain to enter using iOS "keyboards."

  • careful with hyphens. Sounds good, but they can be a bit of a pain to enter using iOS "keyboards."

    I haven't found it particularly painful myself, but that's a consideration I suppose. :)

    To add: a character-based password of the same length as a words-based password is going to have more entropy and thus be stronger. Unless there is good reason to use a words-based password (e.g. having to memorize it, having to read it over the phone, etc) characters is still the recommended recipe in most cases.

    Ben

  • LarryMcJ
    Community Member
    edited August 2020

    I would agree...but when I started changing over 200+ passwords to passphrases and the first six all required "at least one special character and one number" and a couple of them added "one upper case letter" to the mix, I thought I'd stop and ask. Actually, the hyphen included between words should suffice for the special character so all that's needed is an upper case and a number. If it happens, fine...if not, I'll figure out another way. Thanks, Ben.

  • Sure thing @LarryMcJ. While we're on the subject, would you mind sharing what your motivation for using the 'words' recipe is, vs the 'characters' recipe?

    Ben

  • LarryMcJ
    Community Member

    It started out as a need to actually remember one password without storing it anywhere. Then I started reading the pros and cons of passwords vs. passphrases and the general consensus (from the sources I trust) was that passphrases of the same length, and which included the variants we've discussed earlier in this thread, are a "little bit" better than passwords.

    It really doesn't matter that much which I use, so since I also trust you a lot...what's your take?

  • Interesting. I had been under the opposite impression. I'm going to see if our security team can chime in here and provide any clarification. :)

    Ben

  • LarryMcJ
    Community Member

    I'll likely be swayed one way or the other based on what they say. I Googled "passphrase vs passwords 2020" and arbitrarily selected about six articles, of which four preferred passphrase. Again, I only "need" to remember one password, so either way works for me.

    FWIW, the iCloud Keychain password generator uses a three-word passphrase scheme with one capital letter and one number, and the hyphen is the special character. Not that it means anything in the "which is best" question.

  • I have no doubt passphrases are better (for practical reasons) if not using a password manager, however my (admittedly perhaps limited in this case) understanding was that 'character' based passwords provided a higher level of security, assuming the same length. Hopefully Lars or one of my other colleagues on the security team can jump in. :+1:

    Ben

  • Lars
    1Password Alumni

    @LarryMcJ - it's all about the keyspace if what you're looking for is highest overall security. As Ben mentioned, there are other considerations (such as memorableness) that might tip the scales in favor of passphrases, but if you have X characters total, then in general the greater the keyspace, the greater the entropy. ASCII printable is 94 characters: (26 upper, 26 lower, 0-9 plus 32 symbols, and space). Using a passphrase would presume only 53 characters (if you include space). If you're going to make a memorable, passphrase password, just make sure it's at least three words, preferably four. Fourteen characters or more.
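
The keyspace comparison above, worked through as an added example that is not part of the original thread and is not 1Password's generator code. It builds a hyphen-separated passphrase with one capital and one digit (the recipe discussed earlier in the thread), checks it against the "upper, lower, number, special" rule, and compares its entropy with a random character password over the 94-symbol set. Assumptions: the function names and the 16-word sample list are constructed for illustration, and 7776 is used as the word-list size (the size of the EFF long diceware list).

```python
import math
import secrets
import string

# Constructed 16-word sample list; a real generator draws from thousands of words.
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "forest", "garnet",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pepper"]

def passphrase(words=WORDS, n_words=4, sep="-"):
    """Random words joined by sep, one capitalized, one with a digit appended."""
    picks = [secrets.choice(words) for _ in range(n_words)]
    cap = secrets.randbelow(n_words)
    picks[cap] = picks[cap].capitalize()
    picks[secrets.randbelow(n_words)] += secrets.choice(string.digits)
    return sep.join(picks)

def meets_policy(pw):
    """The composition rule quoted in the thread: upper, lower, number, special."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def passphrase_bits(list_size, n_words=4):
    """Entropy when the attacker knows the recipe and the word list."""
    return (n_words * math.log2(list_size)   # which words were drawn
            + 2 * math.log2(n_words)         # which word is capitalized, which gets the digit
            + math.log2(10))                 # which digit was appended

def char_password_bits(length, alphabet=94):
    """Entropy of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    pw = passphrase()
    print(pw, len(pw), meets_policy(pw))
    print(round(passphrase_bits(7776), 1))        # 4 words from a 7776-word list
    print(round(char_password_bits(len(pw)), 1))  # same length, random characters
```

Under these assumptions a four-word passphrase carries about 59 bits regardless of how many characters it spans, while a random character password gains about 6.55 bits per character, so it passes that figure at ten characters.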

  • LarryMcJ
    Community Member

    Thanks, Lars. Actually, I could care less about memorableness...except for the one single password I need to remember. For the logins in 1Password, I'm looking for the highest overall security. What I normally try to do is use a password, 48 characters in length, upper and lower case, at least five numbers and five special characters. Then if the site doesn't allow for that, I decrease the overall number of characters to fit with the site's max character limit.

    I think what I'm taking away is that I should probably just keep this methodology except for the one memorable password I need. Correct?

  • That does indeed sound like a reasonable approach. :+1: :) I usually only recommend switching to using the words recipe for instances where credentials need to be memorized (e.g. the passphrase to unlock your device) or other special circumstances. They definitely have a time and a place, which is why we implemented that recipe, but likely should not be considered a wholesale replacement for the character recipe. :+1:

    Ben

  • LarryMcJ
    Community Member

    Thanks!

  • Lars
    1Password Alumni

    @LarryMcJ - for whatever it's worth, I'd also avoid publishing the exact recipe you use online anywhere (like here).

  • LarryMcJ
    Community Member

    Agree. That’s why I always lie in my examples 🙂

  • Good idea! Same for security questions. :)

    Ben

  • williakz
    Community Member

    My hyphen nit was specific to iPad's virtual "keyboards." Periods or commas work instead of hyphens and are on the same iOS keyboard as regular letters (one keystroke instead of three for me).

This discussion has been closed.