Passphrase question

LarryMcJ Senior Member
edited August 21 in iOS

I decided to start using passphrases for new logins but encountered a problem. Most sites require at least one special character and one number. 1Password doesn’t add either of these to newly-generated passphrases.

Editing the passphrase isn’t easy. I can reveal the passphrase but I only see the obfuscated dots in the edit field above the displayed passphrase and can’t select where I want to add a number or special character. It would be nice to be able to change the passphrase recipe, as with new passwords.

Comments

  • ag_ana

    Team Member

    Hi @LarryMcJ!

    You are right that currently it's not very easy on iOS to modify passwords this way. Perhaps this is something we are going to be able to improve on someday :+1:

    > I can reveal the passphrase but I only see the obfuscated dots in the edit field above the displayed passphrase and can’t select where I want to add a number or special character.

    One question for you however: if the website requires you to use a number and a special symbol, does it matter where this number or symbol is in your password? Meaning, no matter where you end up putting these characters, 1Password will store that information and fill it for you later anyway. Have you found a website where the location of characters is important?

  • LarryMcJ Senior Member

    I doubt a site would ever specify a location. I currently just position the cursor between two dots and add a number and special character. But adding multiple numbers and special characters is still a pain point I wouldn’t expect from the best password manager, especially since you already have a way to add these in new passwords...just not with passphrases.

  • ag_ana

    Team Member

    @LarryMcJ:

    Thank you for the confirmation! I thought I'd clarify since you specifically mentioned this in your first post:

    > can’t select where I want to add a number or special character.

    Which made it sound like choosing the location was exactly what you wanted to do :+1:

  • LarryMcJ Senior Member

    Thanks for considering a fix for this someday. I was going to change all my passwords to passphrases, but I think I’ll wait 🙂

  • ag_ana

    Team Member
    edited August 21

    Luckily more and more websites are accepting word-based passwords @LarryMcJ without requiring special characters or numbers, so things should get easier if you would like to continue down this path ;)

  • LarryMcJ Senior Member

    I'll probably give it a try and see how many allow it. Perhaps hyphens between words will suffice for the special characters and all I'll need to add is a number or two for the sites that still require these. Thanks, again.

  • ag_ana

    Team Member

    @LarryMcJ:

    > Perhaps hyphens between words will suffice for the special characters

    Exactly! :+1:

    And you are very welcome! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • @LarryMcJ, careful with hyphens. Sounds good, but they can be a bit of a pain to enter using iOS "keyboards."

  • Ben AWS Team

    Team Member

    > careful with hyphens. Sounds good, but they can be a bit of a pain to enter using iOS "keyboards."

    I haven't found it particularly painful myself, but that's a consideration I suppose. :)

    To add: a character-based password of the same length as a words-based password is going to have more entropy and thus be stronger. Unless there is good reason to use a words-based password (e.g. having to memorize it, having to read it over the phone, etc) characters is still the recommended recipe in most cases.

    Ben

  • LarryMcJ Senior Member
    edited August 24

    I would agree...but when I started changing over 200+ passwords to passphrases and the first six all required "at least one special character and one number" and a couple of them added "one upper case letter" to the mix, I thought I'd stop and ask. Actually, the hyphen included between words should suffice for the special character so all that's needed is an upper case and a number. If it happens, fine...if not, I'll figure out another way. Thanks, Ben.

  • Ben AWS Team

    Team Member

    Sure thing @LarryMcJ. While we're on the subject, would you mind sharing what your motivation for using the 'words' recipe is, vs the 'characters' recipe?

    Ben

  • LarryMcJ Senior Member

    It started out as a need to actually remember one password without storing it anywhere. Then I started reading the pros and cons of passwords vs. passphrases and the general consensus (from the sources I trust) was that passphrases of the same length, and which included the variants we've discussed earlier in this thread, are a "little bit" better than passwords.

    It really doesn't matter that much which I use, so since I also trust you a lot...what's your take?

  • Ben AWS Team

    Team Member

    Interesting. I had been under the opposite impression. I'm going to see if our security team can chime in here and provide any clarification. :)

    Ben

  • LarryMcJ Senior Member

    I'll likely be swayed one way or the other based on what they say. I Googled "passphrase vs passwords 2020" and arbitrarily selected about six articles, of which four preferred passphrase. Again, I only "need" to remember one password, so either way works for me.

    FWIW, the iCloud Keychain password generator uses a three-word passphrase scheme with one capital letter and one number, and the hyphen is the special character. Not that it means anything in the "which is best" question.

  • Ben AWS Team

    Team Member

    I have no doubt passphrases are better (for practical reasons) if not using a password manager, however my (admittedly perhaps limited in this case) understanding was that 'character' based passwords provided a higher level of security, assuming the same length. Hopefully Lars or one of my other colleagues on the security team can jump in. :+1:

    Ben

  • Lars Junior Member

    Team Member

    @LarryMcJ - it's all about the keyspace if what you're looking for is highest overall security. As Ben mentioned, there are other considerations (such as memorableness) that might tip the scales in favor of passphrases, but if you have X characters total, then in general the greater the keyspace, the greater the entropy. ASCII printable is 94 characters: (26 upper, 26 lower, 0-9 plus 32 symbols, and space). Using a passphrase would presume only 53 characters (if you include space). If you're going to make a memorable, passphrase password, just make sure it's at least three words, preferably four. Fourteen characters or more.

  • LarryMcJ Senior Member

    Thanks, Lars. Actually, I could care less about memorableness...except for the one single password I need to remember. For the logins in 1Password, I'm looking for the highest overall security. What I normally try to do is use a password, 48 characters in length, upper and lower case, at least five numbers and five special characters. Then if the site doesn't allow for that, I decrease the overall number of characters to fit with the site's max character limit.

    I think what I'm taking away is that I should probably just keep this methodology except for the one memorable password I need. Correct?

  • Ben AWS Team

    Team Member

    That does indeed sound like a reasonable approach. :+1::) I usually only recommend switching to using the words recipe for instances where credentials need to be memorized (e.g. the passphrase to unlock your device) or other special circumstances. They definitely have a time and a place, which is why we implemented that recipe, but likely should not be considered a wholesale replacement for the character recipe. :+1:

    Ben

  • LarryMcJ Senior Member

    Thanks!

  • Lars Junior Member

    Team Member

    @LarryMcJ - for whatever it's worth, I'd also avoid publishing the exact recipe you use online anywhere (like here).

  • LarryMcJ Senior Member

    Agree. That’s why I always lie in my examples 🙂

  • Ben AWS Team

    Team Member

    Good idea! Same for security questions. :)

    Ben

  • My hyphen nit was specific to iPad's virtual "keyboards." Periods or commas work instead of hyphens and are on the same iOS keyboard as regular letters (one keystroke instead of three for me).
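
The comparison discussed in the thread (characters recipe vs. words recipe at about the same length, plus the "one upper case, one number, one special character" site rules), as an added example that is not part of the original thread and not 1Password's or Apple's code. It assumes uniformly random generation, the 94-symbol alphabet from Lars's post, a 7776-word list for the entropy figure (a diceware-style size, chosen here as an assumption), and a constructed 16-word sample list for the generator itself.

```python
import math
import secrets
import string

# Constructed sample word list; a real generator draws from thousands of words.
SAMPLE_WORDS = ["amber", "basket", "copper", "dolphin", "ember", "forest",
                "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pepper"]

def char_entropy_bits(length, alphabet_size=94):
    """Entropy of `length` symbols drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def passphrase_entropy_bits(n_words, wordlist_size, capitalize=False, digit=False):
    """Entropy of a generated passphrase: only the random choices count."""
    bits = n_words * math.log2(wordlist_size)
    if capitalize:
        bits += math.log2(n_words)                  # which word is capitalized
    if digit:
        bits += math.log2(10) + math.log2(n_words)  # which digit, after which word
    return bits

def generate_passphrase(n_words=4, words=SAMPLE_WORDS, sep="-"):
    """Words joined by a separator, one capitalized, one followed by a digit."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    cap = secrets.randbelow(n_words)
    picked[cap] = picked[cap].capitalize()
    dig = secrets.randbelow(n_words)
    picked[dig] += str(secrets.randbelow(10))
    return sep.join(picked)

def meets_site_rules(pw):
    """Composition rules quoted in the thread: upper, lower, number, special."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def compare(n_words=4, wordlist_size=7776, avg_word_len=6):
    """Return (length, passphrase bits, character-recipe bits) at equal length."""
    length = n_words * avg_word_len + (n_words - 1) + 1  # words + separators + digit
    return (length,
            passphrase_entropy_bits(n_words, wordlist_size, True, True),
            char_entropy_bits(length))

if __name__ == "__main__":
    print(generate_passphrase(), compare())
```

The capital, digit and hyphens make the passphrase pass the site rules but add only a few bits; at equal length the characters recipe carries roughly three times the entropy under these assumptions.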
