Password "recipe" functionality removed?

verdi1987
verdi1987
Community Member
edited April 2023 in 1Password 3 – 7 for Mac

In Version 7.7.BETA-7 (70700007), I am no longer able to specify how many numbers and symbols I want in my generated passwords. Is this functionality gone? I relied on that every time I generated a password.


1Password Version: 7.7.BETA-7
Extension Version: Not Provided
OS Version: macOS 11.0
Sync Type: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @verdi1987!

    If I am not mistaken, this changed a few versions ago already, I don't believe it's a change in Beta 7. Indeed, looking at the changelog, the only change in Beta 7 was for the inline menu:

    Fixed an issue that could cause the inline menu to errantly report that it is locked after unlocking 1Password.

  • @verdi1987,

    In 1Password mini? In the browser?

    The only change that I can think of is that you're talking about the main window, in which case yes, that functionality is gone. The unified password generator has made it to the main window as of 7.7.BETA-3 and will be coming to 1Password for iOS as well.

    The main 1Password editor now uses the improved Strong Password Generator. {#2564}

    If you need a password with symbols and digits, i'd recommend the Memorable password type with the "Digits and Symbols" separator selected.

  • verdi1987
    verdi1987
    Community Member

    @rudy, Yes, in the main window.

    Thanks, I will try the Memorable option.

  • titanred
    titanred
    Community Member

    Why was the option for this removed? I understand wanting the default password generation to use an improved algorithm, however I would still like to be able to set my own complexity requirements. Not only defining how long a password should be, but also how many numbers and symbols. It seems like a trivial feature to include for those that want stronger passwords with custom complexity requirements, especially since the feature used to exist.

  • Specifying a specific number of digits / symbols generally causes a reduction in entropy. The more influence one has over the makeup of the password, the less random it will be. That is why we're moving in the direction of checkboxes to either allow or disallow digits / symbols, instead of sliders to specify a specific number of them.

    Ben

  • tewha
    tewha
    Community Member

    I hope you're eventually able to read the site's password rules, too. I would like to not have to think of any of this. ;)

  • @tewha,

    The inline menu in Safari already does that when using the inline menu's generate password field, it is also hooked into Apple's GitHub repository of known password requirement quirks. I'm hoping to bring similar functionality to the full 1Password mini password generator in the future.

  • tewha
    tewha
    Community Member

    Good stuff, Rudy. :)

  • :+1: :)

    Ben

  • titanred
    titanred
    Community Member

    on the topic of entropy, I'd like to make a feature request. In the password recipe, can there be a display that show the bits of entropy? Similar to what keepass does?

    While I understand the password generator recipe has its own algorithm, there are times where one generated password could potentially have significantly less entropy than another. Also something that I've noticed with the new generator in 7.7 is that there are times where a password will only be generated with 1 symbol and 1 number, even for a 25 character password

  • ag_ana
    ag_ana
    1Password Alumni

    @titanred:

    Thank you for the feedback! I have passed your request to the developers for consideration :)

    ref: dev/projects/customer-feature-requests#177

  • random_commenter
    random_commenter
    Community Member

    Sometimes I don’t necessarily want the most secure password if it’s for a site that I’m rarely going to use or doesn’t contain important personal information, I just want a password that’s unique so that if the site is compromised, they can’t use the same password to access sites that I do care about. In these situations, I thought the ability to choose the numbers and symbols and the unambiguous character options were great, because sometimes for less well-designed sites, I need to type the password on an iPhone keyboard and it’s easier to do when I don’t have to enter too many symbols or digits and it’s easy to read. For this use case, I was disappointed that this feature was removed, and it would be great if it could be restored. Thx!

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @random_commenter! For reasons already stated in this thread and others, I can say pretty definitively that we won't be bringing back that kind of granular control over password composition. However, you'll find overall that the number of digits and symbols tends to be considerably fewer than the number of letters in a given password. You can also always manually edit the created/suggested password yourself, before accepting it, or you can continue to generate until you find one that's to your liking. I might also suggest turning off both symbols and numerals, to make typing easier on any sites you've determined have lower security needs/requirements.

  • random_commenter
    random_commenter
    Community Member

    Ok. But a lot of sites require 1 digit and occasionally one symbol, which is why this was useful.

  • Lars
    Lars
    1Password Alumni

    @random_commenter - I understand, and I'm sorry this will inconvenience you on those times when you want to choose a more-configurable password. I would always go with the stronger option in such cases, but if you're still interested in doing it the way you described, I'd just keep hitting generate until you get one that's close enough for you, then manually edit the symbol/numeral or two until you have something that suits you.

  • random_commenter
    random_commenter
    Community Member

    Thx. That’s what I do, but it’s pretty annoying, which is why I took the time to set up this account, because I actually like and care about your product, so that I could complain, and it looks like you’re aware that other people are unhappy about this decision too. If there’s something magical about the new algorithm that wasn’t supported in the old, why not run it in a loop until the generated password meets the user-specified criteria, that they know is less secure, instead of forcing the user to do this manually and check the result visually. It seems like something that a computer would be good at. Not to be snarky, but it’s like going to a restaurant that serves burgers and kale where people are enjoying both, but then forcing everyone to eat kale because a nutritionist thought it would be healthier if everyone ate kale even when people just want a burger (and then asking them to add a bunch of seasonings to make it palatable).

  • Lars
    Lars
    1Password Alumni

    @random_commenter - Thank you for taking the time to share your perspective with us on this. We’ll continue to look for ways we can increase/maintain security while also making it more likely that generated passwords will be accepted on the first shot.

  • titanred
    titanred
    Community Member

    Wanted to chime in here as I've been testing the new password generator more since 7.7 went GA..

    1. With a 25 character password, there are still times when a password is only generated with 1 symbol and 1 number, the rest of the password being alphabetical characters
    2. With regards to symbols, I've noticed that only the most common symbols are now being used. With v7.6, more obscure symbols were being used for generated passwords and I no longer see those in v7.7 (e.g. less than, greater than, brackets, carrots, tilde, and more...)
  • Lars
    Lars
    1Password Alumni

    @titanred - both of these things are intentional. There are very few sites out there which require users to include more than one symbol or digit. A great many require one or both of these, but don't specify how many (or explicitly specify just one or more if desired). And yes, we consciously reduced the symbols to a smaller subset of the most-commonly required ones, since that is one of the major pain points where users would have to either regenerate a password multiple times or manually edit to remove an "illegal" symbol that was generated by 1Password's generator. You can read some of the thinking behind this in this post by our Chief Defender Against the Dark Arts (AKA: Security Team Lead), Jeff Goldberg.

This discussion has been closed.