Feature Request: Special characters allow list for password generation

viet
viet
Community Member

Problem

Many websites allow or require special characters, but only from a defined subset. There is no consistency across websites on what this list is, but usually it is shared to the user.

1password allows generation of passwords with n number of special characters. The collection of special characters used is defined by 1password and can include special characters not allowed by the website.

Solution

Allow the user to define an allow list of special characters to be used in the password generator


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @viet!

    Thank you for the feedback! My understanding is that this is something that we don't plan to do: we are trying to generate passwords that are as random as possible, and I was told that selecting specific items for the generated password gives you a lower password entropy.

    You can read more about this from our security team here, if you are curious :)

  • viet
    viet
    Community Member
    edited September 2020

    I understand the reasoning and I agree with you the best password is one of highest entropy.

    But if the website’s password validation does not accept the password because it denies certain characters then the random generator is useless. For example, lets say one website only accepts special characters from the following list: %#^?. It won’t accept a password with the character $. If the password generator outputs a password with the disallowed character it won’t be accepted by the website because it fails their validation.

    The best approach to this situation is to generate the best random password with the allowed characters that pass the website validation. Is it the most secured password? No it is not. But it is the most secured password allowed and validated by the website.

    Not allowing this forces the user to manipulate the randomly generated password to remove denied characters, which reduces the effectiveness of the password.

    I understand the stance you are taking, but I think it is a very rigid one that is not practical to the (what I believe) actual goal and purpose of the random password generator feature: to generate the most secured password which is validated by the tool/website/et cetera.

  • ag_ana
    ag_ana
    1Password Alumni

    @viet:

    I can say that in the latest 1Password for Mac beta we are exploring using the password rules information provided by Apple to make this automatic, so you still have the randomness while still following the rules of the specific website ;)

    Unfortunately some websites still decide to put these rules in place instead of just allowing all characters, but with the new rules database at least things will be easier for us users :)

  • viet
    viet
    Community Member
    edited September 2020

    I see. That is great to hear. Looking forward to seeing how well it addresses the case.

    Just from my personal viewpoint it is quite frustrating to generate a 64 character password string with x number of digits and y number of special characters, and then having to comb through the string to replace the denied special characters with one that is acceptable by the specific website.

  • ag_ana
    ag_ana
    1Password Alumni

    Understood, thank you for the feedback @viet :+1: :)

  • C_Welch
    C_Welch
    Community Member

    Upvote this request for viet’s! I have this problem all of the time. Thanks!

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the feedback as well @C_Welch :+1:

  • jjjjacob
    jjjjacob
    Community Member

    Bump. Has this been added, and I'm not seeing it?

    This is a legacy limitation of 1Password that needs to be addressed and is quite long overdue. Since first using 1Password in 2008 to now, this issue has always been limitation of the software. I need this tool to serve my needs, even when those needs are at odds with software designer's intentions.

    The password constraints are, after all, not my decision, but a decision which has been made by the website's policies makers. I am forced to bypass the functionality of this generator about 40-50% of the time (3 times this week), and that probably isn't making better passwords. The use-case for this feature in the pw generator is so frequent and solution so obvious. Please add a text box within the special characters section which can pass a discrete special character list in place of the default special character list.

    Thanks for any insights. Hope the feedback is truly being considered.

  • Hi @jjjjacob

    We don't have plans to go in that specific direction, however we have begun using Apple's password manager resources repo. This repo collects details about the requirements of various websites including which special characters are allowed in passwords so that all password managers can comply. You can read more about the repo here:

    apple/password-manager-resources: A place for creators and users of password managers to collaborate on resources to make password management better.

    When using the Smart Password option in the password generator within 1Password in the Browser, 1Password will suggest a password that is acceptable to the site, assuming it is in the repo:

    If there are sites where an appropriate password is not being suggested, it can be suggested for inclusion in the repo. You can either make that suggestion directly yourself, or we can do that on your behalf.

    Ben

  • jjjjacob
    jjjjacob
    Community Member

    Thanks @Ben for the prompt response. I will investigate that option. Certainly glad there is a solution implemented.

    ///jjjjacob

  • I'm glad Ben could help. Have a great evening!

This discussion has been closed.