Good password ranked as terrible?
Comments
-
:+1: :)
0 -
I'm not sure if this covered by any of the points raised above. Today I saw 1Password indicate that a saved password (not randomly chosen by 1Password) was "excellent" and then later in the day this was changed to "terrible". I was surprised to see the strength indicator change like that.
0 -
That's definitely not one I've heard of before, @Michael Mercurio. To clarify: the password hasn't changed? There is nothing recent in the password history at the bottom of the item? Was the item modified in any other way?
Please let me know.
Ben
0 -
Thanks, @Ben, It was a new password that I recently changed for an existing entry. When I entered the new password it was "fair." I then modified it slightly (made it longer) and saved it again and got "excellent." I know it was "excellent" because I was playing around with changing the password trying to get a higher indicator rating.
When I happened to notice it a few hours later it indicated "terrible."
I did also make some other changes to the entry. I modified the notes field and added new text fields to note security questions.
Cheers,
Michael0 -
Thank you for the additional information. I have tried to reproduce this but I couldn't so far. Please let us know if you notice this another time too, or if you find a way to trigger this on demand. I will keep testing, but I would be happy to test any steps you think might be causing this :+1:
0 -
Here's exactly what I did, which I'm able to reproduce. The steps are a bit lengthy because all of the attempts to simply it have resulted in me not able to reproduce it. I suspect it has something to do with duplicate password detection and resolution.
Steps:
1. create a test login entry with any password. This is the entry I intend to change. I used https://example.com as the website, but I don't think it matters.
2. create a new password entry. This is the password I intend to change the previous entry to. The password is typed (not random.) The password I used is 18 characters long, it doesn't have any correctly spelled English words, it has numbers, and and 3 non-alphanumeric characters. Once saved, this password is indicated as "Excellent."
3. Copy the password created in step 2 to the original login password created in step 1. Both passwords are now flagged as duplicates.
4. Move the password entry created in step 2 to the trash. Now the original login password in step 1 is indicated as "Terrible."In step 4, I've also tried modifying the test password entry to a different password to resolve the duplicate, which has the same effect.
0 -
Definitely, there is an error in the algorithm. I would not rely much on automatic ways to detect a good or bad or terrible passwords. In the end, a good password would be the one that stands against breaking attempts.
0 -
Thank you for the steps! I actually got a slightly different result after I followed them: the login item shows no strength at all, so there is definitely something strange happening here. Since this involved creating a separate Password item (which is one of the original scenarios where this bug appeared), it is very possible that this is related.
0 -
I would not rely much on automatic ways to detect a good or bad or terrible passwords. In the end, a good password would be the one that stands against breaking attempts.
Thank you for your feedback! How would you suggest doing this, without doing it automatically?
0 -
Well, what I was saying is more for people who take security seriously and give it sufficient time and effort. Of course, automatic password strength checks should be there (and they should work smoothly :) ), but the person using them needs to understand what s/he is doing and why.
If I enter a long (10+ chars, or better 20 chars) and it contains A-Za-z0-9, and no dictionary words, and then the program tells me it is TERRIBLE, I know it is something wrong with the program, not the password. That's what I meant by "not rely too much". Let's change it to "not blindly trust".
0 -
Got it, thank you for the clarification :+1:
If I enter a long (10+ chars, or better 20 chars) and it contains A-Za-z0-9, and no dictionary words, and then the program tells me it is TERRIBLE, I know it is something wrong with the program, not the password.
Indeed, this is a bug with the password strength meter itself: the password is strong, but the meter is not updated accordingly :+1:
0 -
So here's a new one I haven't seen before: I changed the password which was previously identified as "Terrible" to something different. The new password is unique, but again not randomly chosen by 1Password.
The password strength is indicated as.... well, actually there is no password strength indication. Weird.
0 -
We'd like to investigate this case in more depth. Could you please do the following for us:
- Enable Preferences > Advanced > Copy JSON
- Select the item in question, with the missing rating
- Select Item > Copy JSON from the menu bar and paste it somewhere temporarily for safe keeping
- If this is a password that you're actually using for a service, change the password prior to sending us the JSON (as it will contain the password)
Then I'd like to ask you to create a diagnostics report from your Mac:
Sending Diagnostics Reports (Mac)
Attach the diagnostics to an email message addressed to
support+forum@agilebits.com.With your email please include:
- A link to this thread:
https://1password.community/discussion/comment/577881/#Comment_577881 - Your forum username:
Michael Mercurio - The JSON from the item
That way I can "connect the dots" when I see your diagnostics in our inbox.
You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so I can track down the diagnostics and ensure that this issue is dealt with quickly. :)
Once I see the diagnostics I'll be able to better assist you. Thanks very much!
Ben
0 -
Thanks, @Ben!
For your reference, the Support ID: [#GAV-56423-815]
0 -
Thank you!
Ben
ref: GAV-56423-815
0
