Tweak password generator recipe

I recently came across a website which in addition to requiring the password to be long enough also put an extra restriction that only lower case letters and numbers could be used. I know that the recipes can be modified to take some restrictions into account but is there a way to fine tune which characters are allowed so that these arbitrary restrictions can be satisfied? Some sites have not only restrictions on what character classes may be used but may list specific characters which are allowed (for example letters, digits, or any of "@ ", "-", ".").

I tried to work around it by choosing the memorable password recipe with digits as separators but then I ran into the password length restriction of the site.



Comments

  • ag_yaron
    1Password Alumni

    Hey @kuriboshi ,

    You didn't mention which 1Password version you are using, but there's no option to use only lowercase or only specific symbols when generating passwords because that's just messing with the entropy of the password and making it weaker.

    My suggestion to you is to edit the generated password while you're in the generator:
    1. Get to the generator.
    2. Generate a new password.
    3. Click on the password itself while in the generator and edit it as you see fit.
    4. When you're done, click on Autofill or copy-paste it into the website.

    Hopefully we will see less and less of these weird requirements on websites as time goes by :)

  • kuriboshi
    Community Member

    Thanks @ag_yaron, I ended up doing something similar. Copying the password to somewhere where it was easier to edit and then copy and paste back to 1Password.

    It can be especially frustrating when a site doesn't specify the limitations of a password until you actually generate and enter one, sometimes requiring multiple roundtrips before successfully entering a password.

    And for completeness: 1Password 7.7 (70700016), macOS 11.2, Safari 14.0.3.

  • ag_yaron
    1Password Alumni

    Thanks for the additional details.

    In that case, no need to copy the password somewhere else and edit it - just edit it directly in the password generator.
    I hope that will do for now.

    And I agree that websites should specify requirements before a failed attempt, unless they have no requirements (except for minimum length) which is the best case scenario!

  • ag_yaron
    1Password Alumni

    Hey @Naxterra ,

    We used to have something like this long ago, but it was so darn confusing for most of our customers (as they are mostly not as tech-savvy as you) and therefore we have simplified things as much as possible.

    We've also learned that the more rules and restrictions you apply on a password recipe, the more it affects the password's entropy and randomness, which eventually results in weaker passwords. Any human intervention in a truly randomly generated password reduces entropy. However, I might agree with the argument that from a certain length (e.g. 18 characters and higher) this might be negligible.

    Thanks for the suggestion and feedback! As always we will stay tuned and if many users ask for such features we will consider them if possible. :+1:
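
An added example, not part of the thread and not 1Password's code: it generates a password from a site's allowed character set without hand-editing and measures what the restriction costs in bits. The function names and the three sample policies are constructed for illustration; `SITE_SET` assumes the question's symbol list means "@", "-" and ".".

```python
import math
import secrets
import string
from itertools import combinations

# Constructed sample policies; SITE_SET reads the question's list as "@", "-", ".".
LOWER_DIGITS = string.ascii_lowercase + string.digits
SITE_SET = string.ascii_letters + string.digits + "@-."
FULL = string.ascii_letters + string.digits + string.punctuation

def conforming_count(length, alphabet, required=()):
    """Number of length-`length` strings over `alphabet` containing at least one
    character from every class in `required` (inclusion-exclusion)."""
    alpha = set(alphabet)
    classes = [alpha & set(cls) for cls in required]
    total = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            remaining = alpha - set().union(*missing)
            total += (-1) ** k * len(remaining) ** length
    return total

def entropy_bits(length, alphabet, required=()):
    """log2 of the conforming set: the entropy of a uniform draw from it."""
    return math.log2(conforming_count(length, alphabet, required))

def generate(length, alphabet, required=()):
    """Uniform draw with a CSPRNG; redraw the whole password until every required
    class appears, so all conforming passwords stay equally likely."""
    if conforming_count(length, alphabet, required) == 0:
        raise ValueError("no password can satisfy this policy")
    pool = sorted(set(alphabet))
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if all(set(pw) & set(cls) for cls in required):
            return pw

if __name__ == "__main__":
    need = (string.ascii_lowercase, string.digits)
    rows = [("full printable ASCII", 15, FULL, ()),
            ("letters, digits, @-.", 15, SITE_SET, ()),
            ("lowercase + digits", 15, LOWER_DIGITS, need),
            ("lowercase + digits", 20, LOWER_DIGITS, need)]
    for name, n, alpha, req in rows:
        bits = entropy_bits(n, alpha, req)
        print(f"{name:21} len={n} {bits:6.1f} bits  e.g. {generate(n, alpha, req)}")
```

At 15 characters the lowercase-and-digits policy costs about 21 bits against the full printable set, the "must contain a letter and a digit" rule costs about 0.01 bit, and five extra characters more than recover the difference.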

  • williakz
    Community Member
    edited February 2021

    @ag_yaron, the way to approach this problem, IMO, is to default to (more or less) random generation to produce the most robust passwords but with a user-selectable option to go "Manual" when needed and as @Naxterra showed above. I would also suggest that any entries with such user-restricted or modified passwords be clearly indicated so users can periodically recheck site restrictions with a view to going "full Auto" (random) to restore password robustness if and when site restrictions are eased.

  • ag_yaron
    1Password Alumni

    Thanks for the suggestions here @williakz .

    1Password already shows you how strong a password is (e.g. Terrible, Bad, Good, Strong, Excellent etc). If a password is marked bad and below, Watchtower will notify you that it is bad whenever you look in Watchtower or when you open that login item.

    Is that more or less what you are expecting to happen?

  • williakz
    Community Member

    Hi @ag_yaron,

    I suppose I'm asking for an indicator of how a password was generated in addition to the measure of its robustness that Watchtower currently provides.

    In my case, I was given 30 days to come up with a new password for a financial site (I know, I know — I already sent them your "Bad Bank" letter). I figured I'd just let 1Password's password generator do its thing (I haven't used it much other than for "don't care" sites, I know, I know—that's backwards). Problem was I was site-restricted to a maximum password length of 15 characters. I received guidance here on how to conform the generator to produce password(s) of shorter length than the default. Everything from that point worked fine.

    However, in reviewing that length-limited password, Watchtower shows it as "Fantastic" (I like my own cooking as well!) with no indication that the password is shorter than the default length the password generator "wanted" to use. My assumption here is that the longer 1Password-generated password would be to some degree "Fantastic-er" than the shorter one. Therefore, the shorter one should carry an indication that it was produced with limitations relative to what the 1Password generator would've come up with on its own. Such an indication would permit me to periodically review site-restrictions with a view to creating new, unrestricted passwords when and if possible.

    Hope that helps explain my earlier message.

  • ag_yaron
    1Password Alumni

    Hey @williakz .
    Thanks for clarifying further.

    I think in this particular instance, your concerns might be misplaced. A 15-character-long random password is extremely strong. If the password is completely random, even a 12-character-long password is wonderful and will be considered uncrackable unless someone would be willing to invest a ton of money and resources on cracking it - and that only happens if you're someone super important or have access to very sensitive and wanted data.

    We've had bounties in the past where we paid the community to try and crack such passwords, and even though the prizes were in tens of thousands of dollars, most of them weren't cracked without us having to give out some clues as to what the passwords may or may not contain. So again - to put things in perspective, a password that was generated by our generator is super strong even when it is short. If it is too short or if you mess with the password manually in a way that hurts the entropy (e.g. only letters and some letters repeat themselves more than twice in a row etc...), then 1Password will let you know that the password's strength is less than fantastic.

    If you are a very important person or if you have data that is extremely sensitive, then you should use the generator to generate longer passwords, but for the vast majority of users, the suggested passwords are way more than enough, and even passwords that are a bit shorter are :)

    There are a lot of calculators out there that will demonstrate how weak/strong a password is that you can find and play with. Here's one from the top of Google's search results. Feel free to generate passwords in the generator and test them there. Do not use real passwords that you actually use though!

    I hope that clarifies why most passwords you generate will show as fantastic, while some passwords you create manually might be weaker :)

  • williakz
    Community Member

    Thanks for the explanation (and new toys to play with), @ag_yaron. You folks are the greatest!

  • ag_yaron
    1Password Alumni

    Glad I could help :chuffed:

  • upupcreative
    Community Member

    I've noticed that the passwords generated by 1Password tend to get a "Very Good" rating within 1Password, whereas all of the passwords I had previously generated using Keychain in Safari are all rated as "Excellent" or even "Fantastic" in 1Password. I'd love to be able to edit the password generator recipe in 1Password so that all of those passwords would also rate as excellent or fantastic, too.

  • [Deleted User]
    Community Member

    @upupcreative If you are using the latest version of 1Password in the browser, formerly known as 1Password X, then you can choose the default recipe for suggested passwords. Click on the 1Password extension icon then the '+' symbol then Password Generator. Here you can generate passwords according to a number of pre-defined recipes, adjust the recipe, manually edit the resultant password and choose the default recipe for suggestions.

  • Thanks for helping out, @missingbits. Let us know if you need further assistance on this, @upupcreative. :smile:

  • upupcreative
    Community Member

    Thanks @missingbits :)

  • ag_ana
    1Password Alumni

    :)

  • CCAAG
    Community Member

    I miss the now-deprecated password recipe feature! Specifically, modifying the recipe to specify the exact amount of special characters or digits in the password. Is there any way this feature can make a comeback?

  • ag_yaron
    1Password Alumni

    Hey @CCAAG ,

    We don't encourage manually messing with the recipes, since that often hurts the entropy and randomness of the password generated.
    However, if the password generator is not creating a very specific kind of password you're trying to generate, simply click the generated password with your mouse and edit it with your keyboard as you see fit.

  • davemacdo
    Community Member

    I find this response to be very unsatisfying and yet another reason to dislike the new browser-based 1P apps. As @ag_yaron acknowledges above, memorable passwords can be functionally as secure as more random-seeming passwords if they're long enough. Sometimes I have to view a password on my phone and type it in at another computer. In this case, a 30-character "memorable" password is far more convenient than an 18-character "random" password.

    Regardless, if I want to choose to create a "less secure" password, either so I can remember it or because the system I'm using has very particular constraints, I should be able to create the password I want, and I should be able to make that decision each time I create a new password. I know what kinds of passwords I need for different circumstances. You don't.

  • [Deleted User]
    Community Member

    @davemacdo The password generator in 1Password in the browser allows you to generate 4 different types of password: a Smart Password which aims to automatically meet the requirements of the website, a Random Password using letters/numbers/symbols, a Memorable Password based on dictionary words and a PIN using only numbers. The generator allows you to choose one as the default for suggestions and all but the Smart Password can be adjusted in length. Click on the 1Password extension icon then the large '+' symbol then Password Generator.

  • williakz
    Community Member

    @rootzero, what's your experience been with Smart Password?

    I'm working my way through the process of systematically "hardening" my login passwords and haven't found Smart Password to be of much value on many of my stored sites. I still get invalid password messages due to Smart Password's suggestions being overlong and/or using prohibited symbols. I've found restricting the generator's passwords to 15 characters generally works well, but I don't like giving up 1Password's preferred length (even though I've been assured even 12 characters provide adequate security). Thoughts?

  • davemacdo
    Community Member

    @rootzero yes, but those options are not available in the suggestions when creating a new login. Going to the manual login creation through the path that you described is considerably less convenient, as there is often a need to make tweaks to the recipe to accommodate various service-specific requirements. This was very easy to do in the previous versions of 1Password, and much more tedious (and error-prone) in the current version.

  • [Deleted User]
    Community Member

    @williakz I have not found the Smart Password particularly useful, perhaps because the Apple database doesn't yet have all the European sites I use and maybe because I was put off using the suggested password when it always seemed to be based on words.
    I tend to leave the default for suggestions set to Random Password with a length of 18-20 characters. This works for most websites and I only occasionally need to add/remove symbols and/or reduce the length to 12-16 characters to accommodate the outliers. But as @davemacdo points out, this can lead to quite a few more clicks, especially as many websites don't tell you all the constraints until they reject your first attempt!

  • davemacdo
    Community Member

    The biggest issue I have with all the extra clicks is that it’s far too easy to save a different password in my vault than the one that is actually used.

  • [Deleted User]
    Community Member

    @davemacdo That's part of the reason I don't like the suggestions menu and go directly to the password generator. You can see the generated password and, when you click copy or autofill, it gets added to the generator history.

  • ag_yaron
    1Password Alumni

    Hey guys, thanks for all the input and feedback here.

    @davemacdo You don't need to manually create a login item when you want to generate a different password. You just need to get to the Generator in the extension, like so: https://support.1password.com/getting-started-browser/#create-a-custom-password
    Also, if you're on your phone and you need to put your password into a website/app where autofilling doesn't work, simply copy the password from the 1Password app and paste it into the field instead of manually typing it (unless that's impossible too for some reason?).
    As mentioned here already, you can adjust the default recipe of the suggestions so it would always suggest memorable passwords instead of smart/random passwords, I hope you'll find it useful.

    @rootzero Indeed, Apple's database of password requirements is still in its infancy, but we hope it will grow into the leading database in the world, which would improve password suggestions across the board! Feel free to contribute to their repo when you encounter a website whose password requirements are not met by 1Password or any other password manager to help grow the database: https://github.com/apple/password-manager-resources

    @williakz Indeed, a 15-character-long password that was randomly generated is more than strong, so don't feel too bad about reducing its length. We hope that some day websites will adhere to a certain standard and will allow choosing passwords with no length limit at all, making it a lot easier for users and password managers to provide and choose the strongest passwords in the easiest method! I hope you'll finish changing all of your passwords soon and get done with it. I know how long and tedious of a process it can be :angry:

  • davemacdo
    Community Member

    @ag_yaron I understand how to generate a different password for a new site. My point is that the recipe used to be available from the initial suggestion in the old extension. Furthermore, the issue of having to type it is because I'm on a computer that doesn't belong to me, which is a frequent occurrence on a college campus where I work. Changing the default recipe is also not acceptable, since it can't easily be changed at the point that it is suggested at the popup attached to the form.

    All of these used to be trivially simple in the old extension and have been needlessly complicated by the new one.

  • ag_yaron
    1Password Alumni

    Thanks for the additional info @davemacdo ,

    The old extension did not suggest new passwords at all. You had to click the extension's icon on the top right corner of your browser to open it, then you had to click the "+Generate Password" button there to reach the generator, at which point you'd be able to generate new passwords and edit the recipe - this works almost identically right now, except that the new extension suggests passwords automatically inside "New Password" fields. If you need to edit the recipe, you need to click the extension's icon to open it, then navigate to the generator just like the old extension, OR, press CMD+G (on Mac) / CTRL+G (on Windows) which will get you there faster.

    You can still get the old classic extension if you'd like to give it a try and see if you prefer working with it: https://support.1password.com/cs/1password-classic-extension/

This discussion has been closed.