1Password - Intelligent password same pattern and length

Hey @element ,
Great question :)

When the entropy is strong enough, patterns are not as important. You can have a predetermined pattern in 16-18 characters long passwords and it will be uncrackable if the passwords are randomly generated with strong entropy in mind, it would take hundreds/thousands of years to crack with current day technology.

We update our smart passwords recipe from time to time according to how well they're being accepted on most websites. Up until recently, it was around 20-21 characters long, and we've reduced it to comply with even more websites, when we can't read the specific requirements of the website, we fall back on our default which is now a 19 characters long password.

You are correct that patterns in passwords could weaken them, but that is only of they were not randomly generated, short and do not contain a mix of lowercase+uppercase+digits+symbols. For example, if you generate passwords that are 12 characters long and contain 4 lower case letters, 4 digits and 4 lower case letters, that would be considerably weaker due to it being shorter and with lesser entropy. You can strengthen Entropy by adding other types of characters (mix uppercase/lowercase, add symbols etc).

You can also find password strength calculators online and paste some of these smart passwords in it to see how the passwords perform there, just make sure not to use these passwords for real later on :)

Hey @element and @ag_yaron,

Cracking randomly generated passwords is all about time, specifically the time it would take to try every possible value. Lucky for us we can calculate how long it would take to crack a password through brute force by counting all the possible passwords and dividing that number by the time it takes to crack 1 password. As I read it, your question is essentially, since there is a pattern in the generated password, does it reduce the security of the password? Let's find out.

The intelligent passwords are generated from four character sets, uppercase letters (26), lowercase letters (26), numbers (10), and a subset of symbols (6) that we have found to be safe for most sites, which is a total of 68 unique characters. For a 1-character password we have 68 possible passwords and for a 2-character password we have 68 * 68 possible passwords. Following that pattern we see that to calculate the number of passwords of length 19, we need to multiply 68 by itself 19 times (68^19), which is approximately 6.57 * 10^34.

Now, to calculate the number of passwords of length 19 that match our pattern we use a similar technique. For the first three values of our pattern we choose from only 52 characters, the total number of uppercase and lowercase letters. For the fourth value we choose from one of 16 characters, the total number of digits and safe symbols. So for a password of length 4 we would multiply 52 * 52 * 52 * 16 to get the number of possible passwords. Following this pattern, our 19 character password would end up with 15 letters and 4 numbers/symbols so to calculate the total number of passwords we would multiply 52 by itself 15 times (52^15), multiply 16 by itself 4 (16^4) times, and then multiply those two numbers. This comes out to be approximately 3.6 * 10^30.

All we have to do now is figure out how many passwords can be cracked in a second and we can estimate the strength of our two passwords. A really good password cracking rig can bruteforce approximately 500 billion passwords each second. Let's assume our attacker has nation-state resources and has 1000 of these cracking rigs to dedicate to our password. Now, we are talking 500 trillion (5 * 10^13) passwords per second or 1.58 * 10^21 passwords per year. To crack our truly random password it would take approximately 41.6 trillion years and to crack our patterned password it would take approximately 2.28 billion years. While it would take significantly less time to crack the patterned password, it is still essentially impossible.

This is a long winded way of saying the generated password, even though it has a pattern, is still very strong but has the added convenience of matching the common password requirements for many sites.

P.S Keep in mind the password cracking speed assumes the site storing your password is using a simple hash called MD5. If the site is using a proper password hashing algorithm like scrypt, bcrypt, or Argon2, with a sane configuration, the number of hashes per second is a billions of times fewer, yes billions with a B.

Large numbers are often not easily comprehensible for us, but yeah, we're talking about astronomical numbers here so even with a certain pattern it is still not feasible to crack a password like our smart passwords generator suggests.

Seems like the generator could still strike out by chance if it produced all lowercase (or all uppercase) letters or if it produced only numbers and no symbols or vice versa. Not likely but possible.

The pattern in the smart passwords generator dictates there has to be a mix of lowercase and uppercase letters, digits and symbols, so it will not generate one without all of these requirements.

Furthermore, the smart passwords generator will attempt to read the website's requirements, if such exists in the HTML code of the password field, and will adjust the smart password accordingly.
Not only that, but the smart passwords generator also relies on open databases of websites passwords requirements such as Apple's password manager resources and our own database to tell whether a website has unique requirements, what they are and how to adjust the suggested password accordingly.

So if you get to a website that does not provide 1Password information from any of the sources above, 1Password will fall back to the default pattern you initially wrote here. But you will probably encounter some websites where it offers a completely different random password without that pattern if that website is affected by the above resources. That is why it is called the smart passwords generator :)

Glad we could help :)