Password re-assessed from "Fantastic" to "Terrible" by Watchtower

jmach_jim
Community Member

Hello,
This message is rather meant as information for 1Password users than a question (as the topic was discussed this week with 1Password support via email).

Last year I created a password for my broker account using 1Password engine. Because at least 1 number and 1 capital letter were required, I have added a number and changed one letter to a capital. This week I recognized that the password is assessed as "Terrible" by the 1Password Watchtower (see the screenshot).
The initially generated password was "qigwu-rizxev-kapcun". After modification, it changed to "qigwu7-rizxeV-kapcun". In this case, the modification should keep/upgrade the password, not downgrade it to "Terrible" (in my opinion).

I have contacted the 1Password support and got a reply "...if you type your own password, modify a generated password, or even copy a generated password from another source and add it to 1Password yourself, the rating will go down because 1Password has no way of knowing that it's truly unique and random." I am not of this opinion in this particular case. To be assessed as "Terrible" you need a password like "house" or "123456". That's far away from "qigwu7-rizxeV-kapcun".

I believe there are 3 options:
1. 1Password engine generates weak passwords, and Watchtower correctly assesses low password quality (that would be scary)
2. Modifying or inserting your own password leads to an assessment of a "Terrible" because 1Password has no way of knowing that it's unique and random.
3. There is a bug in the Watchtower assessment algorithm - even strong passwords are assessed (at least in some cases) as "Terrible".

I am not a crypto expert, but I think the 3rd option is correct. Still, it was not confirmed by 1Password team (although I raised it). I have created a test login in 1Password and inserted my "Terrible" password "qigwu7-rizxeV-kapcun". It was assessed as "Fantastic" (see below). The same password is assessed (at the same time) as "Terrible" and "Fantastic". I guess there is some improvement opportunity. If so, users should not be automatically stressed if a password is assessed as low-quality.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • MrC
    Volunteer Moderator
    edited August 2022

    If a reliable quality password metric cannot be presented, then perhaps indicating "Unknown" would be a better choice?

    I don't recall this password metric ever being useful or reliable, so I've just routinely ignored it. And that has always felt like the wrong behavior. And yet it seems inconsistent, as security software, to provide user feedback that is unreliable and incorrect, such that this form of (bad) behavior is reinforced.

  • Hi @jmach_jim, I'm sorry you ran into trouble with the password strength indicator (and Watchtower alert). This is something we worked hard on in 1Password 8, but there are a few cases where we still run into problems. Let me explain…

    To keep 1Password responsive, we record the strength of your password when you change it (either by using our Strong Password Generator or by entering your own password). Doing this means that we don't have to re-calculate the strength of each Item's password every time you unlock the app. However, if (for example) an old version of 1Password had a bug that prevented a password change from also recording the correct password strength, you'd end up with an item whose actual password strength was quite different from the indicated strength.

    I'm not 100% sure if such a bug existed in previous versions of 1Password, but it's certainly possible via some edge case.

    As you've already discovered, getting things back in line is fairly straightforward:
    1. Edit the item and change the password to something else (even a one-letter change is fine)
    2. Save the item
    3. Edit the item again and change the password back, if desired, and save

    That will record the correct password strength and should also do away with the Watchtower alert.

    Sorry for the inconvenience, please let us know if those steps don't work for you, or if you run into any more trouble 💜
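
The stale-rating behaviour described in the reply above, modelled as an added example (not 1Password's code and not part of the thread): the rating is recorded only when the password is set, so an audit that recomputes it finds items whose stored label has drifted. The `Item` class, the rating bands and the naive character-pool estimate are assumptions made for illustration; the estimate is an upper bound, not 1Password's metric.

```python
import math
import string

# Rating bands (in bits) are assumed for this example, not 1Password's thresholds.
BANDS = [(40, "Terrible"), (60, "Weak"), (80, "Good"), (math.inf, "Fantastic")]
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def pool_bits(password: str) -> float:
    """Naive upper bound: length * log2(total size of character classes used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def rate(password: str) -> str:
    bits = pool_bits(password)
    return next(label for limit, label in BANDS if bits < limit)

class Item:
    """Hypothetical vault item: the rating is recorded only on password change."""
    def __init__(self, title: str, password: str):
        self.title = title
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.password = password
        self.recorded_rating = rate(password)  # cached, not recomputed on unlock

def stale_items(items):
    """Titles whose recorded rating disagrees with a fresh recomputation."""
    return [i.title for i in items if i.recorded_rating != rate(i.password)]

def rerecord(item: Item) -> None:
    """The reply's steps: change the password, save, change it back, save."""
    original = item.password
    item.set_password(original + "x")
    item.set_password(original)

def build_vault():
    pw = "qigwu7-rizxeV-kapcun"          # password quoted in the thread
    broker = Item("Broker", pw)
    broker.recorded_rating = "Terrible"  # constructed: stale label as the poster saw it
    return [broker, Item("Test login", pw)]

if __name__ == "__main__":
    vault = build_vault()
    print("stale before:", stale_items(vault))
    rerecord(vault[0])
    print("stale after: ", stale_items(vault))
```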

This discussion has been closed.