Memorable Password Generator

Any plans to beef up the memorable password generation algorithm? I generally much prefer the output I get out of the built-in Mac password assistant for memorable passwords, but it doesn't integrate directly into 1password. Aside from the wide array of separators, I'm not quite sure how their algorithm differs from yours. Thanks very much!

Comments

  • khad
    1Password Alumni

    I know we've been big proponents of Diceware for master passwords. Perhaps that would be a good fit in the future. It's something I'd personally like to see, but I can't comment on future plans. :)

    I'll pass your vote along to the developers. Thanks for your feedback!

  • khad
    1Password Alumni

    I use Diceware for security questions myself, but I will pass your vote along as well. Thanks, Jim!

  • khad
    1Password Alumni

    There are other cryptographically secure sources of entropy. :)

    For my purposes, I find http://www.random.org suitable.

  • khad
    1Password Alumni

    It's really hard to figure out the correct level of paranoia with this stuff.

    Haha! I appreciate that sentiment. I am pretty satisfied with my workflow, but only you can decide your own level of paranoia. LOL

  • MrC
    Volunteer Moderator

    Security tip: never provide a truthful or meaningful answer to a security question.

    Q: What is your favorite color?
    A: Jumpin' Jim-Jack Smith

  • khad
    1Password Alumni

    Indeed. We have an entire blog post devoted to this practice:

    My father’s middle name is vR2Ut1VNj

    :D

  • benfdc
    Community Member

    I have requested a diceware-ish passphrase generator in another thread, but I'm happy to +1 it here as well.

  • khad
    1Password Alumni

    While only one vote per person is counted, I may bend the rules and add your vote twice, Ben. I would love to see a Diceware option in the generator. :)

  • laken
    Community Member

    Getting back to the OP's question: I too prefer OS X Keychain's style of creating memorable passwords to the 'pronounceable' option in 1password. Perhaps I'm still hung up on this because even though I've used 1password for years now, I've never switched over to making all my passwords (besides master) super-secure and random. Sometimes I need my gmail password on a friend's machine (I know I could look it up in the iOS app, but re-keying a 16-char random password is a PITA), and sometimes I need to enter a password in Safari on iPhone – so I've kept many as 'memorable' and generate them from Keychain Access.

    1. Got any tips/suggestions how to feel comfortable moving to fully random pw for all but a few master ones? (I did upgrade to iOS 1password v4 today which should help)
    2. I think I've had a false sense of security with the 'memorable' algorithm – this article freaked me out! Do you have any docs or blog posts on comparing security of various algorithms?

    Thanks!

  • [Deleted User]
    Community Member
    edited August 2013

    Dropbox is your savior here. If you sync 1Password with Dropbox (make sure you pick a memorable password, with Diceware for instance, for Dropbox and memorize it. I can't get Dropbox to ask me for the password every time until I memorize it, so I just check myself every time I think about Dropbox to see if I remember it), you can access 1Password with any Web browser, including on your friend's computer. And I have only once, so far, had to manually enter a password stored in 1Password, for the StumbleUpon app on a Windows 8 tablet. I have always been able to paste passwords from 1Password for iOS into iOS apps, though occasionally it has taken several tries or a device reboot.

    However, there's still the possibility that I will have to manually enter a password someday (I was in the Army for a long time; I know some military computers only allow access to .mil sites, for instance), so for that reason I usually turn "allow ambiguous characters" off, have my passwords be no more than about 20 characters, and for the sites that I most fear I'll need to manually enter the password someday, use 1Password's "pronounceable" function, which creates passwords that are less secure than random numbers and letters, but should still be sufficient for any normal purpose. I don't find them very hard to transcribe from my phone to a computer screen. Unfortunately, of course, the sites I do this for are those that really need to be most secure, such as Google, ecommerce, and banking sites. But I don't see a better way, and besides, a 20-character "pronounceable" password should still be uncrackable with the technology available to today's civilian hackers.

  • khad
    1Password Alumni

    Hi @laken,

    Good questions.

    "Got any tips/suggestions how to feel comfortable moving to fully random pw for all but a few master ones? (I did upgrade to iOS 1password v4 today which should help)"

    Do one at a time. Take it slow. There is no hurry. It's not a race. :)

    "I think I've had a false sense of security with the 'memorable' algorithm – this article freaked me out! Do you have any docs or blog posts on comparing security of various algorithms?"

    For passwords you need to remember, we recommend the same method that we suggest for Master Passwords:

    Toward Better Master Password

    The math behind it:

    Better Master Passwords: The geek edition

    And @Calion offers some great advice about using 1PasswordAnywhere too.

    Keep in mind that even a 23-character alphanumeric password (randomly generated) provides you with 128 bits of entropy.

    If we can be of further assistance, please let us know. We are always here to help!
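An added example, not part of the thread and not 1Password's code: it draws random passwords and Diceware-style passphrases from the operating system's CSPRNG and computes the entropy figures discussed in this thread. The 16-word list is a constructed sample, and the set of "ambiguous" characters is an assumption.

```python
import math
import secrets
import string

AMBIGUOUS = set("0O1lI")      # assumption: what "ambiguous characters" excludes
DICEWARE_LIST_SIZE = 6 ** 5   # five dice rolls select one of 7776 words
# Constructed 16-word sample list; a real Diceware list has 7776 entries.
SAMPLE_WORDS = ["anvil", "birch", "cobalt", "drift", "ember", "fjord", "gravel",
                "harbor", "ivory", "jigsaw", "kelp", "lantern", "mosaic",
                "nectar", "orbit", "pebble"]


def bits_per_pick(choices: int) -> float:
    """Entropy in bits of one uniform pick from `choices` options."""
    return math.log2(choices)


def picks_needed(target_bits: float, choices: int) -> int:
    """Smallest number of uniform picks whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_pick(choices))


def random_password(length: int, allow_ambiguous: bool = True):
    """Return (password, entropy_bits) drawn from letters and digits."""
    alphabet = [c for c in string.ascii_letters + string.digits
                if allow_ambiguous or c not in AMBIGUOUS]
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, length * bits_per_pick(len(alphabet))


def passphrase(words, count: int, sep: str = " "):
    """Return (passphrase, entropy_bits); entropy depends on list size only."""
    unique = sorted(set(words))  # duplicate entries would overstate entropy
    phrase = sep.join(secrets.choice(unique) for _ in range(count))
    return phrase, count * bits_per_pick(len(unique))


if __name__ == "__main__":
    pw, bits = random_password(23)
    print(f"23 random alphanumerics: {pw}  ({bits:.1f} bits)")
    pw, bits = random_password(20, allow_ambiguous=False)
    print(f"20 chars, no ambiguous:  {pw}  ({bits:.1f} bits)")
    phrase, bits = passphrase(SAMPLE_WORDS, 5)
    print(f"5 words from sample list: {phrase}  ({bits:.1f} bits)")
    print("Diceware words for 128 bits:", picks_needed(128, DICEWARE_LIST_SIZE))
```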

  • laken
    Community Member

    Thanks, good resources!

  • khad
    1Password Alumni

    It's my pleasure to help. Enjoy the rest of your week. :D

This discussion has been closed.