Password generator differences

Comments

  • Ben AWS Team

    Team Member

    @prime

    I'm not sure the example of your mother-in-law is a valid argument here. I could counter with the fact that my mother and father use 1Password and have absolutely no idea or care what any of their passwords are comprised of. 🤷🏻‍♂️ But I don't really think those sorts of arguments are productive. I think the take-away is that 1Password is not a niche product anymore used only by specific types of people. It is used by companies who roll it out to their entire diverse employee base. It is used by families who have members of all sorts of different backgrounds. And it is used by individuals who never would've thought of doing so even 5 years ago. Everyone needs and deserves a better chance at being secure, not just those who care how many digits are in their passwords.

    I do think it is absolutely ridiculous that in 2019 websites still have asinine password requirements and as folks who are aware of that it is our duty to call out these practices and to use whatever leverage we may have to encourage better options when we see them.

    Long story short there is still a lot to be done with the password generator. We don't have uniformity across platforms yet, there is still disagreement (even internally) about what controls should be exposed, etc. As is our usual stance I can't make promises about the future. But I can say we'll continue to listen to all of the feedback, combine it with our own thoughts, and then roll out our best effort. And then we'll probably iterate on that some more.

    Ben

  • @ben, my point was... people who use password managers are a different breed. You cannot deny that. We pay more attention to what we use as a password. We don’t use “password” as our password.

  • brenty

    Team Member

    Ben's point was that just isn't the case today. Certainly that was true for a long time, but after years of high profile security breaches being featured on network TV, there are a lot more folks who don't self-identify as tech people using password managers for their work and/or personal security. We know this only because we talk to them every day. :)

  • @brenty but you see my point about turning off numbers or having numbers left at 1? People will forget either one.
    You said

    The real concern is that most people (though I suspect not you) who encounter something like this once would set their digits to "1" and leave it there indefinitely.

    Yes, people may forget and leave it at “1”, but there are cases when a site can’t use numbers, so a person will turn off the numbers part. Then they forget the numbers are off, then what? See my point?

  • brenty

    Team Member

    @prime: Sorry, I misunderstood earlier because that's getting away from the topic of this discussion. You're not wrong, but that's of course why 1Password defaults to having digits enabled. And, given that most websites require some digits in the password nowadays, even if the user has disabled digits, when the user inevitably has to re-enable them, they'll be "stuck" with it on again. I don't see how that's a bad thing. Users need to be able to disable digits sometimes still. There's no getting around that. But they'll inevitably have to enable them again, so it's not the case that they will end up with them disabled indefinitely; and that's beside the point: an indeterminate number of digits is better than limiting them, which is why the new password generator is designed this way. The alternative you're arguing for -- setting a specific number of digits -- still has the option of disabling them completely, and that still has the same "downside" you're suggesting; so, on balance, users will still get better passwords with the current options as opposed to the old way.
