Two identical passwords generated !!!!

I have spent much of the weekend adding all of my passwords from about 200 accounts to 1Password and generating new random passwords for all of them. I am up to 145. When I generated the 145th, 1Password told me the new password was a duplicate! I checked and it indeed matched one that I had generated last night. I can't see how this is pilot error. This is wildly improbable given even a sortta good random engine.

Has anyone else seen this?


1Password Version: 7.3.1
Extension Version: Not Provided
OS Version: OS X 10.14.5
Sync Type: Default (dropbox?)

Comments

  • Ooops - just figured out the pilot error on my own.

    When I changed the password on the web site, it offered to update the existing stored password. I did not need to click yes but I did - somehow I had wrong item selected - probably carelessness when bringing the 1Password window in the foreground.

    Nevermind</Emily Litella voice>

  • BenBen AWS Team

    Team Member

    I'm glad to hear you were able to sort out what happened here. :) It would indeed be incredibly improbable to generate two of the same password unless using a very short password length.

    Ben

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Ooops - just figured out the pilot error on my own. When I changed the password on the web site, it offered to update the existing stored password.

    Whew!

    That is actually what I expected. We've had similar cases in the past, and they've all turned out to be something like this.

    It would indeed be incredibly improbable to generate two of the same password unless using a very short password length.

    I haven't done the math, but I think that for four digit PINs we shouldn't be surprised at a collision after 145 generated passwords. But even for four character (letter, digit) passwords it would be a surprise (though not an astronomical one).

    [Now looking at where I may have saved things up for performing such calculations ... Never mind, it is built into R's standard stats package.]

    So for PINs, there is nearly a 2/3 chance a collision in a pool of 145:

    > pbirthday(145, classes = 10000)
    [1] 0.649735
    

    and for four character passwords, it is about a 1 in 1400 chance.

    > pbirthday(145, classes = 62^4)
    [1] 0.0007062879
    > 1/pbirthday(145, classes = 62^4)
    [1] 1415.853
    

    But for normal passwords, say with default settings in the "new" generator with 118 bits, the numbers really are beyond astronomical, and they go beyond the range of R's birthday calculator.

    > 1/pbirthday(145, classes = 2^118)
    [1] Inf
    

    So yes. Something would have been very very wrong if our generator came up with the same password twice.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file