Web developer question: Can we communicate password requirements to 1Password in semantic HTML?

IntlOrange
IntlOrange
Community Member

I make websites. Is there a way to specify my password requirements on my account creation page (ideally via semantic HTML)?

For example, "your password must be at least 15 characters, but no more than 50, and must contain…"

I would love a way to make these requirements available to 1Password (and other password managers), so anyone using the password generator functions could be spared the tedious dance of iterating on new passwords until requirements are met.

Related web dev information (but only regarding enabling 1P login fills, not defining new passwords):


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @IntlOrange: It's a good question. There isn't a standard for that as far as I know, and ultimately limiting password composition is not recommended at all for security. Specific characters can become a problem if you're storing actual passwords, but hashing them is better for security and also avoids those kinds of complications. We would like 1Password to be able to detect length in the future though, and you can use minlength and maxlength for that. That's probably something you're aware of, but you may be surprised how many websites will accept a certain length on one page but not another. Very confusing for users. But I do think it would be cool in the future for a website be able to declare what they will allow as far as creating the strongest password possible -- though it would be better to just set a minimum and maximum and not be finicky about the rest. :)

  • IntlOrange
    IntlOrange
    Community Member

    @brenty Super, thank you! This is so helpful. I will be sure to implement those, hoping for future extra smarts to be built into 1Password. :)

    I see there's also a 'pattern' attribute — interesting! Even though it isn't best practice to introduce bonkers requirements ("include at least one capital letter and five nonsequential numeric digits") I'm happy to see a potential path forward here. I mean, I wouldn't ask my users to invent crazy passwords, but of course I would love to be spared the headaches as an end user myself on those other sites that have weird rules. :p

    For my future self, note specs on minlength and maxlength here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/password

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah yes that's great! Thanks for having your users' backs. We'll continue to evaluate what makes sense for us to do, and web standards will continue to evolve as well -- perhaps meeting in the middle in the future. Cheers! :)

  • Apple has also proposed a syntax for specifying password rules: https://developer.apple.com/password-rules/

  • IntlOrange
    IntlOrange
    Community Member

    @rudy Fascinating! Very nice.

    It occurs to me the downside of specifying one's password rules in machine-readable form is making it slightly easier for automated attacks… But I suppose if your rules are flexible enough (allowing for or requiring enough randomness/entropy — did I get that right?) then the risk is negligible. I mean, you could theoretically train a machine to interpret the unstructured instructions provided in the UI, anyway. (The password rules aren't themselves secret information — usually.) 🙂

  • I think that pretty well sums it up, @IntlOrange. Would it perhaps make it slightly easier to determine password requirements for the bad guys as well? Yes. Is that far outweighed by the benefit to the good guys? I think so.

    Ben

This discussion has been closed.