Request: Mask random passwords by default

A Feature request
I don't see any reason why a password should be displayed on screen in the random generator.
If I was sitting in a public location, someone could see the password I was generating on my screen
as I set up an account. I don't need to know what the random password is, just that 1Password is creating one
for me and storing it. I think this field should operate as password fields do elsewhere in the UI: masked by default,
but displaying the password when clicked.

Comments

  • khad
    1Password Alumni
    While I think that any onlooker would have a very difficult time recording — let alone memorizing :-) — one of the 50 character strong passwords generated by 1Password, I will definitely pass this along to the developers for consideration. Thanks for letting us know you are interested in this.

    Please let me know if there is anything else I can help with.

    Cheers,
  • khad wrote:

    While I think that any onlooker would have a very difficult time recording — let alone memorizing :-) — one of the 50 character strong passwords generated by 1Password, I will definitely pass this along to the developers for consideration. Thanks for letting us know you are interested in this.

    Please let me know if there is anything else I can help with.

    Cheers,


    Thanks for the quick reply!

    Do you generate a lot of 50 character passwords? I don't; I'm not sure many people do. Isn't the default 1Password length like 12 or 14 characters? Many sites have a max password length of about 20 chars. Most people have camera phones these days; it would be trivial to discreetly get a shot of someone's screen that way.

    Regardless, I agree that it is unlikely. However, I think it behooves security software to err on the side of increased security (I really needed an excuse to use the word "behooves" ;-). Especially when there isn't a strong case for needing to see the password. I'm not saying never show it, but mask it by default.
  • thightower
    Community Member
    edited March 2011
    The only counterpoints I would have would be that some of us prefer to tweak the passwords and such. Sometimes I don't like a given GPW as it's not got enough special characters etc. for my liking or even has characters I don't want in a PW.

    Also, what would happen if the PW generator broke and started using the same PW over and over? How would we ever know there was a problem?

    Personally I can adapt provided we can show the GPW with the option key like any other concealed PW. However I have concerns as noted, but I will let the team decide on the best course of action.
  • anemo42
    edited March 2011
    @thightower:

    I suppose that as a beta tester, you need to verify things like this.
    However, as an end user, I generally trust software to do the right thing.
    With security software, especially, there is always a chain of trust
    that goes back, at least in part to the developers (no pressure guys ;-) ).

    Perhaps you want to leave the generated passwords unmasked by default in
    pre-release builds, and just mask by default in production builds. Not knowing
    how you make your builds, I don't know if this is practical.

    @brenty:

    I also had that strange compulsion to verify generated passwords for a long time.
    Mostly this was due to the fact that the software I used before did not have good
    controls over the amount of numbers / special characters to include, and different
    sites have different rules for what they allow. Eventually I got tired of always
    double checking everything and just let the generator do its job.
  • khad
    1Password Alumni
    Thanks for the additional details! While we never say "never," I want to be honest that this is not at the top of our priority list at the moment. We have to factor in viewing pronounceable passwords, etc.
This discussion has been closed.