Characters password generator security

edited July 2016 in iOS

Hi.

The characters password generator gives the option of choosing how many symbols and digits are to be in the password. Isn't that counter-productive for security? To get the security of a larger alphabet, the user should only specify how big the alphabet is (tick allow/disallow for digits and special symbols, maybe). The password should then be a completely random selection from that alphabet space.

If the user gets to choose how many of the characters are digits and how many are special symbols, the password is not so random anymore, and therefore weaker.

I realize there are many horrible websites out there that impose password requirements, like for example at least one digit, or at least one letter. So to allow for that you might change the slider from setting the digit count to setting the minimum digit count. That too weakens the generated password, but a tad less.

Comments

  • Pilar

    Team Member

    Hi @wilhelmtell

    Thank you for writing to us with this idea and concern about the password generator. There are a few different points to explore about this issue. First of all, so many sites have such specific or sometimes even slightly ridiculous requirements for passwords that most of our users' concerns about the generator are about adding more ways to control the output: otherwise they simply can't use 1Password's generator on some accounts, and that is inherently worse than giving up the option to have some control over what goes in the password. Even having a minimum instead of a set number often doesn't work on sites with strict rules for what passwords should look like :frown:

    There are two very important factors to take into account when checking password strength: the set that you're using but also the length of the password. If your password is long enough and random, may you be losing a bit of entropy by having those options? Maybe, but in a real-world scenario a password that would "only" take 25,000 years instead of 40,000 with a supercomputer to crack is still as secure as it could be. Now, as a disclaimer, these two numbers right now are just made up, but if you're interested in looking at the real math, I would be more than happy to go into detail about it, just say the word! :chuffed:

  • edited July 2016

    Good morning @Pilar !

    Sure. Correct me if I'm wrong, but I can't see how I'd get 1Password to generate me a random password of length L of, say, letters and digits.

    What I do see is how to generate a random password of length L consisting of A letters and D digits. I don't think that's the same.

    Correct me if I don't get the math right:

    digits=10, letters=26*2=52

    1. A password of length L of letters and digits has entropy log2(62^L)=L*log2(62).

    2. A password of length L of A letters and D digits has entropy log2(52^A*10^D)=A*log2(52)+D*log2(10).

    This looks to me like a big hit on the entropy, made worse by the fact that there's no way in 1Password to generate a password of case 1 above. Or, I don't see any.

  • Pilar

    Team Member
    edited July 2016

    Hi @wilhelmtell

    You are correct, the formula for the entropy is log_2(S^L) where S is the number of symbols and L is the length. While it would have a real effect on short passwords, when we increase the length we end up on a very secure place.

    Let's fix L=20 (it's not even too long) and compare S=52 and S=62. In other words, considering uppercase and lowercase only for the first one, and for the second one also digits. Note that it is even less strong than the second option that you present. Now, 20*log_2(52)= 114, while 20*log_2(62)=119. The entropy is a bit lower; however, if you take a look at this chart you'll see that you're still pretty safe, to say the least. If you're still concerned about increasing the security of your passwords, you can try to make sure to have even longer passwords. The generator can create passwords of up to 50 characters; I will let your imagination go wild on how long it would take to break that password, considering what you can see on the chart that I linked earlier!

    I would love to hear your thoughts on this, as you can see this is a topic that fascinates me and I'm highly invested in :chuffed:
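An added example (not from either poster) that carries both calculations through: the two formulas from the first reply (a uniform alphabet of S symbols versus exactly A letters and D digits) and the L=20, S=52 versus S=62 comparison above. It also goes beyond the thread in two ways: it adds the term for where the D digits land among the L positions, which the "exactly A and D" formula leaves out, and it counts the "at least n digits" case from the linked follow-up. The symbol-class sizes are assumptions for illustration.

```python
import math
from math import comb

# Constructed alphabet sizes; 52 letters and 10 digits match the thread.
LETTERS = 52
DIGITS = 10


def entropy_uniform(symbols: int, length: int) -> float:
    """Case 1 in the thread: each position drawn uniformly from S symbols."""
    return length * math.log2(symbols)


def entropy_fixed_counts(groups, with_positions=True) -> float:
    """Case 2: exactly n characters from each class, groups = [(size, n), ...].

    with_positions=False reproduces the poster's sum n*log2(size).
    with_positions=True also counts the L!/(n1!*n2!*...) arrangements of
    which positions hold which class (an addition not in the thread).
    """
    bits = sum(n * math.log2(size) for size, n in groups)
    if with_positions:
        length = sum(n for _, n in groups)
        ways = math.factorial(length)
        for _, n in groups:
            ways //= math.factorial(n)
        bits += math.log2(ways)
    return bits


def count_at_least(letters: int, digits: int, length: int, min_digits: int) -> int:
    """Number of length-L strings over letters+digits with at least min_digits digits."""
    return sum(comb(length, d) * digits ** d * letters ** (length - d)
               for d in range(min_digits, length + 1))


def entropy_at_least(letters: int, digits: int, length: int, min_digits: int) -> float:
    """Entropy of a uniform pick from strings with at least min_digits digits."""
    return math.log2(count_at_least(letters, digits, length, min_digits))


if __name__ == "__main__":
    print("S=52, L=20:", round(entropy_uniform(52, 20), 1))
    print("S=62, L=20:", round(entropy_uniform(62, 20), 1))
    print("16 letters + exactly 4 digits (poster's formula):",
          round(entropy_fixed_counts([(LETTERS, 16), (DIGITS, 4)], False), 1))
    print("16 letters + exactly 4 digits (with positions):",
          round(entropy_fixed_counts([(LETTERS, 16), (DIGITS, 4)]), 1))
    print("L=20, at least 1 digit:", round(entropy_at_least(LETTERS, DIGITS, 20, 1), 2))
```

The "at least 1 digit" case costs well under a tenth of a bit at L=20, while "exactly 4 digits" costs a few bits even after counting digit placement.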

  • edited July 2016

    @Pilar Alright, thanks. Yeah, this is well past the point where it matters. If anyone cares for someone else's password, somewhere past the one- or two-hour brute-force threshold they'd change gear to social. That's how you change the pitch from a strong password protecting a human to a weak human protecting a password.

  • khad (Social Choreographer)

    Team Member

    On behalf of Pilar, you are quite welcome. :)

    I always tell folks that even a randomly generated 23-character alphanumeric password (without a single digit or symbol) is already an uncrackable-in-the-age-of-the-known-universe 128 bits.

    If you have any additional questions, please don't hesitate to let us know. We love talking security.

    Have a fantastic weekend!

  • khad (Social Choreographer)

    Team Member

    @wilhelmtell,

    I almost forgot! You may also be interested to read @jpgoldberg's post about "exactly n digits" vs. "at least n digits":

    https://discussions.agilebits.com/discussion/comment/81609/#Comment_81609

This discussion has been closed.