missing "Allow characters to repeat" checkbox in password generators

Hi there -- I just noticed that the "Allow characters to repeat" checkbox is missing from the password generator in 1password. Updated to the latest beta, restarted and nothing happens. This appears in the app and the "mini" app. Any thoughts?


1Password Version: 6.5.BETA-27 (650027)
Extension Version: Not Provided
OS Version: 10.11.6
Sync Type: dropbox

Comments

  • jpgoldberg Agile Customer Care

    AgileBits Team Member

    Well spotted @andybatt!

    Now we always allow characters to repeat. Here is something I just generated that illustrates this. So what we have done is make the previously default behavior the only behavior. The default behavior of allowing characters to repeat generates stronger passwords.

    Password Generator in action

    Back in the old days, there were an annoying number of websites that tried to stop people from creating passwords like zzzzzzz123 by banning repeating characters. Fortunately sites with such restrictions are now few and far between, and so we thought it was time to remove an option (disallowing repeating characters) that only added confusion and made generated passwords a little bit weaker.

    So removing the option not only makes our strong password generator create stronger passwords, it makes it easier to use. It's not a huge difference in strength, but the combination of both stronger and easier to use is a clear win.

    A tiny bit of math

    If anyone is curious about how much disallowing repeats weakens generated passwords, let's go through the math:

    Suppose you are looking at generating a password with letters only. That gives us an alphabet of 52 characters. Now suppose that we want to make our password twelve letters long.

    Allowing repeats

    The first character of the password can be any of 52 letters, giving us 52 possibilities. The second character can be any of the 52 letters. And so for the first two characters of the password we have 52 × 52 possibilities (52^2). For the third character we also have 52 possibilities, as we do for all of the twelve characters in our password. This gives us a total of 52^12 possible passwords.

    Because 52^12 is too big a number to write out (and because we prefer addition over multiplication when comparing things), we take the base 2 logarithm of the number of possibilities and call it "bits of entropy." So a password generated this way would have about 68.40 bits of entropy.

    Disallowing repeats

    Let's work through the same thing, but this time disallowing repeating consecutive characters. As before the first character can be any one of the 52 letters of our alphabet. So that is 52 possibilities. But the second character can be any of the 52 characters except the first one. So that leaves 51 characters. The third can be any of the 52 characters except that it can't be the same as the character before it, so again we have 51 possibilities. Each character in the password can be any of the 52 letters except it can't be the same as the letter that came before it in the password.

    So for our password of length 12, there are 52 possibilities for the first character and just 51 for the remaining 11. The number of possibilities will be 52 × 51^11. That works out to about 68.10 bits.

    The difference in strength between the "allow repeats" and the "disallow repeats" case turns out to be very small. (If it had been substantial, we would have made this change sooner.)

    I could contrive an example using just digits instead of letters where the effect would be a bit more noticeable, but I will leave that as an exercise to the reader.

    The psychology of complexity

    I'm not entirely sure where the disallow repeating characters rule came from in the first place. The rule was common enough when we first built our strong password generator that we put in an option. I am guessing that it was to prevent passwords like zzzzzzz123.

    But there is something else that could also have played a role. Passwords without repeating characters might simply appear stronger.

    Which of these sequences of heads and tails appears to be more random?

    1. THHHTHHTTHHTHHHHTHHHTTTTTHTTHHHTTTTHHTTTTTTTTHHTTT
    2. TTHTHHTHTTHTHHTTHTHHHTHTHTHTHHTHHHTHHTTHTHTHHTHTTT

    Most people (if they don't know they are being set up for a tricky question about perceptions of randomness) will find that the second one is what they would expect from flipping a fair coin while the first one appears to have "too many" long streaks of heads or tails in it. Yet it is the first one that is generated through a "fair" coin, while the second one has a 66% chance of making each coin flip different than the one in front of it.

    So although 2 appears more random than 1, it is actually less so. But perhaps the psychological mechanism that makes 2 appear more random has contributed to sites and services trying to reject passwords with repeated characters.

  • Unfortunately, many of us still have the misfortune of dealing with legacy systems, which have shortsighted password complexity rules (around consecutive repeating characters). My Oracle password expired today and when I went to generate a new one with the "Allow characters to repeat" unchecked, as I have always done before, I found to my chagrin that this valuable feature had been removed. A number of my colleagues have also purchased 1Password to manage their credentials and are in the same boat. I find it extremely aggravating that you would remove valuable functionality that was already in place for dealing with these annoying legacy systems. This may not impact a large percentage of your users who have the luxury of mostly dealing with modern systems with well-thought-out password policies, but for those that it does impact, the loss of this feature adversely impacts the usability of 1Password.

    I can guarantee you that a 64 character password with some constraints placed on its randomness would be a lot more secure than the shorter password I'll end up generating, so I can remove the repeating characters manually. At a minimum, please have a flag in the advanced tab to turn this functionality back on.

  • I agree with @darylrobbins regarding the need for the option in the support of legacy systems.

  • jpgoldberg Agile Customer Care

    AgileBits Team Member
    edited January 5

    Hi, @darylrobbins and @paulsmiller, Let me start out with a practical point before delving into the general challenge we face. I'm quoting from @darylrobbins in what follows.

    Random passwords are stronger than you think

    I can guarantee you that a 64 character password with some constraints placed on its randomness would be a lot more secure than the shorter password I'll end up generating, so I can remove the repeating characters manually.

    I would like to point out that a 14 character randomly generated password using mixed case letters and digits (so 62 possible characters in each position) is going to be stronger than anything the NSA can break. So while there is a sense in which a 64 character password is enormously stronger, going for such a long randomly generated password doesn't actually improve your security in a meaningful way.

    For details about this argument (though applied to key size instead of password size) take a look at Guess why we are moving to 256 bits

    The need to block consecutive repeating characters remains

    Unfortunately, many of us still have the misfortune of dealing with legacy systems, which have shortsighted password complexity rules (around consecutive repeating characters).

    Yeah. That sucks. We are aware that these things are still out there, but they are much less common than they used to be. But we were facing a problem of people being confused by an option that an ever smaller portion of users would still find useful. But if you generate a 16 character letters and digits password (95 bits), you've got better than a 3 out of 4 chance of having no repeating consecutive characters.

    Where this gets difficult

    At a minimum, please have a flag in the advanced tab to turn this functionality back on.

    This is where we face our most difficult problems. How many advanced options are we going to support? It is always possible to add "just one more" advanced option without doing any harm. But "just one more" can really add up. Let me make it clear that I am not saying "no" to your request. I'm saying that if we say "yes" it must be weighed very carefully.

    We are looking at ways to improve how choices for the strong password generator are presented. And perhaps we may offer an advanced screen in which full control is presented. But I'm not promising that at this point. These sorts of things are under discussion, but most of that is of the form of what the problems are instead of a clear solution we are happy with.

    Anyway, in conclusion, I think you will find that using, say, a randomly generated password of about 15 characters will be as strong as you could possibly need while you should be able to get one without repeats on the first or second try.
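    As an added example (not 1Password's own generator code), the following Python reproduces the entropy figures from the "A tiny bit of math" section above and the 3-out-of-4 estimate from the previous reply, and shows how a generator can satisfy a legacy no-consecutive-repeats rule by rejection sampling, i.e. the "first or second try" approach, without biasing individual positions.

```python
import math
import secrets
import string

# Bits of entropy for a length-n password where every position is an independent
# uniform draw from an alphabet of size a (repeats allowed): log2(a**n) = n*log2(a).
def entropy_allow_repeats(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Bits of entropy when a character may not equal the one immediately before it:
# a choices for the first position, a-1 for each of the remaining n-1 positions.
def entropy_no_consecutive_repeats(alphabet_size: int, length: int) -> float:
    return math.log2(alphabet_size) + (length - 1) * math.log2(alphabet_size - 1)

# Probability that an unconstrained uniform password happens to contain no two
# equal adjacent characters: each of the n-1 adjacent pairs differs with
# probability (a-1)/a, and the pairs are independent.
def prob_no_consecutive_repeats(alphabet_size: int, length: int) -> float:
    return ((alphabet_size - 1) / alphabet_size) ** (length - 1)

def has_consecutive_repeat(password: str) -> bool:
    return any(x == y for x, y in zip(password, password[1:]))

# Uniform generation with a CSPRNG. The legacy rule is met by rejection
# sampling (regenerate the whole password until one passes), so every accepted
# password is equally likely; the loop bound is an assumption for this example.
def generate(length: int, alphabet: str = string.ascii_letters + string.digits,
             no_consecutive_repeats: bool = False, max_tries: int = 64) -> str:
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not no_consecutive_repeats or not has_consecutive_repeat(candidate):
            return candidate
    raise RuntimeError("no acceptable password generated; alphabet too small for length")

if __name__ == "__main__":
    print(f"52 letters, 12 chars, repeats allowed:    {entropy_allow_repeats(52, 12):.2f} bits")
    print(f"52 letters, 12 chars, no adjacent repeat: {entropy_no_consecutive_repeats(52, 12):.2f} bits")
    print(f"62 chars, 16 long: {entropy_allow_repeats(62, 16):.1f} bits; "
          f"P(no adjacent repeat) = {prob_no_consecutive_repeats(62, 16):.3f}")
    print(generate(16, no_consecutive_repeats=True))
```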

  • bora89
    edited November 12

    It is horrible that you removed that kind of functionality, I have bought 1Password recently and I am disappointed. What is the point of explaining to us how cool it is to have repeatable characters, even if those kinds of passwords are 10 times stronger: I do not care, at all. There are a lot of systems that have the rule of NOT having repeatable characters. It is not about old or new systems, even new ones can be created like that, not all developers made that deep analysis of what is stronger or the opposite. Otherwise you have to travel all over the world preaching your philosophy of what is right and wrong, mathematic not mathematic etc. Guess what is simpler?

    So in conclusion, please bring back that functionality, I like your software so much, I advised it to all my friends. That is a huge inconvenience for us, even if we are, as you said, "a small group of users".

  • brenty

    AgileBits Team Member

    It is horrible that you removed that kind of functionality, I have bought 1Password recently and I am disappointed. What is the point of explaining to us how cool it is to have repeatable characters, even if those kinds of passwords are 10 times stronger: I do not care, at all.

    You may not care, but many 1Password users do...and it is our job to care.

    There are a lot of systems that have the rule of NOT having repeatable characters.

    I have not encountered one in the last decade. That would almost certainly mean that they are storing your password in plaintext, if they care about the composition.

    It is not about old or new systems, even new ones can be created like that, not all developers made that deep analysis of what is stronger or the opposite. Otherwise you have to travel all over the world preaching your philosophy of what is right and wrong, mathematic not mathematic etc. Guess what is simpler?

    You're right. Bad security is often much simpler. But you don't need a password manager for that.

    So in conclusion, please bring back that functionality, I like your software so much, I advised it to all my friends. That is a huge inconvenience for us, even if we are, as you said, "a small group of users".

    We don't have any plans to do that. That checkbox was removed more than a year ago. And, as you can tell from this discussion, there just hasn't been a lot of interest in that. It is only an issue in very limited cases (which you outlined above), and creates weaker passwords to boot. There just isn't a win there.

  • jpgoldberg Agile Customer Care

    AgileBits Team Member

    Hi @bora89, I'd like to focus on just one of the points you made

    There are a lot of systems that have the rule of not having repeatable characters.

    Can you point me to some examples where you are encountering that? If we have substantially underestimated the numbers of sites that have such a restriction in place, we need to look at how best to help users of those sites. As you see from this discussion, a few people have encountered problems, but we have no strong sense of how common it is.

    A broader point

    (I guess I was wrong when I said above that I just wanted to focus on one point.)

    One of the problems with success is that a feature that is useful to, say, only 1% of users is still useful to a whole lot of people. So even if we are correct that only a very small portion of users are running into the problem you and other posters on this thread have encountered, that still is a lot of people who could really do with having that option back. On the other hand, keeping features and options that are each useful to only a small portion of users leads to a horrendous accumulation of advanced options.

    It's always easy to say "one more advanced option isn't going to hurt too much." And while that might be true in any individual case, there are lots of individual cases that add up to a whole lot of complexity and confusion. So while you may feel like your needs are being ignored when we reject or eliminate an option/feature/setting that is useful to you, we make up for that by serving your needs every time we reject some other feature or option that you don't need. There may be a dozen options that are as useful to some people as the no repeats option is to you. But I'm hoping that you see that you would suffer if we offered all of those.
