Many web sites want specific symbols in passwords

1Password's password generator lets you control whether your password should contain "digits" and "symbols". The problem is that in my experience, most sites that ask you to include symbols in your passwords really want you to include some limited subset of symbols. Furthermore, every site has its own idea of what the acceptable symbols are. This dramatically reduces the usefulness of the 1Password password generator.

In practice, what I usually do is to have 1Password generate a password; copy it into a text editor; go through it, replacing the symbols that 1Password chose with symbols in the site's acceptable symbol set; copy the password back out of the editor; and paste it into the web site's password entry fields. Ugh.

What is really needed is an additional field in the password generator to let us optionally specify a restricted set of acceptable symbols.

Yeah, ugly. It makes an already complicated dialog even denser. But: is a simpler interface that only works half the time really better than a more complicated, more general interface?


1Password Version: 6.5.3
Extension Version: Not Provided
OS Version: OS X 10.11.6
Sync Type: iCloud

Comments

  • littlebobbytables

    AgileBits Team Member

    Hello @NeilFaiman,

    We have a feature request filed for this and I've added your support for seeing something better than what we have. Pages that insist on symbols from an accepted list are a pain and I understand your annoyance here.

    While it won't offer much in the way of relief, it is possible to reduce the steps you make at the moment. When you use the Password Generator from inside the 1Password mini menu, it is possible to directly edit the password in the displayed text field. It comes with the benefit that when you either click copy or fill, 1Password will make a record of the edited password rather than the one it generated. It will save switching to a text editor, a small gain but hopefully still a gain.

    I can imagine a number of things that I would personally find useful but there is always the consideration of risking making something too complicated. Still, I would hope there is a design that would allow people better control whilst not moving the entire feature out of reach of people that wouldn't consider themselves power users of 1Password and I don't think we're going to see these silly password restrictions on the sites we need to use go away any time soon either.

    ref: OPM-1378

  • One half-way suggestion ... Go survey a batch of sites with silly special character restrictions. See if there is a useful common subset across the vast majority of them. If so, offer one additional checkbox: Restricted symbols. It might be only half a dozen characters by the time you were done, but if "Unrestricted symbols" worked for half of all sites, and "Restricted symbols" worked for 90% of the remainder, it might be worthwhile.

  • jxpx777 Code Wrangler

    AgileBits Team Member

    That's certainly an interesting idea. We have been discussing this situation for a while and hopefully we'll arrive at an elegant solution that works for everyone. In the end, though, it's my hope that we see improved password policies more widely adopted. I would recommend that you reach out to sites that are overly restrictive about their password requirements and encourage them to remove them. If they're properly escaping the special characters and using hashing algorithms for storing their passwords (Sadly, not two practices that we can assume for every site…), then there should be no reason to arbitrarily limit the length or character content of the passwords. Whenever I see arbitrary password rules, I immediately suspect the site is not properly protecting my data. Whether that's true or not is unknowable without more information, but it sets off my spidey sense every time.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • Agreed, 100%. I have exactly the same negative perception of anyone with a password character restriction: "What, they don't know how to sanitize web input? What else don't they know?"

    But you'll notice that most of them make it remarkably difficult to send web site feedback. They really don't want to know. (I use a website for a major investment company that requires an eight-to-ten alphanumeric character password — and then recommends that you should use ten characters for maximum safety!!! Web site feedback link or phone number? Not a chance.)

  • littlebobbytables

    AgileBits Team Member

    We'll have to be careful about starting down this path, I'm sure we can all bring dozens of horror stories and I've got a handful that instantly spring to mind :lol:

    I hope we can do something better though given 1Password does need to help you and us work with websites as they are rather than an ideal website of which there aren't nearly enough.

  • I brought up the special character issue a while back and it has been asked a number of times since. It would be nice if there was an editable password list in the preferences so this could be controlled. Maybe list them all with a check box next to each one?

    My solution is to keep clicking on the generate password until one comes up with an =, $, or % character that is almost always safe. I usually only use one or two. I have gotten used to doing this so I rarely have an issue and they go through on the first try.

  • littlebobbytables

    AgileBits Team Member

    Hi @doctormo,

    It has been an ongoing request and we make sure every person's comments are noted to highlight this is still very much in demand. While the interface isn't perfect by any means, I quite like PwGenerator for their take on this. The word Symbols is clickable and brings up a small editable field. Now it's just a personal thing, but something neither it nor 1Password does that I really want is for the generation of a password with no character bias. The ability to allow the symbol set to be altered and random selection from the pool of allowed characters would be great. Even if we don't see my hopes being filled, I do hope we can find something to help all the people that have contacted us about this.

    I've added your comments to the feature request by way of a record to show the continuing interest in this.

  • Thanks for keeping it alive.

    I agree with "randomness of selection" but sometimes this is out of our control since too many characters are reserved for other things. We can thank DOS for some of this.

    I suggested at one time just having a toggle for a "safe set" of symbols that would work on 95% of the sites. It seems that I always find one somewhere that has a very restricted list of characters and I have to manually deal with it.

  • As a safe set example, I found this list on an IBM site for "Under normal circumstances a valid user ID and password can contain the following characters..."
    Exclamation point {!}
    Open parenthesis {(}
    Close parenthesis {)}
    Dash {-}; this character is not supported as the first character in the user ID or password
    Period {.}; this character is not supported as the first character in the user ID or password
    Underscore {_}; this is the only supported special character in IBM i
    Grave accent {`}
    Tilde {~}
    Commercial at {@}
    Hash mark (or pound sign) {#}

    I normally think of the symbols above the numbers on a keyboard as being safe but they are more restrictive by leaving out a few more.
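The two ideas raised in the comments above (an editable symbol set with unbiased selection from the whole pool, and a restricted "safe set" such as the IBM list) can be combined as in the following added example, which is not part of the thread and is not 1Password's or PwGenerator's code. The function names, defaults and the "at least one digit and one symbol" rule are assumptions made for illustration; only the symbol list and its first-character restriction come from the post above.

```python
import math
import secrets
import string

# Symbols quoted in the IBM list above; '-' and '.' are not allowed first.
IBM_SYMBOLS = "!()-._`~@#"
NOT_FIRST = "-."
ALNUM = string.ascii_letters + string.digits


def build_pool(symbols):
    """Letters + digits + the caller's symbols, each character once.
    Letters and digits passed in `symbols` are dropped (already in the pool)."""
    extra = [c for c in dict.fromkeys(symbols) if not c.isalnum()]
    if any(c.isspace() or not c.isprintable() for c in extra):
        raise ValueError("symbols must be printable, non-space characters")
    return ALNUM + "".join(extra)


def generate(length=20, symbols=IBM_SYMBOLS, not_first=NOT_FIRST,
             require_digit=True, require_symbol=True, max_tries=10_000):
    """Draw every position uniformly from the pool with a CSPRNG, and redraw
    the whole candidate if it breaks a site rule (rejection sampling), so the
    result is uniform over the passwords that satisfy the rules."""
    if length < 2:
        raise ValueError("length must be at least 2")
    pool = build_pool(symbols)
    allowed_symbols = set(pool) - set(ALNUM)
    need_symbol = require_symbol and bool(allowed_symbols)
    for _ in range(max_tries):
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if pw[0] in not_first:
            continue  # site rule: restricted first character
        if require_digit and not any(c in string.digits for c in pw):
            continue
        if need_symbol and not any(c in allowed_symbols for c in pw):
            continue
        return pw
    raise RuntimeError("rules too strict for this length and symbol set")


def entropy_bits(length, symbols=IBM_SYMBOLS):
    """Upper bound in bits: length * log2(pool size), before rule filtering."""
    return length * math.log2(len(build_pool(symbols)))


if __name__ == "__main__":
    print(generate(), f"{entropy_bits(20):.1f} bits (IBM set)")
    print(f"{entropy_bits(20, string.punctuation):.1f} bits (all ASCII symbols)")
```

Patching an already generated password by hand, or placing one symbol at a fixed position, skews the distribution; redrawing the whole candidate does not.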

  • brenty

    AgileBits Team Member

    I normally think of the symbols above the numbers on a keyboard as being safe but they are more restrictive by leaving out a few more.

    @doctormo: That sounds about right, though I'd add an addendum: "A U.S. English keyboard". It gets a lot more complex when we take into account other layouts and the various accented characters that are very common in other languages. :dizzy:
