Password Strength Inconsistency

jcarroll
Community Member

I was changing some passwords and noticed the strength went up, even though the length remained the same. I thought it was a bit odd. When I edit an item and change the password with the graphical tool, I noticed it only took 20 characters, not even using numbers or special, to max out strength.

While still editing I then inserted a special character at the end, so length was 21 with a special character. If anything, that should make it more secure; instead the strength went down.

Seems like manually entering a password vs using the graphical tool generates two different levels of strength.

More of an FYI as certain websites have low limits and I'll never make them "strong" but thought I'd share.


1Password Version: 6.6.1
Extension Version: Not Provided
OS Version: 10.12.3
Sync Type: None

Comments

  • csmoran9
    Community Member

    Hi jcarroll,

    Depending on the length and the other use of numbers and characters, I too have noticed it will determine your strength. I think it takes all of that into account and I am sure they have tons of data and algorithms that have proven this and so the creator we use takes all of those factors into account.

    Cheers,

    Conor

  • Hi @jcarroll,

    I think you're noticing a change we've made in 6.6. The strength of a password is determined not by the length of it, but by something called the number of bits of entropy: basically how random is this password. The change that was made is that now when measuring the strength of the password we properly take into account the number of bits of entropy where before there was more estimation. In some cases the old formula and the new formula disagree with the result, and in all cases that I can think of, the new formula will report a higher strength than previously. Meaning our old formula was slightly underreporting strength.

    The other thing you noticed is that as soon as you edited the password, its reported strength decreased. This has been the case in 1Password for a long time, and the reasoning is really interesting. In the example you used, there was a strong generated password, and you added a space to it. From our perspective something can't be "mostly random." It's either truly random from our generator, or it's a string that you've provided. So as soon as you edit it, we treat it as a password that you've generated by hand and we have to disregard the fact that it's actually really closely related to the random password we generated. Once we've determined that it's a password that you generated, then we put it through our strength formula for human generated passwords. The strength of a human generated password is never going to have as much randomness as a machine generated password, and so we have to take that into account.

    Strength calculation is really fascinating stuff. The changes in 6.6 will be laying groundwork for changes we want to make there in the future to provide better measures of strength.

    I hope this helps explain things.

    Rick
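
The behaviour Rick describes, as an added example that is not part of the original thread and not 1Password's code: a generated password is scored from its recipe, and any edit sends it to an estimator for user-chosen strings. The estimator is a stand-in adapted from the older NIST SP 800-63 Appendix A rule of thumb (the page does not give 1Password's formula); `generate`, `human_estimate` and `strength_bits` are hypothetical names.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters  # 52 symbols: a letters-only recipe (constructed)


def generate(length, alphabet=LETTERS):
    """Return (password, bits); bits follow from the recipe, not the string."""
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, length * math.log2(len(alphabet))


def human_estimate(password):
    """Stand-in estimator for user-chosen strings (assumption, see lead-in).

    Adapted from the older NIST SP 800-63 Appendix A rule of thumb: 4 bits
    for the first character, 2 bits each for characters 2-8, 1.5 bits each
    for 9-20, 1 bit each after that, plus 6 bits when the string mixes
    upper case with a non-alphabetic character.
    """
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    return bits + (6 if has_upper and has_non_alpha else 0)


def strength_bits(password, generated=None):
    """Score a stored password; `generated` is the (password, bits) record
    kept at generation time, or None for a typed-in password."""
    if generated is not None and password == generated[0]:
        return generated[1]          # untouched generator output
    return human_estimate(password)  # any edit makes it user-supplied


if __name__ == "__main__":
    record = generate(20)
    print(f"generated, 20 letters: {strength_bits(record[0], record):.1f} bits")
    edited = record[0] + "!"
    print(f"edited, 21 characters: {strength_bits(edited, record):.1f} bits")
```

With this stand-in, a 20-letter generated password scores about 114 bits, and the same string with one character appended scores at most 43.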

  • jcarroll
    Community Member

    I see your point, adding a human factor does affect its randomness.

    Thanks for the update, good to know!

  • Drew_AG
    1Password Alumni

    On behalf of Rick, you're very welcome! I'm glad that helped explain what's going on - it was helpful for me too. ;)

    If you need anything else, don't hesitate to let us know. Cheers! :)

This discussion has been closed.