Improved password requirements and usability in Password Generator

edited March 31 in Lounge

Password Requirement Options

It is not uncommon for a website's password requirements to have some arbitrary limitation on what you can and cannot have in your passwords:


Generally these limitations fall into the following categories:

  1. Must be of X-Y length
  2. Must contain at least one number
  3. Must contain at least one Uppercase and Lowercase letter
  4. Must contain at least one symbol
  5. Must contain at least one of a given set of characters
  6. May not contain any of a given set of characters

Of this list, the current Password Generator really only covers category 1. and partially covers 2. and 4. (Allow is not the same as Require, so a randomly generated password still has a chance to fail if short enough. For example: https://i.imgur.com/vPPvBzZ.png).


Proposed additions

It would be nice if we could have an 'advanced options' section that expands the Password Generator with the following:

  • Require upper and lower case.
  • Consider changing 'Allow digit/symbols' to 'Require at least one'. The differentiation between Allow and Require could be a global preference so it wouldn't need to take up additional space in the generator.
  • A whitelist of characters that at least one must be included from (would be a text field).
  • A blacklist of characters that should never be included (would be a text field).

Black and whitelisting will be useful for matching arbitrary limitations such as the one in the screenshot above, and allow you to avoid potential issues.

For example, while working in Finland for a while I had to use a Finnish keyboard, and some symbols are in drastically different locations than my US muscle memory was used to, so I'd have preferred if I could exclude certain troublesome characters from my passwords if at all possible.





Password Delimiters

On a semi-related note, it would be useful to have the option of defining a delimiter that is used to separate longer passwords into more readable chunks. So for example, if I generate a 16 character password: ABCDEFGHIJKLMNOP

I would like to be able to check an 'Add delimiter' option and specify a character, for example an underscore, which is then inserted every 4-6 characters. So the above example might instead be: ABCD_EFGH_IJKL_MNOP which is far more readable and easier to enter by hand.

I see the 'Words' option as being an attempt at addressing the readability issue, but of course many password schemes (see above) don't allow only words. I think the best approach would be to simply add 'Delimited' as a new selectable option in addition to 'Characters' and 'Words'.


Password strength

In the above example the user would have manually increased the length from 16 to 20, since in practice, this does reduce the overall entropy (20 pseudorandom characters vs 16 pseudorandom and 4 more predictable) but the readability benefit would definitely make up for that.

While the argument could be made that ideally you would always either use a browser extension to automatically enter passwords for you, I myself still often find myself having to look up a password on my phone and manually entering it somewhere where I don't have the ability to customize the machine.


1Password Version: 6.4.377d
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
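As an added illustration of the options proposed above (this is example code written for this thread, not 1Password's generator), the following script implements "require" rather than "allow" for each character class, a whitelist that at least one character must come from, a blacklist that is stripped from the alphabet before sampling, and the delimiter option. The symbol set and the 94-character alphabet size are assumptions; `failure_probability` quantifies the "allow is not the same as require" point from the opening post.

```python
"""Requirement-aware password generation (added example, not 1Password code)."""
import math
import secrets
import string

# Constructed symbol set for this example; 1Password's real set is not given here.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform draws from `alphabet_size` characters."""
    return length * math.log2(alphabet_size)


def failure_probability(length: int, alphabet_size: int, required_size: int) -> float:
    """Probability that a password which merely *allows* a class of `required_size`
    characters ends up containing none of them (and so fails a 'must contain' rule)."""
    return ((alphabet_size - required_size) / alphabet_size) ** length


def meets(password: str, *, required_classes, must_include_one_of: str = "",
          never_include: str = "") -> bool:
    """Check a candidate against every requirement."""
    if any(ch in never_include for ch in password):
        return False
    if must_include_one_of and not any(ch in must_include_one_of for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in required_classes)


def delimit(password: str, delimiter: str, group: int = 4) -> str:
    """Insert `delimiter` between every `group` characters for readability."""
    if not delimiter or group <= 0:
        return password
    return delimiter.join(password[i:i + group] for i in range(0, len(password), group))


def generate(length: int, *, require_upper: bool = True, require_lower: bool = True,
             require_digit: bool = True, require_symbol: bool = True,
             must_include_one_of: str = "", never_include: str = "",
             delimiter: str = "", group: int = 4, max_attempts: int = 10_000) -> str:
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    flags = [require_upper, require_lower, require_digit, require_symbol]
    # The blacklist is removed from the alphabet before sampling, so a forbidden
    # character can never appear; the whitelist is enforced as a requirement.
    blacklist = set(never_include)
    pools = ["".join(c for c in pool if c not in blacklist) for pool in pools]
    required = [pool for pool, flag in zip(pools, flags) if flag]
    whitelist = "".join(c for c in must_include_one_of if c not in blacklist)
    if must_include_one_of and not whitelist:
        raise ValueError("every whitelisted character is also blacklisted")
    if any(not pool for pool in required):
        raise ValueError("a required character class was emptied by the blacklist")
    alphabet = "".join(sorted(set("".join(pools) + whitelist)))
    if length < len(required) + bool(whitelist):
        raise ValueError("length too short to satisfy every requirement")
    # Rejection sampling: draw uniformly, discard candidates that miss a rule.
    # Survivors are uniform over the set of valid passwords, which "patch in a
    # digit by hand afterwards" is not.
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets(candidate, required_classes=required,
                 must_include_one_of=whitelist, never_include=never_include):
            return delimit(candidate, delimiter, group)
    raise RuntimeError("requirements too restrictive for this length")


if __name__ == "__main__":
    # Site rule from later in this thread: one of "@ ! $ % ^ * ( )" is mandatory.
    print(generate(16, must_include_one_of="@!$%^*()", never_include="Il1O0|"))
    print(generate(16, delimiter="_", never_include="_"))
    print(f"16 random chars from 94: {entropy_bits(16, 94):.1f} bits")
    print(f"8 chars, digits allowed but not required, no digit: "
          f"{failure_probability(8, 94, 10):.1%}")
```

Two design points: blacklisting the delimiter itself (as in the second call) keeps the inserted separators from being confused with random characters, and rejection sampling rather than forced placement keeps every valid password equally likely. With a 94-character alphabet and digits only "allowed", an 8-character password has roughly a 40% chance of containing no digit at all, which is exactly the failure mode the screenshot in the opening post shows.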

Comments

  • I agree with this. The other day I changed my one password (hahaha 1Password) for an account, and it let me use numbers, letters, and dashes only. I wanted to use the dashes to make it easier if I typed it in, and I feel a symbol helps with strength of the password.

    How I worked around this was make a password with numbers and letters, copied it to the note section for that login, replaced some of the letters with a dash (-), and copied it back to the password area.

  • I would also like to see this. The main thing I encounter is the list of symbols allowed. It would be trivial, and I would be satisfied, to have the option to type in a list of the symbols that I want to allow, as opposed to the originally proposed request of having a black/white list of characters.

brenty

    AgileBits Team Member

    @jeffreydwalter, @prime: Thanks for letting us know! :)

@JohannesMP: And thank you so much for taking the time to share your suggestions for improvements to 1Password's strong password generator! Even though it's pretty gross that websites make us use weaker passwords by doing this, we really want to do something in this area to give more control over the process. It isn't something we're working on now, but I'll share all of this with the team. I'm not sure frankly what a manifestation of all of this would look like in practice, or that it's feasible to include all of this and still keep it user-friendly, but there's definitely room for improvement, and some great ideas here. Cheers! :)

    ref: OPM-1378

  • +1

    Just ran across this list of password requirements - and I need to edit the generated password to fulfill them - What A PAIN!

    In particular the "words" method (which I like) doesn't have a way to change case, add a number or use any of the listed special characters!

    Password Creation Guidelines

    Must be 8 to 16 characters long
    Must contain at least one letter
    Must contain at least one number
    Must also contain one or more of the following special characters: @ ! $ % ^ * ( )

Ben (AWS Team)

    AgileBits Team Member

    Hi @Sorastro,

    Thanks for the feedback. If you have any suggestions on how we could make the words recipe work within these types of requirements, without having an "options" section that is huge, we'd definitely be interested in hearing that.

    In the mean time the characters recipe may be more suited for sites that set these sorts of requirements.

    Ben

Some possibilities off the top of my head: Since sites have length limitations, add a number of characters slider, (let the app choose the number of words or keep the number of words ine.. Have an "integrated Caps" line with a dropdown menu choice from 0 to x characters and the same for "integrated Numbers". Change the separator to a dropdown list and add the missing ones. That would do it for me.

brenty

    AgileBits Team Member

    Thanks for the suggestions! We've got a few ideas as well, so it helps to get a sense of what you're looking for as we develop future versions. Cheers! :)

  • The password generator needs to be able to conform to the websites' requirements. I find it generally useless and use my Keychain generated passwords (unless they also violate the website rules). I find that length and required symbols are the biggest problem. 1Password needs more IQ for site sign-ins, particularly big company ones like American Express, etc.

Ben (AWS Team)

    AgileBits Team Member

    Hi @joethewrangler

The difficulty with that is that there is no standard for websites to define what their requirements are. The only somewhat reliable way for us to do that would be to manually create and update a database with the requirements of, say, the top 1000 companies. But even then that would only cover a very small percentage of the internet, and could very easily become outdated as websites change their requirements. As such this makes this approach fairly unrealistic and impractical.

    One thing we could try would be to offer different options in the password generator that would make it easier to conform to the requirements defined by the website. We have made some improvements there over the years but there is of course still room to improve.

    Thanks for the feedback. It's something we'll keep thinking on.

    Ben

prime

    What websites should do is tell you the requirements for a password. I don't know how many times I made a password and I couldn't use it. Then the website tells you after it doesn't work. Why couldn't it tell me before. Jerk websites lol

Ben (AWS Team)

    AgileBits Team Member

    Indeed. That makes this problem especially difficult to solve. :(

    Ben

prime

@Ben I had one site all went well making the password, and I used 30 random numbers, letters, and characters. So I go back in to the site and said the password was wrong. I tried a few times, nothing. So I did the recovery and when I made a new password, then it told me "must be 8-20 characters long". So what happened was, I made it 30 characters, but it only accepted the 1st 20 characters. When I logged in, it then counted the full 30 characters, prompting the site to tell me it was the wrong password.

    Again if the site told me upfront 8-20 characters, I would have known. Nothing you at AgileBits can do, but I wish the websites would tell us right away.

Ben (AWS Team)

    AgileBits Team Member

    Indeed! That is especially frustrating. I don't recall any first hand experience with something like that but it reminds me of this story:

    Schwab password policies and two factor authentication: a comedy of errors – Jeremy Tunnell

    Sometimes websites just don't handle these things well. We can't fix that for them.

    Ben

brenty

    AgileBits Team Member

Ha! I don't recall when they changed their password policies, but I do remember Khad being super excited about that. Less enthusiastically, I also changed my password to something stronger at that time. But that's a fantastic case study. Schwab may no longer be an offender, but you can swap in the name of many other financial institutions today and tell a similar tale. :angry:

prime
    edited May 8

    Wow @Ben interesting read! Thanks for that link.
@brenty I read an article a few weeks ago about how some banks don't have any restrictions on a password. The password could be "password" and it will be fine in the bank's eyes. I think that's what we were talking about in the SMS thread about 2SA I posted. How people have that "security" and use poor passwords, because they think they are safe due to 2SA.

rickfillion (Junior Member)

    AgileBits Team Member

    That was a super interesting read. Thanks for sharing, Ben. :)

    Rick

Ben (AWS Team)

    AgileBits Team Member

    :+1: :)

    Ben

  • One other password requirement I've run into issues with: no repeating characters. I set the Password Generator to the maximum length a web site allows. Seems that at 50+ characters, MOST passwords 1Password generates contain a repeating character. Example (my first try):

    A4voMXTPqB6i+sZJWALKRgxAA{+FKdygRyRJjZWCqmmNyX7TkQ

    Here, I have an AA and an mm.

    Perhaps a checkbox for no repeating characters can also be added when this utility is improved?

    Thanks,

    Dave

brenty

    AgileBits Team Member

    @dsovereen: Are you saying you've encountered many websites that forbid repeating characters? That's a new one to me. I'm not sure what the point of that would be. It's an option we can consider, but if we add an option for every little restriction out there that websites come up with, I think you can imagine the result. And disallowing repeating characters means less entropy, which makes generated passwords weaker. So it's not something we'd do on a whim.
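To put numbers on the "repeating characters" exchange above, here is an added example (not 1Password code, and the 94-character printable-ASCII alphabet is an assumption) that computes how often a random password of a given length contains an adjacent doubled character like the "AA" and "mm" in Dave's sample, and how much entropy a generator gives up by forbidding them. It also computes the much larger cost of forbidding any character from appearing twice anywhere in the password, since "no repeating characters" can be read either way.

```python
"""Entropy cost of 'no repeating characters' rules (added example)."""
import math

ALPHABET_SIZE = 94  # printable ASCII minus space; an assumption for this example


def has_adjacent_repeat(password: str) -> bool:
    """True if any character is immediately followed by the same character."""
    return any(a == b for a, b in zip(password, password[1:]))


def has_any_repeat(password: str) -> bool:
    """True if any character occurs more than once anywhere in the password."""
    return len(set(password)) < len(password)


def adjacent_repeat_probability(length: int, n: int = ALPHABET_SIZE) -> float:
    """P(at least one adjacent pair is equal) for uniform random characters.
    Each of the length-1 adjacent pairs collides with probability 1/n."""
    return 1 - ((n - 1) / n) ** (length - 1)


def any_repeat_probability(length: int, n: int = ALPHABET_SIZE) -> float:
    """P(some character appears twice anywhere): the birthday problem."""
    if length > n:
        return 1.0
    no_repeat = 1.0
    for i in range(length):
        no_repeat *= (n - i) / n
    return 1 - no_repeat


def entropy_unrestricted(length: int, n: int = ALPHABET_SIZE) -> float:
    """Bits of entropy with no restriction: n choices per position."""
    return length * math.log2(n)


def entropy_no_adjacent_repeat(length: int, n: int = ALPHABET_SIZE) -> float:
    """Bits when each character may not equal its predecessor:
    n choices for the first position, n-1 for every later one."""
    return math.log2(n) + (length - 1) * math.log2(n - 1)


def entropy_no_repeat_anywhere(length: int, n: int = ALPHABET_SIZE) -> float:
    """Bits when no character may appear twice: n, n-1, n-2, ... choices."""
    if length > n:
        raise ValueError("cannot draw more distinct characters than the alphabet has")
    return sum(math.log2(n - i) for i in range(length))


if __name__ == "__main__":
    # Sample password quoted by dsovereen in this thread.
    sample = "A4voMXTPqB6i+sZJWALKRgxAA{+FKdygRyRJjZWCqmmNyX7TkQ"
    print("adjacent repeat in sample:", has_adjacent_repeat(sample))
    for length in (16, 30, 50):
        base = entropy_unrestricted(length)
        print(f"{length} chars: P(adjacent repeat) = {adjacent_repeat_probability(length):.1%}, "
              f"P(any repeat) = {any_repeat_probability(length):.1%}, "
              f"{base:.1f} bits; no-adjacent costs "
              f"{base - entropy_no_adjacent_repeat(length):.2f} bits, "
              f"no-repeat-anywhere costs "
              f"{base - entropy_no_repeat_anywhere(length):.1f} bits")
```

At 50 characters from a 94-character alphabet, roughly four in ten random passwords contain an adjacent doubled character, and nearly all of them repeat some character somewhere, so Dave's observation is expected rather than a generator flaw. Forbidding adjacent doubles costs well under one bit of the roughly 328 bits available; forbidding any repeat at all costs around 23 bits and becomes impossible once the length exceeds the alphabet size, which is the version of the rule that really does weaken passwords.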

  • Not many, maybe a half dozen that have complained out of ~300. So maybe 1% of the times where I have wanted 1Password to generate a maximum strength password (as allowed by the site) but could not meet their criteria using the password generation tool.

    The interface that is there now generates maximum strength passwords for maybe about 85% of web sites with ease. It seems to me that maybe an Advanced button or slide could be added that then expands and offers these additional settings for those of us that want the maximum strength password.

An issue that was mentioned above and accounts for the majority of times that 1Password does not generate a maximum strength password meeting the web site's requirements is the symbol whitelist and blacklist. If a web site says it requires one of the following [insert list here] symbols, and I tell 1Password to generate a password with symbols, it inevitably will contain a not allowed symbol. So then it's a matter of Regenerating until a permissible symbol is put in, or editing the symbol to one allowed. Being able to paste in a list of allowed or disallowed symbols, which normally appears right on the web site and can easily be copied and pasted, would remedy the vast majority of password generator requirement failures.

    Dave

Drew_AG

    AgileBits Team Member

    Thank you for your feedback, @dsovereen! Indeed, although our hope is that more and more websites will stop forcing silly restrictions on their users, there will probably always be some sites that have odd (perhaps even nonsensical) and/or insecure password requirements. The password generator won't be able to conform to the password requirements of every single website out there unless we add so many options that it becomes a confusing, unruly mess. But I think there are certainly some improvements we could make that would help with a large number of sites while still keeping the interface simple and user-friendly, and we'll definitely consider and look into some options for that.

    Thanks again, and have a great weekend! :)

  • If I can hop onto this thread with a comment: My preference is to use the "words" format for the 1Password password generator, but maybe 8 times out of 10 I get rejected for not including a number and/or not including an uppercase letter. Usually I create a "words" password, say "Yes" to 1password saving it, then after being rejected by the website, go to the 1Password entry, edit the password by sticking a digit into a random spot, and resubmitting the form. This makes the whole process much more cumbersome than it should be. A check box for "add complexity" which would uppercase a random letter and insert a random numeral would be really nice.

brenty

    AgileBits Team Member

    @genec00000: It's really best not to use the words option unless you specifically need to (for example, if you have to memorize and/or type a certain password regularly). Character-based passwords of the same length will always be much stronger, and you'll also find that it's easier to meet most sites' password requirements this way as well. So I don't think we want to design around that specific scenario, and this can help you avoid trouble in many cases. Cheers! :)

  • I agree wholeheartedly with the need to improve the current iteration of the password generator to make it easier to satisfy the various wants and needs of all websites (regardless of how silly or arbitrary they may be).

    At the very least, I would dearly love to see the current version of the password generator returned to the same functionality that exists in 1Password4 -- that is to say, a slider to set the number of digits and/or special characters rather than a check box that gives me an indeterminate and random number of them.

    When I finally switched from my beloved 1Password4 to 1Password6, this loss of functionality hit me almost immediately and I gnash my teeth every time I have to generate a new password now. I think I like 6 but I've considered reinstalling 1Password4 just to get that old password generator back.

brenty

    AgileBits Team Member

@Croptop: It isn't something we're able to work on right now, but it's certainly something we can take into account as we do in the future. We want to improve this and also make it more consistent between platforms. But one thing we don't want is for people to significantly weaken their passwords by setting symbols and/or digits to "1". Having these enabled to produce a password with at least one results in much stronger passwords (each character can potentially be one), and it also satisfies common silly password requirements like "must include at least one number and one symbol" without limiting it further.
