Bug: Same Password in Two Logins Show Different Password Strength

Today I used the browser extension to generate a password and also got a one-time password at about the same time. These were for the same account, but I temporarily had them as two separate logins in 1Password.

Later, I copied the password from the first login to the login that had the one-time password. I saved. I clicked back and forth between the two a few times to make sure I didn't miss anything.

I noticed that in the login where the password was first, the strength bar is filled all the way to the right. For the second login, where I just pasted the password in, the strength bar only goes about 90% of the way over.


1Password Version: 6.8.1
Extension Version: 4.6.11.91
OS Version: 10.12.6
Sync Type: Dropbox

Comments

  • Hey @Logic Bus! The password strength calculator takes how the password was created into account when calculating password strength. It knows that we humans are incapable of creating truly random passwords. Even if we just slam our face on the keyboard, our biases play a role in precisely where we slam our faces, and our faces are only so big on average, meaning we can only cover so much keyboard surface area with our face, limiting character options. As such, a password that 1Password perceives as user-generated (like a password you copy and paste from another entry) will be rated as weaker than one it knows was generated by the Secure Password Generator, even when both passwords are exactly the same. In this case, the strength is technically displaying incorrectly due to how you created your login items, but I hope this helps to explain why the strength calculator works as it does. :chuffed:

  • "technically displaying incorrectly"

  • Lars (Junior Member, Team Member)

    @Logic Bus -- the more serious matter in play here is that we take security very seriously, and when there's no way to properly analyze the true strength of a password, we err on the side of conservatism. There are many other password strength meters available on the web, and while I wouldn't use - and we don't recommend - any of them for real-life passwords (since pasting a password you actually use into such a web form is itself a security risk), if you're truly interested, it is indeed illuminating to see how a given password (say, one generated from 1Password's SPG as a test) is scored differently depending on the algorithms used to assess its strength at different sites.
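
The provenance-dependent scoring described in the replies above, sketched as an added example that is not part of the thread and is not 1Password's actual algorithm. The constants, the adjacent-character pattern rule, the sample password and all function names are assumptions chosen for illustration.

```python
import math
import string

# Character classes a meter can observe in a finished string.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
FULL_BAR_BITS = 100.0         # hypothetical: bits needed to fill the bar
UNKNOWN_ORIGIN_FACTOR = 0.9   # hypothetical discount when origin is unknown


def generated_bits(length, alphabet_size):
    """Entropy when the generator's recipe is known: each of the
    alphabet_size**length possible outputs was equally likely."""
    return length * math.log2(alphabet_size)


def observed_bits(password):
    """Conservative estimate for a string of unknown origin."""
    # The alphabet can only be inferred from the classes that appear.
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if alphabet == 0:  # empty string, or only characters outside CLASSES
        return 0.0
    # Characters that repeat or step by one from their predecessor
    # ("aaa", "abc", "321") are treated as adding nothing.
    effective, prev = 0, None
    for ch in password:
        if prev is None or ord(ch) - ord(prev) not in (-1, 0, 1):
            effective += 1
        prev = ch
    return effective * math.log2(alphabet) * UNKNOWN_ORIGIN_FACTOR


def bar_fill(bits):
    """Fraction of the strength bar that is filled."""
    return min(1.0, bits / FULL_BAR_BITS)


def item_strength(password, generator_recipe=None):
    """generator_recipe is (length, alphabet_size), stored with the item only
    when the built-in generator produced the password; otherwise None."""
    if generator_recipe is not None:
        return bar_fill(generated_bits(*generator_recipe))
    return bar_fill(observed_bits(password))


SAMPLE = "q7R!vT2#mZ9@kL4$"   # constructed sample, 16 chars, 94-symbol alphabet
if __name__ == "__main__":
    print("generated:", item_strength(SAMPLE, (16, 94)))
    print("pasted:   ", round(item_strength(SAMPLE), 3))
```

The same string fills the bar when its generator recipe is stored with the item and falls short of full when it arrives with no recipe, which is the behaviour the original poster observed.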
