Change the Password Generator recipe?

The password generator doesn't work for some sites that require numbers and/or symbols in the password. Is there a way to change the formula for suggestions?


1Password Version: Not Provided
Extension Version: 0.9.7
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • beyer

    Team Member

    Hey @twonine,

    We've just started generating passwords and creating new login items with 1Password for Chrome. I'm pretty delighted to see the progress made thus far, but there's certainly a lot more work to go. User selectable password recipes is a feature that will be added in a future version of 1Password. Our design team has some awesome looking mockups, we just need to get the actual coding done. :)

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Since we're on the subject, how about adding the ability to choose a random number from 0-9 as the word separator (in addition to the usual options of hyphen, period, space, etc)?

  • Uh . . . I guess I'm stupid, but I can't even find the Password Generator feature. What am I missing? Thanks.

  • beyer

    Team Member

    @multiplatformuser: No promises yet since we are designing the new password generator from the ground up, but including at least one number is something that will help on many websites that require a number in a password.

    @shopthor: You're not stupid! It's a feature that we are still perfecting (the password recipes being a good example) and therefore less discoverable. You can generate a new password by clicking the 1Password logo while in a Password field. Then select "Use Suggested Password" from the displayed inline menu. If you already have a Login item for the website you're using, you may need to toggle the inline menu by clicking the 1Password logo. It should look something like so:

  • Yeah I never would have figured that out! How do I change the suggestion parameters? As I'm sure you know, many sites can't handle a password as long as the default! They should, but they don't. And we have to live in the world that we live in.

  • beyer

    Team Member

    @shopthor: The short answer is you can't yet, but we are working on it. :) :+1:

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Isn't that also the long answer? :)

    Thanks for letting me know.

  • beyer

    Team Member

    You're welcome, stay tuned for updates. I hope you have a pleasant weekend. :) :+1:

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Hmm. I have encountered a situation where I don't have the option to set up a new password.

    (1) Share some passwords with wife through common vault
    (2) Wife logs into service X, doesn't do a login, so there is just a free-floating password
    (3) I try to login to service X
    (4) My only option is to enter her password, which obviously I don't want. I can't generate a new password.

    Bleah! If you can replicate, please put it on the list. Thanks so much!

  • Mitch

    Team Member

    Hi @shopthor,

    If you click the 1Password icon to dismiss the list of logins and then click the icon again, you should see the options to save a password or use a generated password in the list. They’re a bit hidden right now while we work on better form detection, so we don’t show them automatically if you already have logins. Sorry for the confusion. :)

  • No problem but I'm glad I asked because I never would have found that!

  • beyer

    Team Member

    We are glad you asked too because it means others will as well. We don't want our inline menu to be too aggressive until 1Password can better evaluate a website and show you the best options to interact with that site. I truly believe you'll see this improve with time as we improve the background logic that happens. :)

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Do you have plans to allow password generation outside of the 1password icon in forms?

    I have the icons disabled as I don't want them, so it's not possible for me to generate passwords with the extension

  • beyer

    Team Member

    We sure do @defiant because you won't be the only one with inline filling disabled.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Forever not alone then :)

  • brenty

    Team Member

    :) :+1:

  • A feature that allows for user customized character sets (down to single character granularity for symbols, not groups of symbols for example) and user defined max password generation length restrictions, on a site-by-site basis, is very important to me. For example, I believe gmail can accept up to 100 character long passwords with few if any restrictions on the special characters (symbols); however, most other sites I use limit the password length to various shorter lengths and often impose restrictions on the symbols that can be used. With dozens to hundreds of accounts a user might have, keeping track of the various site rules from a user perspective is nightmarish, to say the least, when one is trying to maximize password entropy for critical accounts (bank, mail, social security, IRA, etc.).

    There is an app for iOS that allows such saved customized templates (at least for the character sets, but not the length), and it's about the only software I have found that mostly fits my use case need; however, it appears to have some randomness issues and a few other bugs that make me want to use a better alternative. To me, this would be a fantastic feature, IMHO. However, being a developer myself, I understand the types of issues you are up against regarding UI complexity and trying to satisfy the masses that have varying levels of security experience. Still, I think this is an area that would greatly benefit users with a well-thought flexible design.

  • brenty

    Team Member

    A feature that allows for user customized character sets (down to single character granularity for symbols, not groups of symbols for example) and user defined max password generation length restrictions, on a site-by-site basis, is very important to me.

    @Ryzon: Thanks for taking the time to let us know!

    For example, I believe gmail can accept up to 100 character long passwords with few if any restrictions on the special characters (symbols);

    Okay, can I just say, I've loved Gmail from the start. Google can get a bit weird at times, but let's just take a moment to appreciate that Gmail not only revolutionized email, but they've got really solid security and no silly password restrictions. <3

    however, most other sites I use limit the password length to various shorter lengths and often impose restrictions on the symbols that can be used. With dozens to hundreds of accounts a user might have, keeping track of the various site rules from a user perspective is nightmarish, to say the least, when one is trying to maximize password entropy for critical accounts (bank, mail, social security, IRA, etc.).

    Yeah, no one can keep track of per-site restrictions — including us. So our focus is on sane, secure defaults. I remember a number of big names over the years who have removed or relaxed password restrictions, so there is hope. It's getting better. :)

    There is an app for iOS that allows such saved customized templates (at least for the character sets, but not the length), and it's about the only software I have found that mostly fits my use case need; however, it appears to have some randomness issues and a few other bugs that make me want to use a better alternative. To me, this would be a fantastic feature, IMHO. However, being a developer myself, I understand the types of issues you are up against regarding UI complexity and trying to satisfy the masses that have varying levels of security experience. Still, I think this is an area that would greatly benefit users with a well-thought flexible design.

    We're in complete agreement. This sucks for users, and though it's a challenge to find a good way of doing things that gives people more flexibility without making the experience worse, that's exactly the kind of challenge we love, and we're determined to find a solution. Thank you for your feedback on this, and the encouragement. :)

  • Thank you so much for the quick response and the desire of the group to work to find a useable solution to help people...very much appreciated!! :)

  • brenty

    Team Member

    Likewise, thanks for your passion! Have a great weekend! :chuffed:

  • Will we be able to set "default" settings for the generator and make adjustments on a case-by-case basis?

  • brenty

    Team Member

    @kth_singing: Saving settings is something we'll continue to evaluate, but you can already tweak them on a case-by-case basis now:

    They just return to sane defaults that not only provide plenty of entropy, but will also work with most sites.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • I did find that. But I'd like my default to be longer and include symbols. And I definitely like the idea above of being able to select which symbols.

  • brenty

    Team Member
    edited April 23

    I did find that. But I'd like my default to be longer and include symbols. And I definitely like the idea above of being able to select which symbols.

    @kth_singing: We're in agreement that it would be nice to be able to exclude certain symbols, but setting the default to be longer doesn't offer much security benefit at this point due to diminishing returns: we're dealing with infeasibility with regard to brute force attacks either way. Certainly though, if you're making up passwords yourself, longer would be better. Fortunately none of that is necessary with 1Password. ;)

    I'm sorry to do this to you, but I recently wrote a fairly in-depth post which is only peripherally related, but still relevant in many ways to this discussion:

    20 characters is a much better "standard", since even if you're only allowed capital and lowercase letters that's very good entropy:

    log2(52) = 5.7004397181 <- bits of entropy per character
    5.7004397181(20) <- length of password
    = 114.0087944 <- bits of entropy total

    Most websites will also accept a password like that, so it's the default we're using now in 1Password X. That really future proofs things so you don't need to worry about changing all of your website passwords (unless they're compromised). Or you can use a word-based password composed of 8 words for similar effect:

    log2(18000) = 14.135709286 <- bits of entropy per word
    14.135709286(8) <- length of password (words)
    = 113.08567432 <- bits of entropy total

    You'd probably balk at a suggestion to generate 8-word passwords for websites (and, in fact, many websites wouldn't allow that because of the length anyway), but making a character-based password longer is equally unnecessary, even if it doesn't feel that way. What you get with the default alone is not only more compatible, but ludicrously strong. And flipping the switch to use symbols as well on a site which allows it will get you an even stronger password, even though it really isn't needed at that level. Cheers! :)
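
The entropy arithmetic from the post above, extended to the per-site recipes requested earlier in this thread, as an added example (not 1Password's code). It shows how much entropy a "must contain a digit and a symbol" rule costs when the generator stays uniform over the passwords a site accepts. The function names, the `SITE_CLASSES` recipe and its symbol set are hypothetical, and the character classes are assumed not to overlap.

```python
import math
import secrets
import string
from itertools import combinations


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from a pool."""
    return length * math.log2(pool_size)


def constrained_entropy_bits(classes: list[str], length: int) -> float:
    """Exact entropy when every class must appear at least once.

    Counts the acceptable passwords by inclusion-exclusion over the sets of
    classes that could be missing, then takes log2 of that count.
    """
    total = sum(len(c) for c in classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            remaining = total - sum(len(c) for c in missing)
            count += (-1) ** k * remaining ** length
    return math.log2(count)


def generate(classes: list[str], length: int) -> str:
    """Draw uniformly from the acceptable passwords by rejection sampling.

    Rejecting whole candidates keeps the result uniform; forcing one
    character per class into fixed positions would not.
    """
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


# Hypothetical site recipe: letters, digits, and only the symbols the site accepts.
SITE_CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
                string.digits, "!@#-_"]
```

For the recipe above at 20 characters, the "one of each class" rule costs well under one bit compared with drawing freely from the same 67-character pool.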

  • la1pass
    edited November 20

    Hi - small Bug / Issue report:

    Changing the 1Password Menu > Password Generator settings doesn't change the passwords generated by 1Password in the Edit Box fields of the website - those are still way too long with random characters, which can make them unusable for various reasons (e.g. if you have to enter on a phone) - after all 20char pw with complex symbols are not warranted for a discussion forum.

  • brenty

    Team Member

    @la1pass: That's interesting. Usually we get the opposite feedback: people want passwords longer than 20 characters. 20 random characters is more than sufficient though, security-wise, and compatible with most websites' policies, so that's the default we're using for now.

    Anyway, this is a discussion in the 1Password X category of the forum, about 1Password X. But it sounds like you're using 1Password for Windows or 1Password for Mac. It won't apply to those. You can use the 1Password desktop extension instead if you want it to share settings with the native app:

    https://support.1password.com/1password-extension/

    1Password X operates on its own, solely within the browser. It has no connection to apps you use elsewhere. Its Suggested Password feature always uses the same preset. If you want to create a password with different criteria, you can open 1Password X from the toolbar icon in your browser and use the Password generator there:

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Thank you for getting back - I am using 1Password X 1.12.3 for FF.
    "Its [1PWX] Suggested Password feature always uses the same preset." I think that this is the critical sentence - i.e. the suggested PW ignores the user settings in 1PWX Password Generator?

    Here are my Password generator settings:

    But the suggested passwords are still very long e.g.:

  • brenty

    Team Member

    @la1pass: Right. Like I said,

    Its Suggested Password feature always uses the same preset. If you want to create a password with different criteria, you can open 1Password X from the toolbar icon in your browser and use the Password generator there:

    The Password Generator will remember your last settings, and you can tweak it if you need to before clicking "copy" or "fill" as well.
