How do you adjust the parameters of the "Suggested Password" generator?

I just signed up for 1Password and installed Chrome ext 1.5.0. In trying to update a password, I'm forced to included a symbol, but I can find no options for the password generator.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:no options for password generator in Chrome

Comments

  • Hi @Sunflyer,

    You joined us at just the right time! The newest beta version of 1Password X has a full-featured password generator which lets you adjust the settings to include symbols (and much more).

    image

    We're getting ready to share this crucial feature with everyone, but if you can't wait, you're very welcome to try out the 1Password X beta and let us know what you think:

    https://chrome.google.com/webstore/detail/1password-password-manage/khgocmkkpikpnmmkgmdnfckapcdkgfaf

    Cheers,
    -Mitch

  • netname
    netname
    Community Member

    Is there a reason why 1Password X and the regular 1Password extension does not have this in-line?

    Lastpass, a free competitor, had this for a very long time with deep customization. 1Password seems fragmented from product to product, even though I'm paying $3 a month.

  • Mitch
    edited February 2018

    Hey @netname,

    It's a good question why we avoid showing advanced features inline on webpages. Our approach to this comes from two places:

    1. Security: Inline components are susceptible to phishing and DOM-based attacks, and the more powerful and complex the component, the harder it is to secure. LastPass and others have been vulnerable to serious exploits involving inline frames. We take this risk seriously, and as a result, we're very careful about what we allow our inline components to do.

    2. Usability: Inline components take up RAM and CPU cycles, often on every page load and sometimes even when they're not being rendered. They can also be obtrusive and interfere with your view of a page. We aim to be a good citizen of your browser and not slow it down or get in your way, so we tread lightly here and only show inline features which we think most people will need most of the time.

    For both of these reasons, 1Password X puts features like the full-featured password generator in the extension pop-up, where these concerns don't apply in the same way. We think it's a good balance that still allows power users to have the customizability they desire.

    Would you like to see more features or customization options in the password generator in 1Password X? I'd enjoy hearing about them.

  • netname
    netname
    Community Member
    edited February 2018

    Thank you for the explanation.

    Isn't 1Password's suggested password an inline component? The only visible difference with LastPass, is that they allow the suggested generated password to be customizable.

    Security: Inline components are susceptible to phishing and DOM-based attacks, and the more powerful and complex the component, the harder it is to secure. LastPass and others have been vulnerable to serious exploits involving inline frames. We take this risk seriously, and as a result, we're very careful about what we allow our inline components to do.

    Just because LastPass' implementation is vulnerable, doesn't mean the that all inline components and features are. The link that you provided is only an issue with the Firefox extension, apparently.

    Usability: Inline components take up RAM and CPU cycles, often on every page load and sometimes even when they're not being rendered. They can also be obtrusive and interfere with your view of a page. We aim to be a good citizen of your browser and not slow it down or get in your way, so we tread lightly here and only show inline features which we think most people will need most of the time.

    I don't think this would be a huge concern, considering the fact that these inline components would only show up on registration forms and login pages. Thus impact would be minimal.

    Would you like to see more features or customization options in the password generator in 1Password X? I'd enjoy hearing about them.

    Yes, other than the fact that the non-beta 1Password X does not have a password generator (unlike the regular 1Password extension), it would be nice to have a bit more customization features. I would even want to see the suggested password be more customizable (like LastPass). Currently, it is just letters, and does not use any symbols.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited February 2018

    Isn't 1Password's suggested password an inline component? [...] I don't think this would be a huge concern, considering the fact that these inline components would only show up on registration forms and login pages. Thus impact would be minimal.

    @netname: That's a pretty bug assumption, and not one we're comfortable making. Even if you would be for your purposes, it's our job to sweat the details because they can impact all 1Password users. I think you misunderstood Mitch's point. Complexity is the enemy of security, since that can introduce bugs, and bugs can be exploited to make software vulnerable. So we're going to be careful adding anything, especially in the browser, which is a rather popular attack surface.

    Yes, other than the fact that the non-beta 1Password X does not have a password generator (unlike the regular 1Password extension), it would be nice to have a bit more customization features. I would even want to see the suggested password be more customizable (like LastPass). Currently, it is just letters, and does not use any symbols.

    That's what we started with since it 1) allows for compliance with most website's password restrictions and 2) including upper and lower alpha offers great entropy at the same time, but as you already know we're adding more capabilities as we go. Thanks for letting us know specifically what features you're looking for us to implement! :)

  • auchEnia
    auchEnia
    Community Member

    Would it be possible to retain the last config? If I open the extension and change the password recipe, close the extension and open it again, the recipe is back to the default one. Also we cannot specify the number of special characters and numbers like it was possible before the X version.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Would it be possible to retain the last config? If I open the extension and change the password recipe, close the extension and open it again, the recipe is back to the default one.

    @auchEnia: It's definitely possible, but that's intentional. We'll be listening to feedback, but this is the direction we're headed in right now: using sane defaults rather than having the extension remember settings that are either too weak security-wise or too strong for the majority of sites. You're free to tweak it as you see fit when creating a password, but, for example, retaining the settings just encourages users to continue generating weak passwords after they have to lower it for one site. Dave went into much greater detail about this in the beta thread.

    Also we cannot specify the number of special characters and numbers like it was possible before the X version.

    Correct. That has a negative impact on entropy, so we're moving away from that, to a box to either allow or disallow. After all, most sites require that you have at least one digit and/or symbol, rather than specifying an exact number. Cheers! :)

  • Ashokleyland
    Ashokleyland
    Community Member

    Hello,

    @brenty I totally understand your point but here is something confusing for the user : you set a a length of 30 characters in the extension for whatever reason and the next registering form you apply, 1passwordX is generating a password with a length of 20. At least, that's what happened to me.

    Is it a bug or intentional ? If intentional, does that mean that 1password consider 20 as a safe length even if you set it higher ?

    To me, it would be more consistent if the password generated is matching the option you chose. At least, less confusing.

    Regards

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Ashokleyland: If you're using the inline 1Password X menu's Suggested Password feature, that's very much intentional. We use sane defaults there that are compatible with most sites and strong. You can always open 1Password X using the browser toolbar (or keyboard shortcut), and the full features Password Generator there will remember your settings, completely separate from the Suggested Password feature. I'm sorry for any confusion, but does that help?

  • Ashokleyland
    Ashokleyland
    Community Member

    Well, I don't know if it's less confusing (for the average user) but now I know how it works ;)

    Thanks for your answer @brenty

  • AGAlumB
    AGAlumB
    1Password Alumni

    Well, I don't know if it's less confusing (for the average user) but now I know how it works ;)

    @Ashokleyland: Haha good point! Not long ago the Password Generator behaved the same way: you could adjust things there, but it always defaulted to the same setup as Suggested Password. That was consistent at least (and perhaps less confusing for some), but we changed this because a lot of people told us they'd rather that the Password Generator retain their settings. We'll continue to adjust things over time though, so thanks for the feedback!

    Thanks for your answer @brenty

    You're very welcome! I hope you're having a great week, and we're always here to help with anything else. :chuffed:

This discussion has been closed.