Suggested feature - selectable / assignable password recipes

We deal with lots of different sites and applications (I've got about 1100 items in 1Password), many of which have idiotic .... errr.... oddly specific, in an entropy-limiting way, password requirements (apparently properly sanitizing inputs and then hashing them is an obscure art, but whatever). 1Password always defaults to whatever recipe we used to create the last password. What we would really like is the ability to create a few generic presets (great for standardization), and have 1Password remember which recipe was used to create each password on a per-item, per-field basis. Additionally, an advanced option to specifically exclude certain characters in a recipe would be helpful for dealing with systems developed by those who lack the confidence to deal with certain punctuation symbols and live in dread fear of visits from the mother of Little Bobby Tables. And finally.... an option to Just Go The Full Random - pick whatever quantity of letters, numbers, and symbols that makes the random number generator happy.


1Password Version: 6.8.8
Extension Version: 4.7.0.90
OS Version: MacOS 10.13.4
Sync Type: Not Provided

Comments

  • Greetings @ecarlseen,

    I believe I was summoned? :tongue:

    I completely understand your point of view. I would personally love a more configurable password generator as well and even just a small handful of customisable presets would likely help in the majority of cases. This topic is one that seems to generate all sorts of opinions and much debate within AgileBits and we still haven't settled on what we should do. One counter is we shouldn't encourage bad password restrictions but I can't help and feel that we're unlikely to have a noticeable impact here so wouldn't it be better that 1Password helps you create a strong a password as each site allows - accept the reality of how things are but always hope the future may be better. If we ever reach that glorious moment where all sites have zero password restrictions we could then happily remove this but until then I would love to see 1Password do more to help.

  • ecarlseenecarlseen
    edited April 2018

    Ok, first of all, creating a littlebobbytables identity makes this the Coolest Vendor Response Ever.

    In a sense this started out as an efficiency issue (having to change the password recipes constantly), but on reflection it's a security issue as well. We want to put the maximum reasonable amount of entropy into a password. Since the current best practices is to store passwords as salted hashes and limit guessing attempts I tend to assume the worst when it comes to sites and systems that start placing lots of weird rules that limit entropy but not guessing attempts. We still regularly (in 2018!) see reports of hacks where lists of passwords are stored as plaintext and I still get password reset emails containing my plaintext password. If everyone even put a minimal effort into following best practices (sanitizing inputs is easy, hashing is easy - these are library functions in almost every dev case) then it wouldn't really matter (and it shouldn't), but they don't and therefore we do what we can to make up for the shortcomings of others. And this would make it much more convenient to do so.

    Also, in fairness, we deal with some systems where it would be a bad idea to limit guessing attempts, and we want to encourage the use of very strong passwords there.

  • ecarlseenecarlseen
    edited April 2018

    I suppose my next request will be to W3C to create an extension to the HTML option for password inputs:

    Then we could automate everything!!!

    (I'm assuming that if sanitizing isn't happening then parameterizing database queries is waaaaaaaaay out there).

  • brentybrenty

    Team Member

    Haha W3C does great work, and accessibility-focused web standards also help 1Password a great deal...when people follow them. :lol:

    You're not wrong about the rest, but keep in mind that even a 20 character generated password using "only" capital and lowercase letters has a level of entropy that pushes brute force attempts way past infeasible, since there isn't yet enough power available to accomplish this on a human timescale. And, if it were my server, I would want to throttle login attempts anyway just to keep things running smoothly. Cheers! :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file