Can the password generator be improved to create better passwords?

helpmeifyoucan
Community Member
edited April 2023 in 1Password 7 for Windows

I have written several times about this subject. I don't know that anybody else finds this important or a problem but, I sure do. For example, I tried to create a password for a site but the generator was unable to do it. The site required upper and lower case letters, numbers and symbols. However, it would not accept every little symbol there is. Well, I regenerated and regenerated but there was no way it could create a password for this site.
I like to use symbols in my passwords but, I don't even try with this generator because it uses so many symbols that no place accepts. And just using digits sometimes I can try a 20 digit password and not get one number in it. I think that's crazy. I know you'll give me some scientific reason for this but that just doesn't matter I want a generator I can create an acceptable password with. I know it can be done, I've seen it.
1PASSWORD is hands down the best password manager but can't we still improve it?
I'm really not sure why no one else seems to be bothered by this but I just hate it. PLEASE HELP!!


1Password Version: 7.0.532
Extension Version: 4.7.0.90
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • dmds99
    Community Member
    edited April 2018

    I like the way it works now and I think it is correct. If a particular website is poorly designed and won't accept certain characters, my suggestion would be to uncheck the box for symbols, generate a password with letters and numbers only, and then manually type a couple of their "acceptable" symbols in. (The password field in the generator is editable.)

    I don't think it is reasonable expectation that the software could always know what characters a particular site might find "acceptable." So the alternative would be some kind of interface where you can specify the types and quantities of required and accepted characters. Then the user would have to tweak those options for every site. To me this seems like even more work than my suggestion above. (which was to simply type a $ or % or whatever in the middle of the password field somewhere.)

    I believe the chance of no digits in 20 characters is just 3% per try or 99.9% chance to get a password with at least one digit within 2 attempts. In my opinion, this is as it should be - completely random. If you want even better luck you can go more than 20 characters.

    For my own rant, any site that won't accept certain characters or wants to limit the password length is immediately suspicious to me. It raises in my mind the thought that their developers don't know how to sanitize the input and possibly they aren't hashing the password before they store it. I would question my use of that site before I second guessed my randomized password generator. If their back end programmers aren't incompetent, then their user interface designers are at the least.

    Anyway, I'm sure the company has its own response. I'm just another customer voicing support for how it works now and hopefully providing a helpful tip about how I'd use it.

  • helpmeifyoucan
    Community Member

    I know you would come up with some scientific reason to justify your crazy generator. I've tried to remove symbols from the generated password with no luck. So maybe I'll figure out how to change the password that was generated. Then it comes to why not just make my own if yours don't work without having to adjust them. And by the way, there are a lot of sites that only allow 20 characters. And a lot more that don't allow all those crazy symbols. Maybe on your high tech mountaintop, you can do whatever but down here there are some rules.
    Also, sometimes you must manually enter these passwords. Good luck trying to figure out what all those little characters are in that 50 character password.
    Well, I'll end by saying if I can somehow tweak the generated passwords great. But I do believe the generator can be improved but for some reason, you've put your foot down and said this is mine and I like it and no one is going to change my mind. Enter ego.
    All that aside I still think 1PASSWORD is the best.

  • dmds99
    Community Member

    It's not "mine" - as I said just a customer.

    I said "add" a symbol not remove it.

    I agree 1password is the best. If anyone can figure it out then it is them.

  • helpmeifyoucan
    Community Member

    Sorry, I thought you were them. I just think they could make a password generator that makes good safe passwords that have letters, numbers, and symbols but are a little more practical or should I say useable.

  • dmds99
    Community Member

    I'll repeat I don't work for the company. I didn't mean to give that impression if I did.

    Anyway,

    I'm sure it's not original, but I did have one more idea which would be to have another checkbox to "avoid _____ characters" - fill in the blank with some word to describe characters that are commonly rejected by (bad) websites. You used the word "crazy symbols" so maybe the checkbox would be "Avoid crazy symbols" and then it would limit to just the most basic symbols such as !@#$ etc.. but even then, some of those symbols might be rejected by a particularly bad website. (My educated guess is this would take about 2 minutes to code and test this feature once the list of symbols was agreed upon - so maybe this was already rejected as confusing UI.)

    Such a change also raises the chances of running into the problem you already mentioned (about not getting any symbol when you want it). If there are too few symbols available after removing the _____ ones, then there is a higher chance of not getting any symbols. So now you may need another option to force a minimum number of symbols from each category. I don't know if it is a slippery slope, but there is potential. If it isn't an option to have the symbol, but it is forced to have representatives from each category then it's somehow not as random and I think random is better.

    For picky sites, both of these issues are solved by my initial suggestion to generate alphanumeric only and then add your own symbols into the password if they are required but the site is too picky to allow 1password to make arbitrary symbols. So I still like that suggested approach I mentioned when I have to deal with this type of site. I really thought it to be a helpful suggestion.

    Anyway, many people do like having more options and toggle buttons, etc. I know I would play with them if they were there. (even knowing random is better.) Someday, I imagine there could be a way for the password generator to use AI and read the page to figure out what it wants. Some sites have a box that explains the rules if you're lucky. (My bank does not explain it in advance - they just reject a password and only say the reason after the fact! Even worse is when a bank DOES take the password, and then Quicken won't let me use same password for automatically connecting to the bank because Quicken thinks the bank wouldn't like the symbols (outdated rules in Quicken?)... annoying!) I think it would be better for sites to just accept your password is your password, maybe enforcing only a minimum length, but assuming that won't happen then this is the next best thing.

    Anyway, my 2 cents - do wait to see what the company says. Although I did go and read their response on your other post which was that they appreciate the feedback and are thinking about these issues on some level already. For all I know, something may be in the works.

  • helpmeifyoucan
    Community Member

    All I'm trying to say is that I would like a PW generator that will make passwords I can use. And the fact is if I want to make a password for my bank accounts and have symbols in the mix this generator can't make one the bank will accept. Call them what you want but these are the kind of sites I use. And there are many, many other sites the same way.
    So I really don't care if the passwords are pure scientific marvels, I just want them to be good and usable.

  • dmds99
    Community Member
    edited April 2018

    Put like that, it sounds good to me. Probably someone smart will figure it out.

    Obvious tricky part is that every website is different about what they will let you use for a password. If a site will let you use a great password, I want to be able to generate that great password. But then some other site won't let you use it. So it seems there must be a way to make "just okay" passwords too.

    For now, that means I start with simple alphanumeric and then add some symbols myself. Now I'm warming up to think another checkbox could also help, probably. ("allow crazy symbols / no crazy symbols")

    The hardest part of that seems like researching to figure out the list of crazy symbols to remove that gives you compatibility with highest number of websites while still having a good number of symbols. And accepting the fact that some websites will still have trouble because they won't agree with each other. (e.g. one site allows only #%$() and another site allows only @!*^?.. Then you can't please both sites with just a checkbox.)

    I think it's a very small number of symbols that are allowed on "almost all" websites. Some questions to agilebits if they have done such research.

    1. What % of websites will accept passwords from some mode of the current password generator?
    2. What % of websites is "good enough" as answer to #1?
    3. How many symbols can you allow with a checkbox to cover N% of websites? Higher N means fewer symbols. My guess is for high enough N it might be only 3-5 symbols that would work for all of them.
    4. Should we / how can we encourage websites to adopt better policies long term while accommodating their policies with flexible tools in the short term? (Some sites still won't let you paste a password, same thing!)

    Already the options present (customized length, toggle for digits, toggle for symbols, toggle for ambiguous) show there was thought put into this. And most likely there are other threads if I bothered to search :)

    Anyway, I've clearly put too much thought into this for a Saturday night. I'll try to remember and check back tomorrow to see if someone from agilebits added anything.

    [[ Last idea would be a checkbox and "Limit symbols to: ________" where the user can type or paste the list of acceptable symbols. Borderline complicated but should cover everything I can think of at the moment.. ]]
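
The "Limit symbols to: ____" and "force a representative from each category" ideas from the comments above, sketched as an added example (not 1Password's code and not posted by anyone in the thread). The names `generate` and `complies` are hypothetical. It rejects and redraws instead of planting required characters at fixed spots, so every compliant password stays equally likely.

```python
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits


def _classes(allowed_symbols):
    """Character classes for a site policy: letters, digits, user-listed symbols."""
    symbols = "".join(sorted(set(allowed_symbols)))  # de-duplicate so no symbol is weighted twice
    if any(c.isalnum() or c.isspace() for c in symbols):
        raise ValueError("allowed_symbols must contain symbols only")
    return [LOWER, UPPER, DIGITS] + ([symbols] if symbols else [])


def complies(password, allowed_symbols=""):
    """True if the password uses only permitted characters and has one of each class."""
    classes = _classes(allowed_symbols)
    used = set(password)
    return used <= set("".join(classes)) and all(used & set(c) for c in classes)


def generate(length, allowed_symbols="", max_tries=10_000):
    """Draw uniformly from the pool and retry until every class is represented.

    allowed_symbols is the list the user typed or pasted from the site's rules;
    an empty string gives the "alphanumeric only" mode.
    """
    classes = _classes(allowed_symbols)
    if length < len(classes):
        raise ValueError("length is too short to hold one character of each class")
    pool = "".join(classes)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if complies(candidate, allowed_symbols):
            return candidate
    raise RuntimeError("policy too restrictive for this length")


if __name__ == "__main__":
    # Constructed policy: a site that accepts only these four symbols, 20 characters max.
    print(generate(20, "!@#$"))
    # Alphanumeric-only mode.
    print(generate(20))
```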

  • AlwaysSortaCurious
    Community Member

    I know I’ve seen them comment that the new design is currently their preferred approach. High entropy passwords only. For the most part I am ok with it, if I find a site that gives me grief (too many oddball chars or too many rules) I just generate a longer alphanumeric and add what I need (a special and a cap), so it becomes a little longer.

    Special chars don’t buy you much when you are willing to go longer. 8 character password with full keyboard is much smaller (fewer possible keys) than alphanumeric at 9. Crazy, but true. Gets crazier as you get longer.

  • AGAlumB
    1Password Alumni

    @helpmeifyoucan: Sorry it's taken so long for any of us to follow up here. You folks have been having such a great discussion without us that it kept getting pushed up the top most recent posts. So, kind of a mixed bag. Thanks for your patience. :)

    Anyway, the short version for anyone who wants it is that the way the password generator works in 1Password for Windows now really is the "correct" way, since it will give the most secure passwords, which will be harder to crack. And generally the best advice I could give in cases where website policies make things tougher than they need to be is this: start with an "ideal" password and then add something to it if absolutely necessary... But of course nothing is ever that simple. So, if you'll indulge me, come along with me now and we'll dig deeper.

    You and others here have raised a lot of good points, but I think this is the fundamental question here:

    1PASSWORD is hands down the best password manager but can't we still improve it?

    "Correct" doesn't mean it's the only way, or that it can't be built upon. We like to think 1Password is the best because of how much passion and effort we put into it, but ultimately that's subjective. What means the most to us is when someone like you, as our customer, has not only such positive feelings for our work, but also that you care so much about making it better. 1Password isn't perfect because neither are we. And perhaps we see its flaws more than anyone. Our work will never be done, so it's really helpful to us to get feedback like this about pain points so we know what areas might require our attention. So, thank you. :)

    I know you'll give me some scientific reason for this but that just doesn't matter I want a generator I can create an acceptable password with. I know it can be done, I've seen it. I'm really not sure why no one else seems to be bothered by this but I just hate it. PLEASE HELP!!

    You're definitely not alone. But as @dmds99 noted,

    I like the way it works now and I think it is correct. If a particular website is poorly designed and won't accept certain characters, my suggestion would be to uncheck the box for symbols, generate a password with letters and numbers only, and then manually type a couple of their "acceptable" symbols in. (The password field in the generator is editable.)

    I think the rest of their comments there are worth a read too for anyone else who visits this discussion, and I thank dmds99 for saving me a lot of typing (yet still I will probably fill this box)...

    However, I think it's important to acknowledge that this situation isn't ideal, and we're very much aware of that. As mentioned already, the root of this problem is the terrible practice of "password requirements" that some websites continue to institute even in 2018. But, at the same time, the flipside of that is that since we cannot change them, it would be nice at least if 1Password could do more to help in these cases. That's problematic on a number of levels though, since no two sites are alike, both with regard to length and composition, and there is no way for 1Password to really compensate for that on its own. It's our problem because it's your problem though, since you're our customer as a 1Password user. But it's also our problem as we have trouble with these kinds of websites too — and, arguably more than most, since we often live in our browsers and test this stuff constantly.

    So, while for now your best bet is to generate the best password you can using 1Password and then add something to it if you need to, I appreciate that may seem a bit unsatisfying, perhaps even scary. But let's take a step back and consider a few important points you raised:

    Then it comes to why not just make my own if yours don't work without having to adjust them.

    Having 1Password generate the password to begin with means it can be truly random, and the most difficult to guess for its length and composition. If you create a password yourself, it's going to be weak, not because there's anything wrong with you personally, but simply because you're human, and humans are not capable of true randomness; we have biases. That's why social engineering is so popular — and successful. We can bend the rules, cheat, or just plain give in and say, "Oh okay, you don't remember your password so I'll reset it for you this time." Similarly, I found that when I create passwords or PINs myself, I prefer some letters, numbers, and symbols more than others. Computers don't do that. They just pick a character at random from the complete pool for each position, and repeat until it's complete.

    And by the way, there are a lot of sites that only allow 20 characters.

    That sounds bad, but we're in pretty good shape even in that case. 20 randomly-selected characters from a pool of capital and upper-case letters alone is enough to push the difficulty of brute forcing a password far out into infeasibility, so if that's the best you can manage with a site, you're still okay. If you can also add digits and symbols into the mix — randomly, using 1Password — that's just icing on the cake. And adding a symbol or something manually to it to satisfy a requirement doesn't leave you any worse off at least.

    And a lot more that don't allow all those crazy symbols.

    Indeed. That's more problematic since some sites want to have their cake and eat it too: they require some symbol(s) but only allow certain ones. There's just no way for 1Password to automatically detect anything, so it's going to be incumbent on the user to manage this regardless of the method. We have some ideas about how we could offer an exclusion option, but presenting it in a way that's helpful is challenging.

    Also, sometimes you must manually enter these passwords. Good luck trying to figure out what all those little characters are in that 50 character password.

    There's an app for that! Seriously, word-based passwords are perfect in those cases, and 1Password can generate those for you too. And, whether you're using a character- or word-based password, you can use the Large Type option to view the password on most platforms. :)

    I just think they could make a password generator that makes good safe passwords that have letters, numbers, and symbols but are a little more practical or should I say useable.

    Agreed. There isn't a practical solution to this problem since it's really many, many problems across different sites, but we'll see what we can do to offer some more control without making everyone's experience — and passwords — needlessly worse. :)

  • AGAlumB
    1Password Alumni

    Special chars don’t buy you much when you are willing to go longer. 8 character password with full keyboard is much smaller (fewer possible keys) than alphanumeric at 9. Crazy, but true. Gets crazier as you get longer.

    @AlwaysSortaCurious: Can you rephrase it? I think you're making an interesting point here, but you lost me halfway through. :sweat:

  • AGAlumB
    1Password Alumni

    I'm sure it's not original, but I did have one more idea which would be to have another checkbox to "avoid _____ characters" - fill in the blank with some word to describe characters that are commonly rejected by (bad) websites. You used the word "crazy symbols" so maybe the checkbox would be "Avoid crazy symbols" and then it would limit to just the most basic symbols such as !@#$ etc.. but even then, some of those symbols might be rejected by a particularly bad website. (My educated guess is this would take about 2 minutes to code and test this feature once the list of symbols was agreed upon - so maybe this was already rejected as confusing UI.)

    @dmds99: I pulled this from your other comments because it's an interesting way of approaching it. We've mostly discussed this in terms of "allowed characters". Some websites present it that way. But you're right that some also say "you can use the following..." Agreed 100% about confusing UI. We've got a lot of design work to do on 1Password 7 yet, but perhaps after that we can find some time to hash something out in this area. Thanks for the suggestion! :)

  • AlwaysSortaCurious
    Community Member

    Sure,

    8 character passwords with all special characters allowed in a password don't really increase the total number of possible passwords as dramatically as people think when compared to adding a single extra character and making it 9 (or 20 vs 21 or whatever. A single extra character in length does more to improve security than all the extra characters on the keyboard). And it's why I don't care about special characters anymore. I don't mind them, but they are not a show stopper for me when I can make my password longer instead.

    So if I generate ufjjm769 and it asks for a special character and an upper case it goes from 8 character length to 9, no grief ufjJm*769 and is much more secure, for example, than the 8 character version,

    An eight character password with all printable and standard special characters allowed (95ish) is

    95^8 = 6,634,204,300,000,000 possible passwords

    A nine character password with upper/lower alphanumeric only with one extra character in it has twice as many possibilities [A-Za-z0-9] is

    62^9 = 13,537,087,000,000,000 possible passwords

    No, I am not going to get into the math where one column has a special character option, and it is a given part of the formula, it's beyond my skills.
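
The two counts in the comment above, plus the case it leaves out (passwords that must contain at least one character from each class), worked through as an added example that is not part of the thread. Function names are illustrative, and the 33-symbol figure assumes the 95 printable ASCII characters, space included. It also checks the "no digit in 20 characters" figure quoted earlier in the discussion.

```python
from itertools import combinations
from math import log2

# Class sizes within the 95 printable ASCII characters (assumption: space counts as a symbol).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def search_space(length, pool_size):
    """Number of distinct passwords when every position is drawn from the whole pool."""
    return pool_size ** length


def count_compliant(length, class_sizes):
    """Passwords of this length containing at least one character of every class.

    Inclusion-exclusion: start from all strings, subtract those missing one class,
    add back those missing two, and so on. Classes are assumed disjoint.
    """
    pool = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            total += (-1) ** k * (pool - sum(missing)) ** length
    return total


def prob_class_missing(length, pool_size, class_size):
    """Chance that a uniformly random password contains no character of one class."""
    return ((pool_size - class_size) / pool_size) ** length


if __name__ == "__main__":
    full8, alnum9 = search_space(8, 95), search_space(9, 62)
    print(f"95^8 = {full8:,}  ({log2(full8):.1f} bits)")
    print(f"62^9 = {alnum9:,}  ({log2(alnum9):.1f} bits)")

    # Chance of no digit in 20 random alphanumeric characters.
    print(f"no digit in 20 alphanumerics: {prob_class_missing(20, 62, DIGITS):.1%}")

    # Cost of requiring one of each class at length 20 over the full pool.
    classes = [LOWER, UPPER, DIGITS, SYMBOLS]
    kept = count_compliant(20, classes) / search_space(20, 95)
    print(f"share of 20-char passwords with all four classes: {kept:.1%}")
    print(f"entropy lost by requiring them: {-log2(kept):.2f} bits")
```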

  • AGAlumB
    1Password Alumni

    @AlwaysSortaCurious: You're not wrong, but...

    So if I generate ufjjm769 and it asks for a special character and an upper case it goes from 8 character length to 9, no grief ufjJm*769 and is much more secure, for example, than the 8 character version,

    If you're choosing the character and where to insert it, the security benefit it adds is questionable. So I think it's best to discount it entirely. Add the character if needed, but don't assume it provides a benefit apart from meeting the site's demands. The entropy you get from an additional character is substantial, but only when it is completely random. Cheers! :)

This discussion has been closed.