Feature Request - PW requirements for words recipe (length, capitalization, alpha and symbol chars)

Ben.S
edited May 19 in Lounge

Okay... Here’s a picky request, in brain dump fashion. :)

The random password recipe allows you to choose the length of characters. I would like to suggest the ability to, at the least, see how many characters are in the generated password when using the words recipe.

Also, a few other suggestions that would make this idea better, in my opinion - The ability to choose character length within the words recipe, and the ability to add upper case (I usually upper case each word or one or two words), and add in a set of numbers.

Okay okay. After writing this down I see that my request/idea could arguably add a bit of complexity to 1Password’s great UX. The problem I have, that I'd like to see solved, is the ability to use the words recipe, while conforming to password requirements from a website, as many websites require a range of characters and/or symbols and numbers. I know the random recipe solves my issue, but it’d be nice to meet certain requirements and have a readable password as an end result.

Edit: looks like someone recently suggested, basically what I was asking for. Whoops.

https://discussions.agilebits.com/discussion/88532/feature-request-improve-password-generator-for-words#latest

Comments

  • brenty

    Team Member

    The random password recipe allows you to choose the length of characters. I would like to suggest the ability to, at the least, see how many characters are in the generated password when using the words recipe.

    @Ben.S: That's an interesting idea. I'm actually surprised, as it hasn't come up before to my knowledge. I can't promise anything, but we can certainly consider that. :)

    Also, a few other suggestions that would make this idea better, in my opinion - The ability to choose character length within the words recipe, and the ability to add upper case (I usually upper case each word or one or two words), and add in a set of numbers.

    That, unfortunately, is a less-than-great idea. First, restricting the character length of a word-based password will make it considerably weaker, as 1Password will then be excluding a lot of things, decreasing the entropy. And with uppercase, that makes the words harder to type and doesn't add any real security benefit: the entropy is from the number of possible combinations based on the size of the Wordlist (about 18000) and number of words used. Certainly in some cases it may be necessary to add a capital letter, number, or symbol, but it's something you can do yourself without hurting anything. But it's also worth pointing out that the "words" option is meant for cases where you need to memorize and/or type a password. In all other cases, it's best to use "characters", as you'll not only have complete control over the length without compromising strength, character-for-character this will always be stronger than a word-based random password.

    Okay okay. After writing this down I see that my request/idea could arguably add a bit of complexity to 1Password’s great UX. The problem I have, that I'd like to see solved, is the ability to use the words recipe, while conforming to password requirements from a website, as many websites require a range of characters and/or symbols and numbers. I know the random recipe solves my issue, but it’d be nice to meet certain requirements and have a readable password as an end result.

    Usability is definitely a concern, but we always need to prioritize security. If we can get that down, it frees us to focus on making it intuitive. An intuitive design is great, but with 1Password we can't start there. And similarly, "readable" passwords are nice looking, but should only be used when necessary, as they will be easier to guess than a random character-based password of the same length. We're in the process of trying to learn definitively just how quickly (or not) a three-word password can be brute forced with current technologies.

    Edit: looks like someone recently suggested, basically what I was asking for. Whoops.

    No worries! Honestly this is a slightly different take, and I do think it could be helpful to show the length of the word-based password, especially since we don't want to limit it. Cheers! :)

  • That, unfortunately, is a less-than-great idea. First, restricting the character length of a word-based password will make it considerably weaker, as 1Password will then be excluding a lot of things, decreasing the entropy.

    You are absolutely correct. The only reason I suggested being able to choose character length, was because there are unfortunately a lot of sites that have a max character limit on passwords, including some financial institutions. I'm not sure if you'd agree, but perhaps displaying the character count of word-based passwords (mentioned in original post), would solve this issue. I'd be happy with just that. As a user, I could then choose a word count, and click re-generate until a length comes up that falls within the password range requirements of said website. Correct me if I'm wrong, but I don't see any compromisation of passwords due to 1Password, but due to the requirements of the website.

    The same reasoning also applies to my request for uppercase letters and numbers. Some websites require it. Clarification, I never imagined there being random uppercase letters or numbers throughout the word-based password. I manually do any of the following combination that would be simple to read out loud or in head on the spot, but not for long-term memorization, like so:

    • Uppercase of first letter of 1 or more words - Ex: Cat.Dog.Fish
    • Uppercase of last letter in 1 or more words - Ex: caT.doG.fisH
    • Uppercase of all letters in 1 or more words - Ex: CAT.DOG.FISH

    It could be simplified, and only allow the option to uppercase the 1st letter in all words, or make them all lowercase, however, you may consider this a violation of how you prioritize UX.

    In regards to numbers, my solution involves adding a random (well, I bash the numbers on my keyboard :)) set of numbers somewhere in the password. Ex: cat.dog.1234.fish

    I'm interested in hearing your thoughts about this, and where you see what is given up in terms of security.

    Ahhh! Very cool. Thanks for sharing. I will be watching for this!

  • brenty

    Team Member

    You are absolutely correct. The only reason I suggested being able to choose character length, was because there are unfortunately a lot of sites that have a max character limit on passwords, including some financial institutions. I'm not sure if you'd agree, but perhaps displaying the character count of word-based passwords (mentioned in original post), would solve this issue. I'd be happy with just that. As a user, I could then choose a word count, and click re-generate until a length comes up that falls within the password range requirements of said website. Correct me if I'm wrong, but I don't see any compromisation of passwords due to 1Password, but due to the requirements of the website.

    @Ben.S: I think we're in complete agreement here. I'm uncertain about if or when we'll do something like this because our todo list is very, very long. :)

    The same reasoning also applies to my request for uppercase letters and numbers. Some websites require it. Clarification, I never imagined there being random uppercase letters or numbers throughout the word-based password. I manually do any of the following combination that would be simple to read out loud or in head on the spot, but not for long-term memorization, like so:
    Uppercase of first letter of 1 or more words - Ex: Cat.Dog.Fish
    Uppercase of last letter in 1 or more words - Ex: caT.doG.fisH
    Uppercase of all letters in 1 or more words - Ex: CAT.DOG.FISH
    It could be simplified, and only allow the option to uppercase the 1st letter in all words, or make them all lowercase, however, you may consider this a violation of how you prioritize UX.

    Thanks for the clarification! Indeed, I am not able to get on board with the second option since that would largely obviate the key benefit of word-based passwords: memorability. But you make an excellent point about typability. Something to consider.

    In regards to numbers, my solution involves adding a random (well, I bash the numbers on my keyboard :)) set of numbers somewhere in the password. Ex: cat.dog.1234.fish
    I'm interested in hearing your thoughts about this, and where you see what is given up in terms of security.

    The problem with that is the numbers don't really add much in the way of entropy if they're grouped together like that. I do get your meaning though, and maybe there's something similar we could do in the future. I think this enters more into the human realm. A person may want an easy-to-read password. A website may demand that it contain numbers, whatever. While 1Password can generate a word-based password and a character based password, the user would have to do those separately and add them together. So I can appreciate the desire to have 1Password do it all at once in those cases. The problem is that a lot of people will see cat.dog.1234.fish (or non-union Mexican equivalent) and think this is an AWESOME password, and they would be less likely to use a more repugnant-looking (humans + randomness = no bueno) password with greater entropy. It's something we'll keep in mind, especially if more websites become worse about stuff like this. But at least for the last while things have been improving in that space. If we can avoid making changes that could lead to weaker passwords, I think we should.

    Ahhh! Very cool. Thanks for sharing. I will be watching for this!

    Me too. Still waiting! :eh:

  • I think we're in complete agreement here. I'm uncertain about if or when we'll do something like this because our todo list is very, very long.

    I completely understand you there! Been there, done that, currently there, currently doing that, got the t-shirt, and getting more. :)

    Indeed, I am not able to get on board with the second option since that would largely obviate the key benefit of word-based passwords: memorability.

    You make a good point there. I agree for now, unless someone were to have a solution to the problem that would include enough entropy, while also keeping the password memorable. And I don't know, but perhaps this is a problem that only I, or a small percentage of 1Password users have. You guys know your users better than me. :)

    I think this enters more into the human realm. A person may want an easy-to-read password. A website may demand that it contain numbers, whatever. While 1Password can generate a word-based password and a character based password, the user would have to do those separately and add them together. So I can appreciate the desire to have 1Password do it all at once in those cases. The problem is that a lot of people will see cat.dog.1234.fish (or non-union Mexican equivalent) and think this is an AWESOME password, and they would be less likely to use a more repugnant-looking (humans + randomness = no bueno) password with greater entropy.

    That's understandable. I will say that cat.dog.1234.fish is extremely better than someone just adding 1, year, birth date, anniversary, etc to the end of their generated password because they couldn't auto generate a number or a couple of numbers and place them within their password somewhere.

    I see where there are a lot of things to consider here. One thing that I didn't think to mention is that this is only a pain point for me on iOS. In the Mac app and Firefox addon, I can easily click into the password field and it'll turn into a text field revealing the password. Now, I can move the cursor to certain places in the password and can proceed with manually fixing my password to meet requirements of certain websites. However, on iOS, you don't know where you're moving the cursor to, because the cursor is in the password field, which is masked, instead of the visible password. The visible password appears to be a label, so is changing the password field to a text field, when "show password" is enabled something that would be considered? Especially, considering that it currently happens in the Mac software and possibly other clients.

    Unless you or someone else throws an angle in here that I'm not seeing, this solves the issue. It doesn't outright give users the ability to generate insecure passwords thus giving the false notion that they have an amazing password, which seemed to be a concern of yours. It should be and hopefully improves, that the idea of manually modifying your password, should be avoided if possible. There are also a few easily identifiable ways you can implement great UX.

    I'm okay with manually modifying the password. Yes it's not the most secure, yes it's not recommended, but it's my way and the only way to remedy the issue using word-based passwords. Are others not having the same issue? Maybe they just stick to random character-based passwords.

    Side note: on iOS devices with 3D/force touch support, you cannot use on the keyboard to move the cursor. Not a big deal. Just a tiny pet peeve :)

    Thank you for taking the time to hear and respond to my comments. It's greatly appreciated and not many companies excel in as many areas as you guys do! Thank you

  • brenty

    Team Member

    I completely understand you there! Been there, done that, currently there, currently doing that, got the t-shirt, and getting more. :)

    @Ben.S: Thank you for this! :lol:

    You make a good point there. I agree for now, unless someone were to have a solution to the problem that would include enough entropy, while also keeping the password memorable. And I don't know, but perhaps this is a problem that only I, or a small percentage of 1Password users have. You guys know your users better than me. :)

    Honestly, I'd bet that most people run into something like this occasionally. What's rare is websites that do this, and also even rarer that they agree with each other. There's just too much variation for there to be a good one-size-fits-all solution, but it's something we'll continue to evaluate.

    That's understandable. I will say that cat.dog.1234.fish is extremely better than someone just adding 1, year, birth date, anniversary, etc to the end of their generated password because they couldn't auto generate a number or a couple of numbers and place them within their password somewhere.

    Hey, if you have a long, random, unique password generated and the site is like, "No! You must add a symbol! The Great Old One wills it!" adding a * or whatever doesn't make your password weaker. Not ideal, but doable.

    I see where there are a lot of things to consider here. One thing that I didn't think to mention is that this is only a pain point for me on iOS. In the Mac app and Firefox addon, I can easily click into the password field and it'll turn into a text field revealing the password. Now, I can move the cursor to certain places in the password and can proceed with manually fixing my password to meet requirements of certain websites. However, on iOS, you don't know where you're moving the cursor to, because the cursor is in the password field, which is masked, instead of the visible password. The visible password appears to be a label, so is changing the password field to a text field, when "show password" is enabled something that would be considered? Especially, considering that it currently happens in the Mac software and possibly other clients. I'm okay with manually modifying the password. Yes it's not the most secure, yes it's not recommended, but it's my way and the only way to remedy the issue using word-based passwords. Are others not having the same issue? Maybe they just stick to random character-based passwords. Side note: on iOS devices with 3D/force touch support, you cannot use on the keyboard to move the cursor. Not a big deal. Just a tiny pet peeve :) Unless you or someone else throws an angle in here that I'm not seeing, this solves the issue. It doesn't outright give users the ability to generate insecure passwords thus giving the false notion that they have an amazing password, which seemed to be a concern of yours. It should be and hopefully improves, that the idea of manually modifying your password, should be avoided if possible. There are also a few easily identifiable ways you can implement great UX.

    This bothers me too. Unfortunately we don't have a good native way of doing this on iOS. Secure Input and "password" fields come hand in hand. This is one case where it would be nice if that wasn't the case, hence the sort of hacky password + display field combo you referenced. But it would be great if we can figure out a solution. Thanks for bringing this up!

    Thank you for taking the time to hear and respond to my comments. It's greatly appreciated and not many companies excel in as many areas as you guys do! Thank you

    Hey, no problem! Thanks for taking the time to share your thoughts with us. Hopefully we'll be able to surprise you with some things in the future. :)

  • jpgoldberg Agile Customer Care

    Team Member

    This outstanding conversation tells me that I need to get back to working on our new/forthcoming password generator. I can report that it does have the ability to randomly capitalize words (as that part is written and tested already), and it does have the ability to use random digits as separators between words.

    As for what features will be exposed in the UI is a different question, but we want the underlying generator engine to be flexible. But we found no way to fix a length in characters for the wordlist system while keeping the output of the generator uniform, so that isn't a feature to expect.
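
The entropy arithmetic this thread keeps returning to, as an added example that is not part of any post and is not 1Password's generator code. It compares word-based and character-based passwords and counts how many word sequences survive a site's maximum-length rule when a user regenerates until one fits. Only the wordlist size of about 18000 comes from the thread; the word-length histogram and the one-character separator are assumptions constructed for illustration.

```python
import math
from collections import Counter

WORDLIST_SIZE = 18000  # "about 18000", the figure quoted in the thread

# Constructed word-length histogram {letters: number of words}; sums to 18000.
# Illustrative only, not the real 1Password wordlist.
CONSTRUCTED_HIST = {3: 1000, 4: 3000, 5: 4000, 6: 4000, 7: 3500, 8: 2500}


def words_entropy_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of n words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def chars_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random character password."""
    return length * math.log2(alphabet_size)


def count_fitting(length_hist, n_words, max_len, sep_len=1):
    """Count n-word sequences whose length, separators included, is <= max_len."""
    budget = max_len - sep_len * (n_words - 1)  # letters left after separators
    ways = Counter({0: 1})  # total letters so far -> number of sequences
    for _ in range(n_words):
        nxt = Counter()
        for total, n_seq in ways.items():
            for word_len, n_with_len in length_hist.items():
                if total + word_len <= budget:
                    nxt[total + word_len] += n_seq * n_with_len
        ways = nxt
    return sum(ways.values())


def restricted_entropy_bits(length_hist, n_words, max_len, sep_len=1):
    """Entropy when regenerating until the result fits max_len.

    Regenerate-until-fit is rejection sampling, so the result is uniform
    over the fitting sequences. Returns None if no sequence can fit.
    """
    n = count_fitting(length_hist, n_words, max_len, sep_len)
    return math.log2(n) if n else None


if __name__ == "__main__":
    for n in (3, 4, 5):
        full = words_entropy_bits(n)
        capped = restricted_entropy_bits(CONSTRUCTED_HIST, n, max_len=20)
        capped_txt = "no fit" if capped is None else f"{capped:.1f} bits"
        print(f"{n} words: {full:.1f} bits; capped at 20 chars: {capped_txt}")
    print(f"20 random chars from a 62-symbol alphabet: "
          f"{chars_entropy_bits(20, 62):.1f} bits")
```
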
