Good password ranked as terrible?

1Password7 on my Mac is ranking an auto-generated password (not generated by 1Password, but still) as "Terrible":

And yet the same password is considered good by 1Password Web:

(don't worry - we've changed to a different password, so there's no security problem sharing it here).

Any idea what's up?


1Password Version: 7.0.3
Extension Version: Not Provided
OS Version: 10.13.4
Sync Type: Not Provided

Comments

  • I've got EXACTLY the same issue - my password was just the same as yours (in type) - I think it's a Safari-generated password - same pattern. Maybe something to do with the dashes? But here's the REALLY weird thing - I had the password stored twice for some reason, with slightly different descriptions - and in the other record, it's "excellent". I wonder if it's "terrible" because it's duplicated in my 1Password list (although it's for the same actual login...)

  • Lars Junior Member

    Team Member

    Welcome to the forum, @paulbutcherelit and @JMT! Thanks for your question about the password strength meter. You're correct, it's a function of whether WE created it or not. There are a few issues to smooth out with the Password Generator, but it's also not as easy as you might imagine to give a definitive answer: there are MANY ways to calculate password strength, and not everyone agrees what the "right" way to do it is. We've tried to use a conservative approach that includes making sure we don't give you a false sense of security by telling you a password is stronger than it actually is.

    For instance, in the example from Paul's post, a copied password may LOOK strong, but we don't know how it was generated, so it may not be that strong at all, so it's assigned a lower score. When we generate a password, we can calculate much more precisely the strength, as we know how it was created. Nevertheless, certainly a long-and-strong password shouldn't have a near-zero strength, and this is a bug we're working on.

    If you want general advice until we have a more solid fix for this out, once you hit 23 random characters (alpha/numeric/symbol), you're at 128 bits of entropy. That's enough to foil even the fastest cracking tools currently available.
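
Added example (not part of the original thread, and not 1Password's scoring code): the reply above separates a password whose generation recipe is known from one seen only as a string. This Python sketch computes entropy from a known recipe and shows that a naive character-class estimate gives a patterned password the same score as a random-looking one; the alphabet sizes, function names, zero-credit policy and sample strings are assumptions constructed for illustration.

```python
import math
import string

# Character classes a string-only meter can observe (sizes 26, 26, 10, 32).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def generator_entropy_bits(length, alphabet_size):
    """Entropy when every character is drawn uniformly at random from a
    known alphabet: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)

def min_length_for_bits(target_bits, alphabet_size):
    """Shortest uniformly random password that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def charset_estimate_bits(password):
    """Naive string-only estimate: pretend each character was drawn uniformly
    from the union of the classes seen in the string. At best an upper
    bound, because the real generation process is unknown."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def conservative_bits(password, recipe=None):
    """Hypothetical conservative policy: credit entropy only when the recipe
    (length, alphabet_size) is known; otherwise claim none."""
    if recipe is None:
        return 0.0
    length, alphabet_size = recipe
    if length != len(password):
        raise ValueError("recipe does not match the stored password")
    return generator_entropy_bits(length, alphabet_size)

# Constructed samples: same length, same four character classes.
PATTERNED = "Summer2018!Summer2018!"
RANDOM_LOOKING = "q7#Vw2@Lx9!Rt4$Zm6%Kp8"

if __name__ == "__main__":
    for pw in (PATTERNED, RANDOM_LOOKING):
        print(f"{pw}  charset estimate: {charset_estimate_bits(pw):.1f} bits, "
              f"unknown origin: {conservative_bits(pw):.1f} bits")
    print("known recipe (22 chars, 94 symbols):",
          f"{conservative_bits(RANDOM_LOOKING, (22, 94)):.1f} bits")
    print("23 chars from 62 symbols:",
          f"{generator_entropy_bits(23, 62):.1f} bits")
```

The string-only estimate cannot tell the two samples apart, which is why a meter that wants to avoid overstating strength needs the generation recipe to give a precise figure.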

  • Thanks for the reply @Lars. I'm not sure that it explains why there's a discrepancy between the local and web versions of 1Password? I would (naively perhaps) have expected them to use the same algorithm?

  • Greetings @paulbutcherelit,

    I don't have an answer for you I'm afraid but I do agree with you, expecting the two to be consistent is a pretty reasonable expectation.


  • Yes, I have the same problem. I have a password that is considered very very strong on password meters on the web (it's 19 characters, with some symbols, some caps, no recognizable words etc...), and it says "terrible" on the desktop 1Password app. Then on the 1Password website it says it's good (or the green bar is about 2/3s filled like on @paulbutcherelit's)

    If the password strength meter were faulty on say the Netflix website or something I wouldn't care as much. But this is all you guys do, passwords, passwords, passwords. This is what we are paying you for, to help us with our passwords, to remember them and tell us if they are strong or not!

  • Ben AWS Team

    Team Member

    Thanks for the feedback, @BayUno. Was this password generated by 1Password? Did you type or copy & paste it into this item or was it put there by the generator?

    Ben

  • Hi @ben I typed it

  • Ben AWS Team

    Team Member

    @BayUno

    That's why. One of the major factors in the way 1Password scores passwords is entropy. With a password you've typed in the entropy is assumed to be zero.

    Ben

  • @Ben ok so even if it was a very complex very strong password, if I typed it in, it would show as zero entropy and be labeled as terrible?

  • Ben AWS Team

    Team Member

    @BayUno,

    1Password will still try to make an educated guess about the password strength, but it will assume zero entropy (as it has no reason to assume otherwise or any data to calculate actual entropy). I just created a new login item and typed in the password t8Ss8hased#@asd and even though that is a typed password with zero entropy 1Password estimated it was "excellent." If your password is similar there may be a problem with the calculation. I'd suggest troubleshooting by creating a new login item for this password and typing it again there (don't copy & paste). If it still comes up as 'terrible' then it would seem that is indeed 1Password's assessment of it.

    Ben

  • @BayUno please see my comment at the start of this thread about the discrepancy between the way that 1Password web and 1Password Mac rate passwords. It seems that 1Password does not have an opinion about passwords, it has multiple divergent opinions depending on where you look.

  • brenty

    Team Member

    @paulbutcherelit: I've (un)fortunately been doing a lot of testing in the area of differences between platforms and know what you're talking about. There is no right answer when it comes to password strength, but we're working to improve it and also make it more consistent across the board. Thanks for your feedback on this.

    However, I do think there's something else going on in your case. Like Ben, I'm not able to reproduce what you're seeing. I wonder if that login is simply damaged, or was created when there was a bug with the password strength. If you create a new login with the same password, does that give you a better result, more in line with your expectations?

  • I've just tried creating a new password entry with the same password as is ranked terrible, and this time it's ranked excellent.

    So it looks like you're right, there's something about the existing record that's "damaged" in some way.

  • brenty

    Team Member

    @paulbutcherelit: I don't recall the details, but there was a bug with password strength. Since this is saved as part of the item, it was still hanging around there. Sorry for the trouble that caused, but I'm glad that creating a new item resolved it — and that we squashed that bug so it was possible. :)

  • It's April 2020 and this issue still persists. I used a 24 character password generated via 1P Chrome extension and it's showing as "Terrible" password in the Mac OS X app.

  • Ben AWS Team

    Team Member

    Hi @harpal

    Did you edit the password at all, or is it straight from the password generator?

    Ben

  • Thanks for your response, Ben. It's straight from the password generator.

    I rarely create my own passwords - always use long complicated passwords directly via the generator.

  • Ben AWS Team

    Team Member

    Thanks @harpal. That's interesting. I wish I had a better answer off-hand for why that might be the case, but I'll speak with the team and do some brainstorming. Thanks for the report.

    Ben

  • Hi @Ben, any update on this issue you committed to look into back in April? I too am having the same problem. Auto-filled a 1Password generated password with the Chrome extension in Brave browser, then if I go and look in the 1Password app the password is "Terrible". However, if I expand the Saved Form Details on the same vault item, the exact same string in the password field down below is "Very Good". This is happening with many different sites.

  • I see that this seems to be related to a post I made a few hours ago today. Whatever it may be worth, the password in question in my other post is 15 characters long. I did edit the 1PW generated suggestion by one character to make the symbol it contained conform to the web site's limitations. But in my case, the result is sometimes Terrible, sometimes Very Good, even in the same entry record in the Login category. There is a screen shot in my recent post showing the same password with two different strength assessments in the very same record.

  • ag_ana

    Team Member

    @hawkmoth:

    Thank you for sharing your experience as well. I have added your feedback in the internal issue we use to track this :+1:

  • ag_ana

    Team Member

    @codybj:

    We don't have any updates to share at the moment, our developers are still looking into this.

  • Hi @ag_ana - I am experiencing this issue as well (Used 1Password to generate a password, 1Password rates it as "terrible"). It's specific to one government website. Do you need any additional details from me for your issue log?

    Thank you!

  • Ben AWS Team

    Team Member

    @amenges

    Thank you for the report, and for the offer. I don't believe we need any additional information at this time. Our plan going forward is to use shared code for rating passwords, so the code currently in use in 1Password for Mac is likely to be going away in future generations of the app. Unfortunately that does mean this isn't likely to be addressed in the short term, but should make it much easier to resolve any issues once implemented.

    Ben

  • magic890
    edited July 30

    Hi @Ben, same issue here, password generated via 1Password and after copied again it's rated as Terrible.
    Any plan to fix it soon?
    Do we have a remediation in the meanwhile?

    Moreover, if I edit the password adding a single character, and after restore it to the previous state, the ranking is Excellent.

  • Ben AWS Team

    Team Member

    @magic890

    "Any plan to fix it soon?"

    Unfortunately this is not a quick / short-term project.

    "Do we have a remediation in the meanwhile?"

    I think what you highlighted is the best I could offer:

    "Moreover, if I edit the password adding a single character, and after restore it to the previous state, the ranking is Excellent."

    I'm sorry there isn't a better answer for the moment, but it is something we're aware of and plan to address as we move forward.

    Ben
