How are password quality ratings determined?

Can you point me to an article or white paper that discusses password generation? I notice, for example, that a 12 character alphabetic password gets rated "Fantastic", but if I add numerals for graphic characters it is only rated "Excellent." I would think that the determination would be based on (the number of possible characters) raised to the power of the (length of the password).


1Password Version: 7
Extension Version: 7.0.7
OS Version: OS X 10.13.6
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    @MikeMadden51: We don't have any public documentation for this since 1) there is no right answer — "password strength" is highly subjective — and 2) it's something we're always working to improve, making adjustments, but I can answer the question of why you're seeing what you're seeing: 1Password rates passwords that it did not create itself as considerably weaker, since it cannot know the entropy (if any) involved. For instance, when 1Password generates a password, it knows how many possibilities there are for each character based on the pool, and then it can calculate the entropy of the whole password based on that, and make a judgement as to how strong it is. When you paste a whole password into a login or just add a few characters, it doesn't know if you just read those off a bar code on a cereal box, so it treats that with more skepticism. Anyway, I hope that helps, but feel free to ask any other questions you might have. It's an interesting topic. :)

  • I have definitely drunk the Kool-Aid about how poor humans are at randomizing. I should have been clearer in my post: the passwords I "created" and "changed" were done using the Password Generator. The specific question I have relates to the Password Generator. Using the sliders, I generated one password that was 12 characters long, no digits, no special characters — which was rated "Fantastic." I generated a second: 12 characters long, 2 digits, no special characters — which was rated "Excellent." And a third, with a length of 12, no digits, and 2 special characters — which was rated "Fantastic." BTW, I performed this exercise to see how minimally I could go and still be "Fantastic." In the real world, I use as large a password as the hosting application permits. Thanks for your kindness in responding to me.

  • brentybrenty

    Team Member

    @MikeMadden51: Gotcha. Thanks for clarifying. This is a byproduct of the current state of password generation in 1Password for Mac, which has not yet been updated with our newest password generator. When you choose a set number of digits/symbols to add, it can decrease the strength since 1Password must limit itself to only that number of characters, rather than possibly giving you a digit for each position, etc. This will be addressed in a future update, where we'll simply have a checkbox to "include" digits or symbols, which will be more random. Definitely something we're working on. Thank you for bringing this up! :)

  • I've enjoyed "kicking the can" with you on this. Especially since I'm math-challenged when it comes to all things crypto.

  • brentybrenty

    Team Member

    Likewise, this is interesting stuff! Always fun to discuss. :chuffed:

    And if you're interested in digging into more stuff like this, you should check out Crypto101 and the Applied Cryptography course, which are great (free) general resources, and our security white paper has information specific to how 1Password.com works.

    I don't think I'll ever feel like I'm done learning, so it's good that I enjoy it. :lol:
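
The reply above about a set number of digits versus simply "including" digits can be checked by counting outcomes. The following is an added example, not 1Password's code or rating algorithm; it assumes a 52-letter pool and a 10-digit pool, and that every password a recipe can produce is equally likely.

```python
import math
import string
from itertools import product
from secrets import SystemRandom

LETTERS = string.ascii_letters   # assumed pool: 52 characters
DIGITS = string.digits           # assumed pool: 10 characters
rng = SystemRandom()             # draws from the OS CSPRNG

def bits_pool(length, pool):
    """Entropy when every position is drawn independently from one pool ("include digits")."""
    return length * math.log2(len(pool))

def bits_fixed(length, n_digits, letters=LETTERS, digits=DIGITS):
    """Entropy when exactly n_digits positions are digits and the rest are letters."""
    count = (math.comb(length, n_digits)            # where the digits sit
             * len(digits) ** n_digits              # which digits
             * len(letters) ** (length - n_digits)) # which letters
    return math.log2(count)

def enumerate_fixed(length, n_digits, letters, digits):
    """Brute-force count of the fixed-count set; cross-checks bits_fixed on tiny pools."""
    return sum(1 for s in product(letters + digits, repeat=length)
               if sum(c in digits for c in s) == n_digits)

def generate_fixed(length, n_digits, letters=LETTERS, digits=DIGITS):
    """Sample uniformly from the fixed-count set: pick digit positions, then fill each slot."""
    digit_pos = set(rng.sample(range(length), n_digits))
    return "".join(rng.choice(digits if i in digit_pos else letters)
                   for i in range(length))

def generate_pool(length, pool=LETTERS + DIGITS):
    """Sample each position independently from the combined pool."""
    return "".join(rng.choice(pool) for _ in range(length))

if __name__ == "__main__":
    print(f"exactly 2 digits : {bits_fixed(12, 2):.2f} bits  e.g. {generate_fixed(12, 2)}")
    print(f"62-char pool     : {bits_pool(12, LETTERS + DIGITS):.2f} bits  e.g. {generate_pool(12)}")
```

Under these assumptions the fixed-count recipe has fewer possible outputs than the combined pool at the same length, because only passwords with exactly two digits can occur.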
