password generator with words is not always acceptable

(I am not sure this is the right forum, but I did not find any that is "simply" on general technical issues.)

I have begun to systematically use the password generator. I use the "words" alternative with "hyphen" as a sub-option. However, in many cases, the generated password is not accepted by sites, because they often require two features:

  • passwords should include both lower and upper case characters
  • passwords should also include numerical digits

As a result, what I do is to change one of the characters to upper case and add some random digits to the words before using it. No big deal, but a bit of a drag; I wonder whether it is not possible to extend the password generator by mixing upper case and lower case characters and include random digits, too?

Thanks


1Password Version: 7
Extension Version: 7.2.4
OS Version: macOS 10.14.2
Sync Type: iCloud
Referrer: forum-search:password generator

Comments

  • ag_sebastian 1Password Alumni
    edited February 9

    Hello, @iherman!

    If you're not sure where to post a question, make your best guess (just as you did), and we'll move it if need be. :smile:

    I know what you mean, as I tend to add upper-case characters and numbers often myself, and it can become a bit of a drag. I've filed this as a feature request for us to look into, but I can't promise when and if we'll get to it.

    ref: xplatform/targets#13

  • Thanks @ag_sebastian! Getting this on your radar screen is the first step:-)

    Happy new year to the whole team!

  • ag_sebastian 1Password Alumni
    edited January 6

    Always happy to listen to constructive feedback. :) Happy New Year, @iherman!

  • I'm piggybacking on this thread because my issue and my usual solution (manually tweak the suggested password) is the same as the original poster's. But I'd like to add a feature request, or more accurately a request for feature restoration, as well:

    In both the Windows app and the old 1Password Chrome extension, I'm able to edit the generated password in place (in the Password Generator popup's textbox) before clicking the "Copy" button. In the 1Password X extension, that textbox is read-only, so I have to click "Copy", then paste it into something I can both see and edit, and then copy the modified password to the clipboard.

    In a future version of 1Password X, could the Password Generator's password textbox be made editable, to avoid the extra paste-and-recopy steps?

  • ag_sebastian 1Password Alumni

    That's a solid suggestion, @vorlonscout! :) I'll make sure to pass this along to the rest of the team, but I can't make any promises when and if we'll make the Password Generator text box editable.

  • I'd like to see this as well. I find it curious that your Android app supports mixed-case "memorable" passwords while your Mac app does not. The Android app also supports both full words and non-dictionary, but pronounceable wordlets, while again, this option is missing from the Mac app. This is a requirement for some of the more secure systems I use that prohibit dictionary words. Neither supports required numbers and I'd really like to see all of these issues fixed. I've just started using 1Password and am really impressed with some of its features but frustrated by really simple oversights like this. Functional consistency across platforms should be a given.

  • Ben AWS Team

    Team Member
    edited March 18

    @zenzic

    We agree, and are (slowly) moving toward a more consistent experience with the password generator across platforms. In the meantime, you can try the password generator on our website:

    https://1password.com/password-generator/

    I hope that helps!

    Ben

  • Thanks, Ben. It does help, but I was surprised that, rather than integrating with my account, it prompts me to sign up for a 30 day free trial every time I copy a generated password.

    You might also want to check your word database. I laughed at this suggestion, but some might be a bit offended by "Penile-surcease-liar-organdy".

  • brenty

    Team Member

    Thanks for the feedback. Hopefully you didn't just share your password though! :lol:

  • Didn't want to start a new topic - this seems quite relevant. I'm all for an updated password generator too. I prefer using words like @vorlonscout and @iherman have indicated.

    Like them, I'd like the option to add capital letters, numbers and symbols. I'd also like to add the option of specifying how long the password needs to be - just specifying words doesn't work very well when you need a password of a specific length.

    I don't like the Characters generator, and would prefer to use words as they are much easier to type - and I'd think that adding random changes like caps, numbers and symbols would introduce enough entropy to resist dictionary attacks.

    (FYI, the generator on your website seems to have a flaw. Every password it generates (and I've tried over 10 times) capitalizes the first letter. I'd think that would lead to a vulnerability.)

  • brenty

    Team Member

    "Words" is never going to be our priority or general recommendation because they offer less bang-for-the-buck, security-wise, and only offer a benefit if you're going to memorize and type them. We'll keep iterating on the generator, but it's important to maintain perspective. :)

    Also, I'm getting both upper and lowercase letters using either the "random" or "memorable" options on the page:

    https://1password.com/password-generator/

    Are you encountering this only in a specific browser/version?

  • FogCityNative Junior Member

    I have been asking 1Password to do this for over a year. I just sent them another request to try to resurface the issue.

    For whatever reason, they don't seem to like the idea as it never makes it onto the list of enhancements and fixes that 1Password regularly releases.

    Since adding a few more preferences to the Password Generator isn't a monumental change requiring hundreds of manhours, I really wish the folks at 1Password would explain why they do not like the idea and won't implement it. I get that you do not like word-based passwords. But I have valid reasons for using them.

    I hear you when you say there are a multitude of password requirements at different websites and you cannot make 1Password compatible with all of them for both password generation and auto-filling of web forms. I really do understand.

    But as I have said many times before, these days most web sites want a combination of letters and numbers, some want at least one uppercase letter and a rare few want a symbol like # or *.

    I understand the long term goal is for 1Password to automatically give the website what it wants in a super secure password but implementing that probably is a monumental task.

    I also understand that a gibberish password is more secure than a series of unrelated words.

    But if I use any public computers where 1Password isn't installed it is a lot of effort to open my vault via a web browser. Because I have a set of complex passwords on my 1P account. So I have to go to my cell phone anyway to look up that info and type it in.

    So it is super easy instead of going to 1Password on the public computer via a web browser to instead go to 1Password on my phone and look up and type in the password for any site when I am not using my own device. I can remember wolf2.seaweed.Tent long enough to type it in. CXy236#rSu4# isn't so easy.

    So to me, the former random word-based password is secure enough. Again, I realize that pasting in a password is more secure than typing it in. But just to get to my vault via a web browser to look up a password so I can paste it in requires typing in my 1P credentials. I only ran into an Internet café using a keystroke recorder once in my life, in 2007, in Brazil. And the bank caught the attempt to pay $8,000 to some random duped dude in New Jersey.

    So if there is a keystroke recorder on a public computer would I rather compromise one single password to one web site or the password and key to every password I have? So I am not going to switch to gibberish passwords. If I use a public or alien computer and need a password, I will continue to grab it off my phone and type it in.

    So implementing the ability to add some uppercase letters and a number or two before or after the word only makes a word based password more secure, not less. Much harder to hack by brute force.

    So if you really don't like word-based passwords, I'd think you'd be gung-ho to add anything that would make a word based password more complex.

  • brenty

    Team Member

    @FogCityNative: To clarify, no one said we "do not like word-based passwords". If we didn't, we wouldn't have bothered to create the 14k+ Wordlist that we're using, or add it to the password generator. ;)

    Anyway, I think you're missing my earlier point: a word-based password will always be weaker than a random character-based password of the same length. That's just math. Word-based passwords are useful in situations where it is necessary to memorize and/or type the password. But in any other case you're giving up a huge security gain for no real benefit. That's what I'm talking about. :)

    Also,

    > But if I use any public computers where 1Password isn't installed it is a lot of effort to open my vault via a web browser. Because I have a set of complex passwords on my 1P account. So I have to go to my cell phone anyway to look up that info and type it in.

    It's totally up to you if you choose to put your data at risk, but it's not safe, we're never going to recommend it, and we're not going to design 1Password around that use case because it's security software and there is no security on a device someone else controls. I'm glad if it's inconvenient for you to do the insecure thing. 1Password exists to make doing the secure thing easier, not the opposite.

    > So if there is a keystroke recorder on a public computer would I rather compromise one single password to one web site or the password and key to every password I have?

    Agreed. In an emergency, I'd probably make the same call. Fortunately I'm not often in a position where making a bad security decision is the lesser of two evils. I hope the same for you.
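
Added example (not part of the thread and not 1Password's code): a sketch of the word generator requested above, with one capitalised word and one appended digit, plus the entropy arithmetic behind the "same length" comparison. The word list is a constructed sample, and the 14,000 list size is an assumption taken from the "14k+" figure mentioned in the thread.

```python
import math
import secrets

# Constructed sample list; the real 14k+ list mentioned in the thread is not reproduced.
SAMPLE_WORDS = ["wolf", "seaweed", "tent", "organdy", "harbor", "lantern",
                "pickle", "thimble", "gravel", "meadow", "copper", "violin"]
ASSUMED_LIST_SIZE = 14_000  # assumption: round figure for the "14k+" word list


def word_password(words, n_words=4, sep="-"):
    """Pick words uniformly with a CSPRNG, capitalise one, append a digit to one."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    cap = secrets.randbelow(n_words)
    picked[cap] = picked[cap].capitalize()
    dig = secrets.randbelow(n_words)
    picked[dig] += str(secrets.randbelow(10))
    return sep.join(picked)


def word_entropy_bits(list_size, n_words=4, tweaked=True):
    """Entropy of the scheme above, assuming the attacker knows scheme and list."""
    bits = n_words * math.log2(list_size)
    if tweaked:
        bits += math.log2(n_words)       # which word is capitalised
        bits += math.log2(n_words * 10)  # which word gets the digit, and which digit
    return bits


def random_entropy_bits(length, alphabet_size=62):
    """Entropy of a uniformly random string (62 = a-z, A-Z, 0-9)."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits, alphabet_size=62):
    """Shortest random string carrying at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def meets_site_rules(pw):
    """The two site rules from the first post: mixed case and a digit."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


if __name__ == "__main__":
    pw = word_password(SAMPLE_WORDS)  # sample list only; entropy below assumes 14k
    plain = word_entropy_bits(ASSUMED_LIST_SIZE, tweaked=False)
    tweaked = word_entropy_bits(ASSUMED_LIST_SIZE)
    print(pw, "meets site rules:", meets_site_rules(pw))
    print(f"4 words: {plain:.1f} bits, with capital and digit: {tweaked:.1f} bits")
    print(f"random string of the same length: {random_entropy_bits(len(pw)):.1f} bits")
    print("random characters for equal strength:", equivalent_random_length(tweaked))
```

Under these assumptions the capital and digit add about 7 bits to a four-word password, and a random alphanumeric string matches the result in 11 characters.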
