1P context menu complaint

Vexed
Community Member
edited October 2016 in Mac

I use the context menu items a lot, especially Identities.
Occasionally even Password Generator, WHICH HAS NEVER BEEN IMPROVED AND STILL SUCKS DESPITE MANY YEARS OF COMPLAINTS FROM MANY USERS. But I digress.

Didn't the 1P entry used to have an arrow next to it to open the other 1P items just by hovering, instead of having to click 1P to open them? The same way that context menu items like Speech and Transformations have arrows next to them that open their sub-menus. After clicking 1P a new menu opens and all those items have arrows next to them.

It annoys me that I must click 1P to get to the items I want.
Please add an arrow to make it faster & easier to get to the full 1P menu.


1Password Version: 6.3.2
Extension Version: 4.5.9
OS Version: 10.11.6

Comments

  • Drew_AG
    1Password Alumni
    edited October 2016

    Hi @Vexed,

    Thanks for writing us to ask about the 1Password option in the browser context menu!

    Didn't the 1P entry used to have an arrow next to it to open the other 1P items...

    I believe it worked like that back in 1Password 3. When we released 1Password 4 a few years ago, we completely redesigned the 1Password extension, and as a result of that, the context menu item doesn't have the same functionality. However, the menu item was kept around to provide something for users who were used to using it back in version 3. Selecting it now opens 1Password mini.

    To be honest, I tend to forget that context menu item exists at all. Personally, I think it's much easier to open 1Password mini by clicking the 1Password extension icon in the browser's toolbar, or the icon in my Mac's menubar, or by using the ⌥⌘\ (option+command+backslash) keyboard shortcut.

    It annoys me that I must click 1P to get to the items I want.
    Please add an arrow to make it faster & easier to get to the full 1P menu.

    You don't have to click at all, and you don't even have to open the context menu first. As I mentioned above, you can use the ⌥⌘\ (option+command+backslash) keyboard shortcut to open 1Password mini. Then you can use the arrow keys to navigate through the submenus, or hover over them with your mouse. You can even just start typing to search for the item you want (focus is in the Search field by default).

    Hopefully this helps, but please let us know if you need anything else. Cheers! :)

  • AGAlumB
    1Password Alumni

    @Vexed: Hmm. I definitely don't have large hands, and I use my right thumb to press the right key and my right middle finger for \. Maybe we just have different keyboards. Also, keep in mind that you can choose a different shortcut in 1Password Preferences > General that would allow you to use only your left hand, for example, if that's more convenient. I don't quite understand the LaunchBar conflict you're referring to, but that may help there as well. Just a suggestion that might make your life easier. Never hurts to try it! :)

    Even though you weren't specific, it sounds to me like you're referring to the old scripting addition 1Password used for browser integration in version 2 and early in version 3. This was something we did in Safari and a few other browsers which did not have extension frameworks to enable 1Password to interact. Since this was not supported, eventually Apple introduced a Safari extension API and cut off the previous integration method we were using, and other browsers simply died off (R.I.P. Camino...) You can still use this if you've got an old Mac lying around (Snow Leopard and Safari 4, I think).

    The current state of things is much better than it was initially with regard to what extensions can do, but we still don't have the freedom we did back when we were injecting code into the browser. Frankly it's better for browser stability and security that this was stopped. You (hopefully) only remember the good things about those days, but literally every Safari update broke 1Password integration until we were able to figure out another hack. Exciting, but not fun.

    Anyway, that's why there isn't a fancy multi-tiered contextual menu, and why we created 1Password mini to allow similar functionality. I'm sorry that you hate it so much, and we'll certainly work to improve it in the future, but it just isn't possible (or, really, desirable) to go back to the way things used to be. But I'd love to hear any of your suggestions for how we might feasibly improve 1Password mini (and the password generator, since you mentioned that as well). Cheers! :chuffed:

  • AGAlumB
    1Password Alumni

    @Vexed: I'm not here to argue with you — about entropy in particular, math in general, the fact that a site which places limits on password composition is less secure, or anything else. If you feel that another product is a better fit for your needs, then I don't want to get in your way or try to convince you that your preferences are somehow wrong. Whether you use 1Password or a competitor's product, the most important thing is that you're using a password manager to stay safe online. And no matter what, we'll continue to improve 1Password for all of our awesome customers. I'm sorry if you don't agree with all of our design decisions, but you need to do what's best for you. Stay safe out there.

  • AGAlumB
    1Password Alumni

    There are lots of users out there, and they all have different requirements. We do our best to accommodate the most we can while maintaining an app that’s great to use. And that isn't set in stone; it's very much an ongoing process. So these are things we continue to evaluate.

    But at the same time, password restrictions make all of us less secure, so from our perspective it would be a poor use of our own limited time and energy (which are the only tools we have to make 1Password better for users). Being unable to handle certain characters is a hint that the site may be vulnerable to SQL injection attacks, or simply that they are not using good hashing practices on the server side. At best, they're making it more difficult for all of their users to be more secure by using a password of greater length and composition; and at worst, they have your password stored on the server so it can be obtained by an attacker in the case of a breach, rather than a salted hash that cannot be reversed.

    So when you encounter a password restriction, this affects not only you but anyone else who has an account on that site. When we encounter this sort of thing, it's best to bring this to the attention of the site owner — often a company that we have a relationship with — and encourage them to not only allow all of their users to be more secure, but to cover their own asses. Especially with all of the data dumps showing up more and more in mainstream news, both the average person and the people in power at these companies are more aware of what they each have to lose.

    The question of resources aside (though anything we do means not doing something else), I feel strongly (and I know I'm not alone here) that ultimately if we design 1Password around these types of bad security practices, this is a tacit endorsement and actually helps to perpetuate these things, if only in a small way. If we get to the point where we've burned through more popular features and improvements that will help a greater number of people be more secure, then we can reevaluate the prospect of adding additional options to 1Password expressly for compensating for the shortcomings of website security. But at this time the answer is "not now".

    In the meantime, you can still generate a truly random password and simply delete any banned characters. It's not ideal, but as always, any login saved in 1Password is only as secure as the practices of the site it belongs to.

  • Pilar
    1Password Alumni

    Hi Vexed,

    I’m sorry you feel like this. We’ll keep on working every day to improve 1Password!

  • There is, as of yet, no standard for websites to communicate to password managers the specific nuances of their password requirements. As a result, creating a password with a password generator involves some user interaction.

  • You're absolutely right. We could provide an interface in our password generator that would allow you to provide a list of characters to exclude from the generator. So you could provide it with a list of those characters, and the generator could ensure that no passwords get generated with any of those.

    I'm not entirely sure where you're expecting to find the list of excluded characters for a site though. In order to do so, you'd pretty much have to have generated a password that was rejected, and the site have given you the reason and told you that such a character isn't allowed. So you could then add it to the list, then try again. This is a pretty terrible experience. It's also an indication that the website uses very poor security (not always, but it's certainly an indicator).

    Adding an excluded characters filter would help in some cases. At the cost of added complexity in the password generation interface, password strength calculation, etc. But you're right, it would help in some cases. This isn't the only case to consider though. There are many others. If the goal is to provide an interface for which you can create a password that's going to work on all websites ever... that's going to be very difficult for us. There are some very bizarre password requirements out there, many of which are downright hostile to security.

    In the specific case of symbols, you do have the option of not using symbols at all. You can compensate for the lower bits-entropy-per-character by upping the length such that the resulting strength of the password is just as strong.

    It can sometimes feel futile to email websites asking them to do a better job with security. But it does actually work. I've seen many sites change their requirements as a result of users pushing them. They're not doing it purposefully in order to make you less secure, they're probably trying their best and just don't know better.

    I know that it can feel frustrating discussing this with us and not seeing movement towards something that you feel very passionate about. That passion is awesome. But please do remember that we're people too. No one likes being called dense. We're trying our best to create an app that's great... not just for you, but for everyone.
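
Added example, not part of the thread and not 1Password's code: a sketch of the excluded-characters filter and the length compensation discussed in the comment above, assuming every character is drawn uniformly and independently from the allowed set. The function names and the 94-character printable-ASCII alphabet are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed full alphabet: 52 letters + 10 digits + 32 ASCII symbols = 94.
FULL = string.ascii_letters + string.digits + string.punctuation


def allowed_alphabet(excluded=""):
    """Return the full alphabet minus the characters a site rejects."""
    banned = set(excluded)
    return "".join(c for c in FULL if c not in banned)


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size, target_bits):
    """Smallest length whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(target_bits, excluded=""):
    """Generate a password of at least target_bits from the allowed characters.

    Sampling from the reduced alphabet (rather than generating first and
    deleting banned characters afterwards) keeps the length, and therefore
    the strength, predictable.
    """
    alphabet = allowed_alphabet(excluded)
    if len(alphabet) < 2:
        raise ValueError("need at least two allowed characters")
    length = length_for_bits(len(alphabet), target_bits)
    # secrets.choice draws from the operating system's CSPRNG.
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    with_symbols = entropy_bits(len(FULL), 20)
    no_symbols = allowed_alphabet(string.punctuation)
    needed = length_for_bits(len(no_symbols), with_symbols)
    print(f"20 chars from {len(FULL)} symbols: {with_symbols:.1f} bits")
    print(f"letters and digits only need {needed} chars for the same strength")
    print(generate(128, excluded=string.punctuation))
```

Under these assumptions, dropping symbols entirely costs only a few extra characters of length for the same strength.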

  • AGAlumB
    1Password Alumni

    The net is vast and infinite, so the sites you frequent most aren't necessarily going to be the same as Rick or myself. Something to keep in mind.

    Personally, I very rarely encounter cases where the password requirements are clearly posted. Some sites, sure; but certainly not "most", and often this is trial and error; I only find out that I've broken their rules when I try to save — or worse: when they accept the 64 characters I gave them, but later it turns out they'll only let me login using the first 20 of them. Yeah...

    And then there's stuff like this:

    Wired: 412M Accounts Breached on FriendFinder

    Password restrictions. Why? Because they were storing them in the clear. Only some were hashed, poorly. This is not uncommon. Even if we implement the changes you want in the future, it will never be within 1Password's power to protect you from websites' questionable security policies, which result in weaker passwords, perhaps only slightly as you rightly pointed out, but stem from a systemic security deficit. That's the real issue.

    It's also important to note that, in most cases, you'll only need to generate a password once for a site. Do it right the first time, and, barring a breach, you'll likely never have to change it. And when I say "barring a breach", again, having 1Password make it easier to generate a compliant password doesn't actually protect you from this security threat; this needs to be addressed on the site itself.

    And honestly we can do a lot more good for a lot more 1Password users by improving 1Password's filling, which is used much more frequently, rather than adding a bunch of options to the password generator. I'm sorry that you're not pleased to hear that this isn't at the top of our priority list as a result, but no matter how rude you choose to be in your attempts to persuade us, we're still going to love you and listen to your feedback seriously. Purchasing a software license doesn't give you a license for bad behaviour or the right to demand that it change to suit you — frankly, nothing gives you that right — but it would be a shame if your honesty and passion were dismissed out of hand due to a lack of compassion. Thanks for taking the time to share your feelings with us.

This discussion has been closed.