Password recipe option?

In the iOS app you can customise the password recipe, e.g. choose how many numbers, symbols etc. are used. Could this feature be added to the Windows app also?



Comments

  • AGAlumB
    1Password Alumni

    @BrokenHope: The new 1Password 6 Windows desktop app has options to include both digits and symbols:

    As far as more granular controls, it's something we'll continue to consider. Just keep in mind that the current design allows generated passwords to easily meet many websites' password requirements (e.g. "include at least one number and one symbol") with minimal negative impact on password strength (choosing a specific number of certain character types reduces the entropy for each character significantly). Thanks for your feedback on this! :)

  • AGAlumB
    1Password Alumni

    @BrokenHope: It isn't "bad", per se, but as I mentioned it does limit entropy to some degree. If you're using the default settings, this is less of an issue. But decreasing the length to 16 characters exacerbates things. Using a 30+ character password with a specific number of digits/symbols is of course worse than a password of the same length, unrestricted in its composition...but it's still exponentially stronger than one of much shorter length.

    As you can imagine, we're constantly evaluating and re-evaluating not only the settings we offer, but also the defaults, as the security landscape is ever-changing. 1Password will also "allow" us to use passwords we create with our own brains as well, but that doesn't mean it's something we should encourage.

    Can you give me a specific example of where you'd need to specify a certain number of digits and/or symbols? I can't think of any sites that do this, as they usually just say you need "at least one", but it's definitely something we can take into account.

  • AGAlumB
    1Password Alumni

    It was more a consistency thing rather than sites requiring more than 1. Both the iOS and macOS versions of 1Password allow you to specify the number of specific characters used. By default I’ve noticed 1Password will use 1-2 numbers in a password; I was under the impression that a password containing 4 numbers would be more secure than a password containing only 1-2? Perhaps I’m incorrect?

    @BrokenHope: Nope, you're totally right about that! And I agree about consistency. We've made a lot of progress in this area, but we still have a lot more work to do. It's unnecessarily confusing that 1Password offers different settings on different platforms (except where these are platform specific, of course: Touch ID, SGX, etc.) Thanks for pushing us on this and keeping us honest. :blush:

    The reason I limit to 16 is a fair number of sites don’t allow more than this and some allow even less, and 16 is still fairly secure?

    Ah, the age-old problem of password restrictions. Since the web "happened" we've all been faced with this dilemma. The good news is that every day more and more websites are adopting better security practices and eliminating unnecessary hurdles to their users' security by allowing better passwords. But you're right that this isn't yet a solved problem.

    I know it's tempting to pick a lowest-common-denominator setting and just stick with it, but I encourage you to persevere and push the envelope: set it to 64 characters and only lower it if you hit a wall. And if a site forces you to reduce it below 20, crank it right back up to 64 after until someone forces you to do otherwise. 20 is really the minimum we should be using at this point to ensure that our passwords don't need to be changed again in the near future, but for now 1Password still does at least need to be capable of generating weaker ones since not all websites have moved into the 21st century yet. Fight the good fight, and we'll keep fighting right alongside you! :sunglasses:
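The entropy trade-off described in the replies above, worked through as an added example (not part of the original thread and not 1Password's code). It assumes a generator that picks uniformly among all passwords matching the recipe, and hypothetical class sizes of 52 letters, 10 digits and 32 symbols.

```python
from math import comb, log2

# Assumed character-class sizes; the real generator's alphabet may differ.
LETTERS, DIGITS, SYMBOLS = 52, 10, 32
TOTAL = LETTERS + DIGITS + SYMBOLS


def bits_unrestricted(length):
    """Entropy when every position is drawn uniformly from the full alphabet."""
    return length * log2(TOTAL)


def bits_at_least_one(length):
    """Entropy under the rule 'at least one digit and at least one symbol'.

    Counted by inclusion-exclusion: all strings, minus those with no digit,
    minus those with no symbol, plus those with neither (letters only).
    """
    count = (TOTAL**length
             - (TOTAL - DIGITS)**length
             - (TOTAL - SYMBOLS)**length
             + LETTERS**length)
    return log2(count)


def bits_exact(length, digits, symbols):
    """Entropy when the recipe fixes the exact number of digits and symbols."""
    letters = length - digits - symbols
    if letters < 0:
        raise ValueError("recipe asks for more characters than the length allows")
    # Choose positions for the digits, then for the symbols, then fill each class.
    count = (comb(length, digits) * comb(length - digits, symbols)
             * DIGITS**digits * SYMBOLS**symbols * LETTERS**letters)
    return log2(count)


if __name__ == "__main__":
    for n in (16, 20, 32, 64):
        print(f"length {n:2d}: unrestricted {bits_unrestricted(n):6.1f} bits, "
              f"at least one digit+symbol {bits_at_least_one(n):6.1f} bits, "
              f"exactly 2 digits + 2 symbols {bits_exact(n, 2, 2):6.1f} bits")
```

Under these assumptions a 16-character recipe with exactly 2 digits and 2 symbols loses about 6 bits against the unrestricted case, the "at least one" rule loses well under 1 bit, and doubling the length adds far more than either constraint removes.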

This discussion has been closed.