Long, mixed password that shows poor strength in 1Password??

diitto
Community Member

Hi. Today, I had to make some changes to a login based on things that had changed on the website. I actually made an entirely new login for this site but rather than use the password generator, I edited the login and pasted my own password.

The password is 16 characters long with 8 letters (caps and lower case), 6 numbers and two special characters. And when I saved the login, the "strength" bar shows it as a tiny red bar, in other words about as weak as one could make. Whoa!!!!... What's up with that??? Why would such a long, mixed password show such a poor strength???

thanks.... bob



Comments

  • learning_1pw
    Community Member

    Interesting. I also have one 16 character password that was generated by 1Password, and it shows 0 strength. I just ignore the strength indicator on that one.

  • Lars
    1Password Alumni
    edited August 2017

    Hi @learning_1pw -- one of our fantastic security team, Julie, wrote a post on our blog not long ago about how 1Password calculates password strength, and that's the best place to get a sense of how we do it (it's not the same as many online "password strength" tools).

    To be clear, there are quite a number of factors to consider in assessing the relative strength of a particular password, and the relative weight given to various considerations is what accounts for the difference in assessed strength using various tools. So it's not as if how we do it is The Ultimate Authority™. We think our formula is pretty good, but there are certainly other ways to calculate password strength.

    If you're getting a very low rating for assessed password strength, that doesn't sound right unless you've used a very common password that would be in any "rainbow table." If it bothers you, I'd try jotting down the item information, deleting the item in 1Password and re-creating it. Or just create a new item in 1Password using the same password, and see if you still get the low rating. Let us know what you discover!

  • diitto
    Community Member

    OP here. I did a bit more research and the 16 character password I described above WAS created using 1Password's password generator. And when I first made it and used it in an older login, it scored it with a green bar filling about 80% of the overall bar length. Now, I've taken that same password and edited a new login whereby I pasted that same password into the password field. And it scored it with a barely filling (tiny, 5% tops??) red bar. So generating from within 1Password gives one very different score than pasting precisely the same password into a new Login. I read part of the article you linked, Lars, and I guess the key point is contained in,

    "However, when 1Password is evaluating the strength of a password that you have typed in manually, including a password which was generated in a truly random fashion on another device, the strength meter cannot know whether it is looking at a password that was created through a truly random process or created by a human."

    That seems to be indicating you are going to get a bad score for a typed-in password no matter how truly good the password might be. ?? So I know the password is a good one because once upon a time 1Password DID generate and thought it was good. I pasted it into a new Login and it now called it poor. So I think I just need to remember to not pay attention to the password score for any passwords I might paste into a Login, no matter how good they might be.

    Is that the right takeaway or am I missing something???

    thanks... bob

  • Lars
    1Password Alumni

    Hi @diitto -- That's sorta the proper takeaway. If you generated the password using 1Password's built-in strong password generator, the estimate of the strength will be accurate. But because we don't know where you got a typed-in password, it's more difficult to assess the strength accurately, so a lower score is assessed than would be the case if you had randomly generated that same password (as you indicated was the case for you in at least one instance).

    I wouldn't have expected it to be as low as you and @learning_1pw indicated, but we've made adjustments over time to what results the strength bar returns, and this may be the new, tighter assessment in your particular case. I just tried to duplicate your results by changing a password on an existing item to a not-great string of characters I typed out, then copied to my clipboard and pasted into the password field, and got a decent-but-not-great result (which is about what I'd have expected). Did you try creating a new item with the pasted-in password that received a good score when it was first generated? If not, can you try that and let us know what you discover? Thanks.

  • diitto
    Community Member

    Hi Lars, Maybe I'm confused but you said,

    "...Did you try creating a new item with the pasted-in password that received a good score when it was first generated? If not, can you try that and let us know what you discover? Thanks."

    Yes, if I'm understanding you correctly, that is exactly what I did. I created an entirely new login with a "pasted in" password, a password that had previously been created by 1Password for an older version of the same Login. I still have both the old and the new login so it was easy to go look at the strength bar for both. And while I was at it, I did confirm that the 16 character password, with upper and lower case, numbers and special characters as defined in my OP, is exactly the same in both Logins. Assuming I can attach pictures, to show it more dramatically see two screenshots of the strength bars from the original and the pasted version.

    thanks... bob

  • Ben
    edited August 2017

    Hi @diitto

    Thanks for that additional information. I believe what you're seeing is working as expected.

    When you paste or type a password into a password field, 1Password assumes it has an entropy of 0 (no randomness) as we have no way of knowing how you came up with that password. If you generate the password with the Secure Password Generator we can calculate the entropy. This is why the exact same password, generated by the SPG, can have different strength values in different situations.

    Thanks.

    Ben

    ref: OPM-5256
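
An added illustration (not part of the thread and not 1Password's code) of the point in Ben's reply: entropy is a property of the process that produced a password, so the same string is credited differently depending on whether its recipe is known, and a meter that looks only at the characters cannot tell a human pattern from a random draw. All names, the 70-character pool and the sample strings are constructed; the zero-bit rule for pasted passwords follows Ben's description.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed 70-symbol pool; not 1Password's actual generator settings.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

@dataclass(frozen=True)
class Recipe:
    length: int
    alphabet: str

    def entropy_bits(self) -> float:
        # Uniform, independent draws: length * log2(pool size).
        return self.length * math.log2(len(set(self.alphabet)))

@dataclass(frozen=True)
class Item:
    password: str
    recipe: Optional[Recipe]  # None means typed or pasted: origin unknown

def generate(recipe: Recipe) -> Item:
    chars = (secrets.choice(recipe.alphabet) for _ in range(recipe.length))
    return Item("".join(chars), recipe)

def paste(password: str) -> Item:
    return Item(password, None)

def assessed_bits(item: Item) -> float:
    # Entropy belongs to the process, so without a recipe nothing is credited.
    return item.recipe.entropy_bits() if item.recipe else 0.0

def charset_bits(password: str) -> float:
    # Naive string-only meter: credit every character class that appears.
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    made = generate(Recipe(16, ALPHABET))
    copy = paste(made.password)
    print(f"generated: {assessed_bits(made):.1f} bits")
    print(f"pasted:    {assessed_bits(copy):.1f} bits (same string)")
    # Constructed samples: a human pattern and a random-looking string.
    for sample in ("Password123456!!", "q7R!m2Zx9#Lk4Tb8"):
        print(f"{sample}: string-only estimate {charset_bits(sample):.1f} bits")
```

Both constructed samples match the shape described in the opening post (16 characters, mixed case, digits, specials) and receive the same string-only estimate, which is why a meter that lacks the recipe has to be conservative.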

  • diitto
    Community Member

    Ben, Thanks. Makes sense. Good to know. bob

  • Lars
    1Password Alumni

    Thanks for the question, @diitto! :)

  • diitto
    Community Member

    Sure, I love 1Password. Use it many times every day. Always good to learn new stuff.

    bob

  • Lars
    1Password Alumni

    :+1:

This discussion has been closed.