strength BUG

Sensel
Sensel
Community Member

I went to use 1P to log into a web account. For some reason, a pretty common reason, it did not paste the username (an email) and password into the field correctly. The web site defaults to "did not recognize…” So, like many times before when this happens, I opened 1P and proceeded to copy and paste both in individually. It also affords me an opportunity to check to make sure the password is long or convert it to the way more secure sequence of words (if the web site will allow, which, sadly, almost all do not!)
Looking at it said the “strength” was as LOW AS IT COULD GO! Like a red dot on the bar.
Thinking this might be a neglected site with a too short password I had not updated, I check it. NO! It was an 18 character, random with letters and numbers upper and lower. (Usually the number of characters is a limit of the web site, not my choice.)
When I clicked on the Edit button, the strength bar SHOT UP to green and nearly all the way (I guess missing the $%^& characters caused it to be short of perfect.)
So, THAT is the bug. In non edit state, it says this long password is no good. In Edit mode, it says it is strong.


1Password Version: 6.8
Extension Version: Not Provided
OS Version: 10.10.5
Sync Type: I dunno, you guys messed this up so much

Comments

  • Lars
    Lars
    1Password Alumni

    Hi @Sensei -- thanks for reporting this. What you've experienced is not really a bug, it's a choice of how to measure password strength. Contrary to what you may have expected, there is no one "right way" to measure password strength -- in fact, although there are certainly some overall guidelines that are commonly followed, each site or app which attempts to provide you an estimate of your password's strength may calculate it a little differently.

    In our case, since we're actually responsible for helping you make sure your passwords are indeed strong and secure, we take a pretty conservative approach. As you've discovered, you can check by editing the password, and if you change it, you'll get our estimate of the password's true strength. Hope that helps explain things. Cheers!

  • sjk
    sjk
    1Password Alumni

    1Password Version: 6.8

    Current version is 6.8.2, so make sure to keep 1Password up to date to get future fixes and other changes we make related to measuring password strength.

  • Sensel
    Sensel
    Community Member

    Lars: this is a bug. A UX bug. How are users supposed to know all that? (Also, what is really happening as described does not really match your explanation but, OK, so whatever.)
    Agile bits needs to decide and go with that one method for all display occurrences.

    sjk: Really? You had to tell, anyone, that?

  • What you're seeing is in fact a bug (OPM-4897). We're still trying to track down exactly what's going on there. There are two bugs here:

    1. As you state, there are inconsistencies about how we measure the strength of a password. When in edit mode we force recalculation of the password as if you had chosen it yourself and display a value for it. Meanwhile when not in edit mode, we use the last computed strength for that password. This bug causes some items to have a computed strength of 0.
    2. The more important bug (to me) is why we're computing a strength of 0 for some passwords.

    Rick

    ref: OPM-4897

This discussion has been closed.