Can the password generator be improved to create better passwords?

edited January 2018 in Windows Beta

When using the password generator I've noticed that the passwords it produces are not very good. When you allow digits it doesn't always put them in, and if it does it's just 1 or 2. When you allow symbols it goes crazy and adds lots and lots of the craziest symbols I've ever used. Then I've tried the allow ambiguous characters and it really doesn't seem to do much. I think that the generator needs to be improved. I'm not sure what would be the best way. Either to just improve it to make better passwords or to give us more control over the making of them. For example, if when allowing symbols we could pick which ones are used or when allowing digits we could say pick a percent of digits to letters. I'm really not sure how to fix it but it definitely needs some improvement. I was going to start changing my passwords when I got this password manager but now I like mine better.

6.8.492


Comments

  • brentybrenty

    Team Member

    When using the password generator I've noticed that the passwords it produces are not very good. When you allow digits it doesn't always put them in, and if it does it's just 1 or 2.

    @helpmeifyoucan: Thanks for getting in touch! The important thing to remember is that random is truly random: if you flip a coin 100 times, it is possible — however improbable — that you'll get 100 heads. More likely you'll get some long strings of only heads, where heads-tails-heads-tails would feel more natural, but if you repeat the experiment enough times you'll eventually get all heads.

    That said, I notice pretty much the same thing you do. It's something we'll look into, but from testing here it appears that this is the result of using only 10 digits (that's all there are, after all) compared to 52 letters (capital and lowercase). So, in most cases, unlike a 50/50 coin toss, odds are much lower of getting digits when combined with a pool of letters (and symbols as well). Our brains see patterns: letter, letter, letter, number; 1Password is using the whole character set available to it when selecting one for each position at random; it doesn't care if it's already got X number of letters: each digit gets no higher or lower a priority than any other character.

    When you allow symbols it goes crazy and adds lots and lots of the craziest symbols I've ever used.

    We're using the standard ASCII set, but what I hear you getting at is that some websites just don't like some of these. ;)

    Then I've tried the allow ambiguous characters and it really doesn't seem to do much.

    It's hard to even notice visually, since the option is to use characters which look alike: capital i, lowercase L, and so on. The benefit is that a larger character set yields higher entropy, and therefore stronger passwords which are harder to guess.

    I think that the generator needs to be improved. I'm not sure what would be the best way. Either to just improve it to make better passwords or to give us more control over the making of them. For example, if when allowing symbols we could pick which ones are used or when allowing digits we could say pick a percent of digits to letters.

    That's one thing we can agree on! It can certainly be a pain to deal with websites that place arbitrary restrictions on password composition, so we're exploring ways to make these easier to cope with.

    I'm really not sure how to fix it but it definitely needs some improvement. I was going to start changing my passwords when I got this password manager but now I like mine better.

    Not to put too fine a point on it, but passwords don't need us to like them. I know what you mean, but it's important to keep in mind that randomness is something that humans are not only incapable of, but also we find it repugnant. For example, studies show that we prefer symmetry in faces and objects. These are not random. So we're always going to prefer something distinctly un-random, as it appeals to our aesthetic sense. With security, we need to let go of that a bit — or just not look at the passwords we use. And fortunately, with 1Password, we don't have to memorize or type them, so we pretty much don't have to see them at all.

    I hope this helps. Be sure to let me know if you have any other questions. And thank you for your feedback on this! :)
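
The arithmetic behind the reply above, as an added example that is not part of the original thread and is not 1Password's code: it models a generator that picks every position uniformly from the whole set, then computes how many digits to expect, the entropy cost of forcing a minimum number of digits, and the effect of dropping look-alike characters. The length of 16 and the `AMBIGUOUS` set are assumptions.

```python
import math
import secrets
import string

LETTERS, DIGITS, SYMBOLS = string.ascii_letters, string.digits, string.punctuation
AMBIGUOUS = "Il1O0"  # assumed look-alike set; the thread only names capital i and lowercase L


def generate(length, alphabet):
    """Pick each position uniformly and independently from the whole alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def digit_count_pmf(length, alphabet):
    """P(exactly k digits) for k = 0..length: binomial with p = digits / alphabet size."""
    p = sum(c in DIGITS for c in alphabet) / len(alphabet)
    return [math.comb(length, k) * p**k * (1 - p) ** (length - k)
            for k in range(length + 1)]


def entropy_bits(length, alphabet):
    """Entropy of a uniformly generated password."""
    return length * math.log2(len(alphabet))


def entropy_bits_min_digits(length, alphabet, min_digits):
    """Entropy if results with fewer than min_digits digits are rejected and redrawn."""
    kept = sum(digit_count_pmf(length, alphabet)[min_digits:])
    return entropy_bits(length, alphabet) + math.log2(kept)


if __name__ == "__main__":
    n = 16  # assumed password length
    for name, alpha in [("letters+digits", LETTERS + DIGITS),
                        ("letters+digits+symbols", LETTERS + DIGITS + SYMBOLS)]:
        pmf = digit_count_pmf(n, alpha)
        mean = sum(k * q for k, q in enumerate(pmf))
        print(f"{name}: {generate(n, alpha)}  mean digits {mean:.2f}, "
              f"P(no digit) {pmf[0]:.3f}, P(<=2 digits) {sum(pmf[:3]):.3f}")
        print(f"  entropy {entropy_bits(n, alpha):.1f} bits, "
              f"with >=3 digits forced {entropy_bits_min_digits(n, alpha, 3):.1f} bits")
    unambiguous = "".join(c for c in LETTERS + DIGITS if c not in AMBIGUOUS)
    print(f"without ambiguous characters: {entropy_bits(n, unambiguous):.1f} bits")
```

With symbols enabled, digits are 10 of 94 characters, so a 16-character password averages fewer than two digits and has none about one time in six.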

This discussion has been closed.