Suggestion for improving word based password generation in 1Password

FogCityNative
Community Member

I like the idea of using Password Generator to create word-based passwords. If for some reason I need to log in on a public computer, words are easier to memorize than a random string of characters and symbols.

However, I suggest you do need a few more options to the Password Generator (Words) because quite a few sites require at least one uppercase letter and one symbol.

The symbol requirement could be met by adding a user-defined separator to the list you have pre-defined, allowing the user to type in a $ or & or * or # or ! that will be used as a separator to meet the requirement. (I am not sure that UNDERSCORE is always considered a symbol by every website. Symbols in my mind being the characters above the number keys. Are hyphen, underscore, equal sign and plus sign considered symbols that meet the requirement? If so, then underscore works and the suggestion is only a nice to have, not a need to have)

Then add an option to CAPITALIZE WORDS and now you have this:

Random&Password&Generator

which will meet the requirements of the website.



Comments

  • Lars
    1Password Alumni

    @FogCityNative - Thanks for the suggestion! We're always looking at ways to adjust the password generator, so I'll pass along your comments to the dev team.

  • romazhuzha
    Community Member

    Hi!
    I personally like Enpass' generator very much!
    And they took a lot of your designs and ideas, time to take theirs ;-)

  • Lars
    1Password Alumni

    Welcome to the forum, @romazhuzha! We don't usually spend a lot of time here discussing competitors' product(s), but thanks for the input. :)

  • romazhuzha
    Community Member

    @Lars, I decided that it is easier to show once than to explain.
    But I can also summarize the feature request:

    • Use TextBox instead of EditBox, so the whole password could be seen. If a user doesn't want to copy/paste.
    • Make it possible to add numbers to words, not as a separator.
    • Add case transformation options: lower, upper, sentence, mixed.
    • Add option to use a custom separator.
    • Add option to use random separators inside one password.

    But still, thanks for the awesome product! It's a pleasure to use it.

  • Lars
    1Password Alumni

    @romazhuzha - thanks for the clarification, and we're glad you enjoy using 1Password. :) I'll pass along your suggestions.

  • mnkyby66
    Community Member

    Let me preface by saying...long time 1Password user and big fan!

    Regarding word-based passwords - apparently they are even harder to hack than random character passwords. The article below goes into much better detail than I could ever hope to: https://www.baekdal.com/thoughts/password-security-usability/ It's a good read.

    As such, as @romazhuzha and @FogCityNative are saying, it would be great to have more flexibility with the generation of word-based passwords using the 1Password password generator so we could generate passwords like fluffy86-is19-puffy33 as an example, which, according to the article, would be almost infinitely secure yet somewhat easy to remember when flipping between 1Password and apps or sites. Words (common or uncommon) + Numbers + Characters. Today we just have Words + Separators.

    Thanks for listening.

  • Lars
    1Password Alumni

    @mnkyby66 - Glad to hear you're a 1Password fan, and thanks for the kind words. :) There are a number of factors that go into it, but in general, if you have a set number of characters you can use for your password (perhaps because the website in question limits you to a certain number), a password made up of random characters including upper and lower case alphabet plus symbols and numerals is going to be stronger than a password of the same length made up of random words. You can get a sense for the difference in the chart in this recent post.

    We're always looking at ways to meaningfully expand the functionality and security of the password generator without overloading users with options they must set, so thanks for the input regarding what you'd like to see. :)
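
As an added example (not part of the thread and not 1Password's code): a word-based generator with the custom separator and capitalization options requested above, next to the entropy arithmetic behind the same-length comparison in the preceding reply. The word list is constructed, the function names are hypothetical, and the 7776-word list size and 94-character printable ASCII alphabet are assumptions.

```python
import math
import secrets

# Constructed sample list; a real generator draws from thousands of words.
WORDS = ["random", "password", "generator", "fluffy", "puffy", "native",
         "harbor", "signal", "velvet", "copper", "meadow", "lantern",
         "orbit", "pepper", "quartz", "timber"]

def word_password(n_words, separator="-", capitalize=False, words=WORDS):
    """Pick words uniformly with a CSPRNG, then apply fixed formatting."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    if capitalize:
        picked = [w.capitalize() for w in picked]
    return separator.join(picked)

def meets_policy(pw):
    """Site rule from the thread: at least one uppercase letter and one symbol."""
    return any(c.isupper() for c in pw) and any(not c.isalnum() for c in pw)

def word_entropy_bits(n_words, list_size):
    """Entropy comes only from the random word choices. A fixed separator
    and fixed capitalization are predictable, so they add no bits."""
    return n_words * math.log2(list_size)

def char_entropy_bits(length, alphabet_size=94):
    """Entropy of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def compare_at_same_length(n_words, separator="&", words=WORDS):
    """Generate a policy-friendly word password and compare it with a
    random-character password of exactly the same length."""
    pw = word_password(n_words, separator, capitalize=True, words=words)
    return {
        "password": pw,
        "length": len(pw),
        "word_bits": word_entropy_bits(n_words, len(words)),
        "char_bits": char_entropy_bits(len(pw)),
    }

if __name__ == "__main__":
    print(compare_at_same_length(3))
    # Assumed 7776-word list: four words versus sixteen random characters.
    print(round(word_entropy_bits(4, 7776), 1), round(char_entropy_bits(16), 1))
```

The separator and capitalization satisfy the composition rule without strengthening the password; the strength of a word-based password is set by the list size and the number of words.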

  • mnkyby66
    Community Member

    Thanks Lars. I think more sites - recognizing the importance of security - are rapidly allowing users to create long passwords. Within 1PW...allowing users the ability to combine symbols and numbers and words (common and uncommon) to generate extremely strong passwords doesn’t seem like it would be a big lift. I look forward to seeing it in 1PW - hopefully in the not-so-distant future. Best!

  • Lars
    1Password Alumni
    edited March 2018

    @mnkyby66 - I'm glad every time I see a password field at a site that's not limited to sixteen characters and letters-only (or with arcane rules about what must be included). Security is a moving target; what may be good advice one year might be outdated and even discouraged the next year, due to developments in the meantime. We don't tend to pre-announce new features or versions, but I can give you a little insight into our general thinking: we value every bit of feedback we receive from users, because after all, you folks are the ones out there in the real world, experiencing real situations with 1Password (so thanks for being a part of that! 😊). What we don't always do is pursue every feature request, for various reasons. One of the main ones of these is security. We're committed to making 1Password as secure as we can, with a focus also on usability.

    One thing we won't do is jump on the latest "security theater" bandwagon, no matter how popular it gets. There are many ideas out there which we don't feel add much - or any - meaningful security for most users. Changing passwords frequently is a great historical example of this. We've been telling people for years that if you have a strong, random password for a given resource, and you have no reason to suspect it's been compromised, then it isn't necessary to change that password frequently. For most of that time we've been giving this advice, we'd get the occasional person who referenced the original NIST guidelines from years ago that advocated regular password changes. We didn't feel it was helpful (and we were far from the only ones), so we stuck with our convictions -- and in August of 2016, NIST issued a new set of guidelines, updating and in some cases superseding the old one, and among the new rules was: don't force users to change passwords without reason.

    I bring up this example to illustrate that while we always listen to our users -- and regularly learn from their input and experiences -- we tend to follow our own informed notion of what will be best.

  • mnkyby66
    Community Member

    Sounds good. Thanks Lars!

  • Lars
    1Password Alumni

    :) :+1:

This discussion has been closed.