Password composition

This discussion was created from comments split from: missing "Allow characters to repeat" checkbox in password generators.

Comments

  • AGAlumB
    1Password Alumni
    edited March 2018

    Okay, what's going on? You appear to have posted the same(?) message four times. :unamused:

    I've split you off into a separate discussion since your comments appear to have nothing to do with the original topic, which was the now defunct "Allow characters to repeat" checkbox in 1Password for Mac.

    Additionally, cut it out with the rude comments. This is a support forum, not your personal soapbox. We need to keep this as friendly as possible for the wide range of people that visit. Be sure to keep that in mind in the future. You're welcome to participate, so long as you can adhere to the guidelines:

    Forum guidelines

    If you need help with something, let us know. Otherwise, if you have something to contribute to the community, that's great. But mere negativity benefits no one — including you.

    Moving on,

    In another thread Brenty said "you can still generate a truly random password and simply delete any banned characters."

    Yep. I sure did.

    So he's telling me to manually replace one character with another,

    Nope. Read it again.

    but won’t include the option to exclude it because that somehow lessens entropy but manually replacing it doesn’t. Say what?!

    If you generate a 21 character password that contains a %, which is not allowed by the site, deleting the % nets you a fully random 20 character password. What's the problem?

    Let's take these 20 character passwords just generated by 1Password as an example:

    If I don’t want the pipe in my password, how does it lessen security by replacing it with another character? It’s still 20 characters and will be identical in difficulty to crack.

    Replacing it is different. You're choosing another character to substitute. That's not random.

    They don’t contain a # character either, yet according to your logic if I use the 4th password which contains a # character and replace it with something else, I’ve now diminished the entropy even though the first 3 passwords didn’t have it either.

    That does decrease the entropy. In case it helps, entropy is the amount of random possibilities. When you remove some random element, by definition, you'll have less entropy.

    But I agree that with a very long password doing that with one or two characters won't break the bank. I just don't see what this has to do with anything, other than you're trying to nitpick to try to belittle others.

    It’s no different than simply choosing another password that doesn't contain a pipe or # character.

    If you mean choosing another randomly generated password, then yes, that's correct. But if you're choosing another password you've created yourself, that's not random at all. Clicking the "Regenerate Password" button a couple times if you get a password that won't work for the site can help.

    So if I never want the pipe in my passwords,

    Why not? If the site allows it, what's the harm? If it doesn't, fine; use one that does not contain it. There are plenty more where that came from.

    why should I be forced to generate passwords that contain it?

    You're not forced to. You can always generate another one.

    I’ll just generate another or replace the pipe with something else. Still 20 characters, still just as safe.

    Yep, you said it yourself: "generate another". So what's the problem?

    But it wastes the user’s time and aggravates them for having to perform such a needless task.

    You're right. It often does take greater than zero seconds to generate a few different passwords. We have some ideas for how we can make the password generator more flexible without making it encourage people using weaker passwords.

    But I think it's important to keep perspective: you're leaving these comments using a device that's more powerful than all of the technology used to land humans on the moon, perhaps in the comfort of your own home, your workplace, or even traveling somewhere in between, using communications which can span the Earth in its entirety in milliseconds. And you're complaining about clicking a button to generate a unique new fully random password which no one could possibly guess. I agree that there's room for improvement. There always is. But if that's the greatest inconvenience either of us suffers today, I think we're doing pretty well. Certainly it's your prerogative if you want to let something like this upset you so, but truly it's an amazing time to be alive.

    Brenty acts real concerned about the entropy of passwords, yet the generator will create 4-character passwords if you want it to, how safe is that? Certainly not safer than allowing me to omit unwanted characters from my 20 or 30 character passwords!

    Oh no, I am a terrible actor. This is not an act. :lol:

    4 character numeric passwords — sometimes referred to as "PINs" — are often used by banks, so it's handy to be able to generate those. No one is suggesting you use a 4 character password in any other circumstance though. Always use the strongest you can. We're not paying by the bit here. :tongue:

    The developers aren’t protecting users by generating passwords with characters a site won’t permit. Those characters MUST be removed or the password WON’T be accepted. There is no other choice.

    Indeed. The choice is yours. Always. We just try to offer sane defaults and options for most use cases. We cannot cover every eventuality, but we'll continue to work to find solutions that can help the greatest number of 1Password users. Take care.

  • jpgoldberg
    1Password Alumni
    edited March 2018

    You point out that

    1P’s devs have refused to allow its customers to decide what characters THEY want in THEIR passwords,

    Yes.

    An example

    One of the characters that we do not include among symbols is "<".

    There is an e-store system out there which will silently truncate passwords at a "<" character. If you give any of the stores that use that system a password of OYf<abOsh^Or3nPPQ6%-ZKj, it would actually be treated by the system as OYf!

    It is certainly the case that allowing the "<" character in passwords used on such sites makes the passwords much weaker. If we opened up the ability to let users specify their own character sets, how many of those users would be aware of these sorts of things?

    On being a mother hen

    The underlying password generation engine that is used in (some of) our 1Password clients has all of the power you are seeking. But we have deliberately chosen not to expose that through the user interface.

    There are other things that we don't let users have control over:

    • We don't make PBKDF2 iterations user configurable
    • We don't allow users to choose encryption algorithms
    • We don't give users control of the wordlists our password generator uses
    • We don't give users the ability to specify what certificates are to be trusted when checking for updates

    And many more.

    We do this for three reasons (not all of which apply to password generation)

    1. We don't want to overwhelm people with too many advanced options. There's always room for "just one more" advanced option, but there isn't room for N more.
    2. Complexity is the enemy of security. Our systems are complicated, but only as complicated as necessary.
    3. We don't want people to shoot themselves in the foot.
    4. We aren't in the "security theater" business. (We don't want to just add features that may make people think things are more secure without really adding to real security.)

    And it is really point (3) that is most relevant to this particular discussion. There are some people who know just enough about some of these things to fixate on some particular security goal or measure. They want to crank some indicator up to 11. But they don't understand deeply enough to recognize that they may be gaining very little security in doing so and they may be harming their security interests through trade-offs. On the other hand, someone who fully understands the math and the threats and what crackers do wouldn't really be bothered by the details of our choices about what symbols to include even if they disagreed with some of the individual choices.

    This approach may come across as patronizing and arrogant, and perhaps it is. But it allows us to make things both easier and more secure for 1Password users. Making things both easier and more secure for people is our reason for being.

    But if someone really is bothered by it they are free to do as you suggest and use a separate password generator entirely.

  • jpgoldberg
    1Password Alumni
    edited March 2018

    You write

    jpgoldberg, I think your (and Brenty’s) logic and math is bogus.

    My math and logic tell me that it isn't ;-)

    Let's take these 20 character passwords just generated by 1Password [...]

    They don’t contain a # character either, yet according to your logic if I use the 4th password which contains a # character and replace it with something else, I’ve now diminished the entropy even though the first 3 passwords didn’t have it either. BS!

    It’s no different than simply choosing another password that doesn't contain a pipe or # character.

    Kinda, but not exactly.

    When you change your password creation scheme from "generate a single password and use it" to "generate a bunch of passwords and pick the one you like" you have weakened the security of your password creation procedure. That is because your "pick the one you like" does not choose uniformly from the generated passwords.

    When you change the scheme from "generate a password and use it" to "generate a password and change what you don't like about it" you also weaken the system though in different ways than the former.

    When you change the scheme from "generate a password and use it" to "generate passwords and use the first acceptable one" you also weaken the system, but less than with the other systems. At least the math of this one is tractable. We believe we've solved a closely related problem.[1]

    Ideally

    Ideally[2] it would be nice for our generator to know the exact requirements of each site (or at least the most popular) and then automatically tune for that. We've taken stabs at this before, and we will take stabs at it again; but it is harder to do than you'd think.

    Once you start trying to build up such a database, you quickly discover that many sites and services are inconsistent. They may offer multiple login forms, some in iFrames, some in a returning user page, etc. And they have different rules and requirements for each one. And, of course, these change without notice. And testing what the sites use requires running scripts that trigger their defenses. And lots of other things. But we still may take another stab at this.

    I think that we agree on this much. It would be terrific if 1Password were able to generate a password tailored for a particular site that would be strong and guaranteed to conform to the site's requirement. Of course, that ability should be within the constraints that I described in my previous comment.

    Strength matters

    I do believe we can agree on the above, but I think that – unless you have changed your mind from November 2016 – we have unreconcilable differences. Going back to your post from a year and a half ago, you say

    The generator’s only job is to allow a user to create a password a site will accept. PERIOD. It can’t possibly prevent someone from hacking the site and getting the password, that’s the webmaster’s responsibility. So your argument is absurd and laughable.

    You are simply wrong about that. Strength matters. The very common sort of password breach of a site or service involves capture of the password hashed database.


    1. Here is a very rough and internal draft of our notes on a closely related problem: http://com-agilebits-users.s3.amazonaws.com/goldberg/ns18/spg-entropy-calc.pdf Again, those are internal notes. They lack discussion and explanation of some parts.

    2. Well ideally, these password requirements would go away, as recommended in NIST 800-63b, §5.1.1.2
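
Added example (not part of the thread and not 1Password's code): a comparison of the schemes argued over above, "generate once", "regenerate until the first acceptable one" and "replace the unwanted character by hand", measured in Shannon entropy and in min-entropy. The alphabet, the banned set `|#` and the model of a person always substituting one favourite character are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed 76-symbol alphabet for illustration; not 1Password's actual symbol set.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-/=?@^_|"


def first_acceptable(length, banned, alphabet=ALPHABET):
    """Regenerate whole passwords until one contains no banned character."""
    banned = set(banned)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not banned & set(pw):
            return pw


def per_char_dist(n, k, scheme):
    """Probability of each output symbol at one position.

    n = alphabet size, k = number of banned symbols.
    """
    if scheme == "plain":             # generate once and use it as is
        return [1 / n] * n
    if scheme == "first_acceptable":  # conditioning on "no banned char" stays uniform
        return [1 / (n - k)] * (n - k)
    if scheme == "human_replace":     # each banned char becomes one favourite char
        return [(k + 1) / n] + [1 / n] * (n - k - 1)
    raise ValueError(scheme)


def shannon_bits(dist):
    """Average-case entropy of one position."""
    return -sum(p * math.log2(p) for p in dist)


def min_entropy_bits(dist):
    """Worst-case entropy: how likely the single most probable symbol is."""
    return -math.log2(max(dist))


def password_bits(length, n, k, scheme, measure=shannon_bits):
    """Positions are independent in all three schemes, so the bits add up."""
    return length * measure(per_char_dist(n, k, scheme))


if __name__ == "__main__":
    n, k, length = len(ALPHABET), 2, 20
    print("sample:", first_acceptable(length, "|#"))
    for scheme in ("plain", "first_acceptable", "human_replace"):
        print(f"{scheme:17s}"
              f" shannon={password_bits(length, n, k, scheme):7.2f}"
              f" min={password_bits(length, n, k, scheme, min_entropy_bits):7.2f}")
```

Under these assumptions, regenerating until acceptable costs under one bit at 20 characters and remains uniform, while hand substitution barely moves the Shannon figure but drops the min-entropy by roughly 30 bits, because an attacker who knows the habit can try the favoured character first.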

  • AGAlumB
    1Password Alumni
    edited March 2018

    The reason for the multiple posts is because of the way this forum (dis)functions. As I’ve mentioned before, anytime you edit a post 3 times it disappears. So I tried to repost it and it vanished again..and again...and again.

    "Doctor, it hurts when I bend my arm like this!" "Stop it." But in all seriousness, this is working as designed. Maybe in the future we can find a better spam filtration system. But for now, since you're aware of these limitations, it's easy enough for you to work within those constraints...or wait a bit for us to dig you out of the spam queue again.

    Only after the last attempt did I notice the tiny grey message box in the lower left corner of my screen which said the post must be approved by a moderator before it will appear. I assumed you’d only post the most recent - the last one since it was the final draft after I’d made changes.

    To be clear, this is all automated. If you're often making multiple edits and then reposting the same thing multiple times, I really can't say I'm surprised that you get caught by the spam filter. This just isn't something that most people do, usually just bots.

    I sure wouldn’t have posted one after another if they were actually showing up, I would have continued editing the original. And yes, I’m aware of the preview button, but it seems I still catch or think of something after I’ve submitted it.

    Indeed, the forum also has a draft feature so you can compose your message and edit it before submitting it. It probably wouldn't be a bad idea in general to take your time and consider your words before posting in the future.

    Now, Oh, that’s right - you didn’t tell me to replace it, you told me to delete banned characters.

    Which is actually worse advice because that’s shortening the password.

    You should read my example again.

    Point is, if you’re going to generate passwords containing unwanted characters which I must manually replace/delete,

    1Password doesn't intentionally generate passwords you don't want. It's random.

    then why not allow me to uncheck those characters in the generator so they’re just never used in the first place?

    That may be a feature we can add to a future version of 1Password.

    It’s not making the password any less secure if I choose not to use a pipe so the generator inserts one of the other 50 or so characters. Same length = same security.

    Sure, but you seemed to be saying you'd insert a non-random character manually. I'm sorry if I misunderstood.

    It most certainly is random - I could have chosen any of 50+ characters to insert just like the generator would.

    If you chose it, it's not random. Unless your brain contains a pseudorandom number generator.

    It probably makes no difference to a hacker if the generator were to insert a / or ^ or 6 in place of a pipe if I was allowed to exclude the pipe.

    Perhaps not, but you're really stretching here. We're not going to build a security product on assumptions like that. Instead, we need to assume that the attacker knows how the password was created. And the only way 1Password can really know the entropy of a password is if it generates it itself, without any "help" from humans.

    But it was still generated and wasted my time choosing another which may also have a pipe in it. It’s not as fast as simply clicking the regenerate button again. Since I know unwanted characters may be lurking in the password, I must take time to closely inspect each character to see if any of the 2 unwanted ones are there. That may take 6-8 seconds on a 30 character password. And if one is lurking near the end, I’ve just wasted several seconds and must do it all over. Approx. time wasted = 15 seconds.

    Then consider that all of the time that 1Password saves you through everything else it does the other 99% of the time when you're using it balances that out for you.

    There are times when I must manually enter a password - no pasting allowed. And since the Uppercase i (I) can be confused with lowercase L (l) I often exclude them. They can even be confused with the pipe (I happen to like the pipe since it’s a lesser-used character, I’ve just been using it as an example).

    Understood. That makes sense. Certainly there are cases where that can happen.

    What a load of...hyperbole!

    No, that's reality.

    If you used a browser that loaded an alert box on every webpage and you had to click a button to get rid of it before viewing the page, I think you’d tire of that rather quickly and probably be a bit agitated by it even though it takes but a second, despite the fact that you’re using a device that's more powerful than all of the technology used to land humans on the moon, perhaps in the comfort of your own home, your workplace, or even traveling somewhere in between, using communications which can span the Earth in its entirety in milliseconds.

    I get what you're saying, but unless you spend hours a day (as many of us do surfing the web) generating passwords for sites that exclude specific characters, that's an absurd analogy. I think it's safe to say that you've spent far more time on your complaints (not having more control over generated password composition) than you have on the things you're complaining about (a few seconds here and there creating passwords).

    Again, I shouldn’t have to repeatedly generate passwords to get one that doesn’t include characters I don’t want. Just like you shouldn’t have to repeatedly click a button to view webpages.

    I agree. You shouldn't have to. Yet some websites have absurd restrictions even in 2018.

    If I could omit the pipe (or any unwanted characters) and another was inserted in its place, it would STILL be one "which no one could possibly guess."

    Right, that's why I suggested removing it, because what remains will still be randomly generated.

    So what’s the problem in giving users a choice? They’ve been asking for it for YEARS.

    Users have a lot of choices, and often the problems that they contact us about stem from having too many. There are many features and changes that people have asked us for over time, but we really don't think that should be the sole criteria.

    According to a website, it would take about 4 hours to crack .1ro2#9% Following your advice and deleting a character dropped it down to 3 minutes. But replacing one character with another RANDOM character kept it at 4 hours.

    Well duh, that's a really, really short password.

    And it would take about 42 years to crack +262]+%27&+5 Following your advice and deleting a character dropped it down to 11 months - a VERY significant and unwelcome change. But replacing one character with another RANDOM character kept it at 42 years.

    Again with the really short password. Seriously, try 21, as in my example above. No one sane will recommend you make 8 or 12 character passwords in the first place, much less ones that contain only symbols and digits. Excluding the alphabet cuts your entropy by more than half from the get go.

    Therefore, it appears as though if the generator was not allowed to use certain characters and used others instead, there would be virtually no difference in strength as long as the length stayed the same.

    That's one doozy of a straw man argument. I don't know what else to tell you.

    Evidently it’s not always 3 times, because I just edited my reply twice, then it vanished and I saw this message:

    Indeed, I believe that time factors into it fairly heavily.

This discussion has been closed.