Why was this Password deemed "weak"?

Hi,

I noticed that the password for my admin account on my WD-Mycloud disk was marked as "weak" (red bar). I wonder why this might have happened: is there a way to find the "reasoning" for this?
The password was: "T4qCzaYhk7Lb" (I have changed it since), and if I create a new password entry with it, it is considered "good"...
So I guess 1Password knows something in context that I miss...
There was no entry in the "Watchtower" tab...
The PW was not reused...
The entry was created 12/2014, so maybe 1Password assumed it to be a "standard initial admin PW"?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • @Richard35 the password isn't weak. I suspect however you copied and pasted it from 1Password into WD-MyCloud Disk.

    Copying and pasting it frequently causes poorly designed input fields to not accurately identify the entropy. Try typing it in manually (by hand) and you should get the result as 'strong'.

    Whilst I'm on the topic I'll say this: there's no good reason to use such short passwords. With 1Password you should be aiming for a password like the one below, assuming the service/website permits it:

    OSY|L^^*TmK09j1YuB|OPmpZm&[2eOS\2}<ve}H/|Ni"GT#bEo?RV#E]LwX[!9|j

  • brenty

    Team Member

    the password isn't weak. I suspect however you copied and pasted it from 1Password into WD-MyCloud Disk.

    @darrenNZ: Well...that depends on how it was created.

    So I guess 1Password knows something in context that I miss...

    @Richard35: Exactly! When you generate a password using 1Password and have 1Password save it automatically for you, it knows exactly how much entropy it has, since it created it. But when you enter a password into an item yourself, whether by typing or by copy and paste, 1Password doesn't know anything about how it was created and will treat it skeptically, assigning it a weaker strength rating.

    For example, this password, "T4qCzaYhk7Lb", could be something you made up using a phrase like "The four quiet city zoos always yield hungry kids seven lion's breakfasts" (or perhaps something less ridiculous). If 1Password generates a password though, it knows it is completely random and treats it accordingly.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • For example, this password, "T4qCzaYhk7Lb", could be something you made up using a phrase like "The four quiet city zoos always yield hungry kids seven lion's breakfasts" (or perhaps something less ridiculous).

    Shouldn't it give the "weak" rating again if I enter it by hand?
    Or in other words: how could I replicate the effect? 1Password did something here that I do not understand, and if a program does that, I get curious...

    Whilst I'm on the topic I'll say this: there's no good reason to use such short passwords.

    While I fully agree in principle, I use 1Password on my phone for all password needs (and on the Mac mostly to manage/organize the PWs). Which means I have to enter the generated passwords by hand relatively often, at work and on other private/public PCs.
    Maybe there is an easy solution here that I miss? I could put a txt file with the PWs to copy/paste on a USB stick, but that would be counterproductive :p
    How do you tackle this?

    @brenty:
    Maybe in a future version there could be a "provide PW on USB" button on the phone, and then one could copy/paste the PW from a temporarily created txt file off the phone's USB? Though I doubt the iPhone is capable of such a thing.
    Now that I think about this: the PCs at work reject all USB devices which are not registered by IT.
    Maybe there is an easy solution that I am missing here?

  • brenty

    Team Member

    Shouldn't it give the "weak" rating again if I enter it by hand?

    @Richard35: No. That's still a pretty good password. 1Password just doesn't know how good unless it makes it — and saves it — itself.

    I don't quite understand the rest of what you're asking though. What exactly are you trying to do? Is there a particular reason you are intentionally avoiding using the password generator to create and save a new password? I don't get why you'd have to or want to generate a password on one device and then type it manually into a login on another. Why not just save it on the first and then sync the data?

  • I don't quite understand the rest of what you're asking though

    Sorry, let me clarify.
    Let's separate my questions:
    First, I try to understand how the "decision" that my PW was weak was made. I understand the logic behind your explanation (1Password cannot determine the quality of an entered PW), but I'd like to know, if that is possible, how it happened on a technical level:
    For 1Password, there should be no difference between me entering the PW in 2014 and today. This way, I can avoid whatever I did in the future.
    My philosophy with technical problems is that if I understand it, I can deliberately do it. If I cannot "force" 1Password to mark the same password as "weak" again, there is something I am missing...

    The second problem is that I work with a lot of systems that have no Internet access and are secured to a more or less high degree. That means I have to enter the password via keyboard. At least that is what I am doing right now: maybe there is a better way?
    Is there a possibility to turn the PW into a barcode? Barcode scanners are keyboards, so we could scan the PW from the phone...

  • Dicewords work for me in that situation. I still can't memorize them, but they are really easy to look at and type...

  • brenty

    Team Member
    edited January 2018

    For 1Password, there should be no difference between me entering the PW in 2014 and today. This way, I can avoid whatever I did in the future.

    @Richard35: I wish it were as simple as that, but we've made changes not only to how the password generator works over the years, but also to improve our algorithm to show "strength". The first part is "easy": as we increase entropy, we can get overall strong passwords, right? But the last bit is really subjective: what was considered strong 10 years ago is likely much weaker today. And all of that is relative, as it isn't the when that matters so much as the technological context, both with regard to 1Password and the prevailing security landscape. All of this will change over time, and everything else that goes into it also makes it difficult to quantify. :blush:

    My philosophy with technical problems is that if I understand it, I can deliberately do it. If I cannot "force" 1Password to mark the same password as "weak" again, there is something I am missing...

    I'm not sure why you'd want to force a password to be marked as weak, but given that one you save yourself by typing or pasting will fall on that end of the spectrum (as 1Password assumes it's something you made up yourself), that's a pretty easy way to accomplish that. :)

    The second problem is that I work with a lot of systems that have no Internet access and are secured to a more or less high degree. That means I have to enter the password via keyboard. At least that is what I am doing right now:
    Maybe there is a better way?
    Is there a possibility to turn the PW into a barcode? Barcode scanners are keyboards, so we could scan the PW from the phone...

    I'm confused about what you're trying to do here: are you generating a new password on one machine and then entering it manually in another to save it, or viewing a password on one machine and typing it in on another to login? Originally I'd thought the former, but if the latter, AlwaysSortaCurious makes a good point: there are ways to generate strong passwords better suited to that use case, like Diceware or 1Password's own Wordlist.

  • Yes, basically I have the passwords on the iPhone and generate them with 1Password, but then have to enter them regularly on another PC that is not able to run 1Password or has no connection to the Internet.
    Thanks to both of you for the idea with the Wordlist: I did not know about that feature and it seems like a superior solution :)

  • Ben

    Team Member

    Indeed. Word-based passwords are pretty awesome for any passwords that you need to manually input (whether that means typing them or giving them verbally over the phone, etc.).

    Ben

  • It is possible to use a method that only you know to generate short passwords that look totally random. But these would be bad because they could be guessed by simply trying all combinations of characters (assuming that the malicious user has fast access to test each trial password).

    Therefore, I think the basic requirement for a good password is that it should be fairly long. This year, 10 characters should be sufficient, in general. So, if the content of the 10 characters is not easily guessable by reasonable algorithms ("happyapples" is easily software-guessable as two dictionary words, including plurals), then it is a good password. So, a good password can be very easy to remember yet hard to crack.

    An example might be "Al50states", which is strong (this year) even though it is a simple modification of the easily memorized phrase "all 50 states" and even though it does not look random at all.

    Dramatic further improvement can be made simply by including one or two punctuation characters, since the malicious user would have to be trying all combinations of a larger alphabet to crack the password. Note that randomness (entropy) is not particularly needed!

    This works well for master passwords for password managers, which almost must be memorized. With some practice, it may be feasible to generate strong passwords that are easy to remember and type fairly easily. Just don't explain to others how you generated them, and include at least one trick of your own that is not mentioned in postings like this one!

  • brenty

    Team Member

    @DavidSpector: We really need to assume that an attacker is sophisticated, and that they can discover the "generation method". After all, unsophisticated attackers are not the ones we should be afraid of. ;)

    10 characters is really the bare minimum nowadays. That's what we allow with 1Password.com accounts, but those also have the benefit of the (128-bit, randomly generated) Secret Key. That's not going to be the case with anything else.

    It's just not useful to discuss entropy in that context when the user is choosing the password themselves though. But if they use a word-based password composed of 4 words (that's what we're using by default during 1Password.com account signup, for when users ask for help choosing a strong Master Password), they can get something memorable and strong:

    log2(18000) = 14.135709286 <- bits of entropy per word
    14.135709286(4) <- length of password (words)
    = 56.54283716 <- bits of entropy total

    If they were to use a character-based random password, they can get a bit more entropy:

    log2(81) = 6.3398500029 <- bits of entropy per character*
    6.3398500029(10) <- length of password
    = 63.3985 <- bits of entropy total

    *19 symbols: !#%)*+,-.:=>?@]^_}~
    10 digits
    26 capital letters
    26 lowercase letters
    = 81 characters total

    So, in that case, 10 characters isn't bad at all. But a random word-based password will be better for usability. And most people using 10 character passwords are probably not generating them.

    So, in general, for passwords for websites, 20 characters is a much better "standard", since even if you're only allowed capital and lowercase letters that's very good entropy:

    log2(52) = 5.7004397181 <- bits of entropy per character
    5.7004397181(20) <- length of password
    = 114.0087944 <- bits of entropy total

    Most websites will also accept a password like that, so it's the default we're using now in 1Password X. That really future proofs things so you don't need to worry about changing all of your website passwords (unless they're compromised). Or you can use a word-based password composed of 8 words for similar effect:

    log2(18000) = 14.135709286 <- bits of entropy per word
    14.135709286(8) <- length of password (words)
    = 113.08567432 <- bits of entropy total

    Again, you can arguably get away with less depending on the situation, but this ensures that it will be a long time before you need to change a password because it is simply not strong enough. Cheers! :)
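  • The arithmetic in brenty's post above, and the thread's two practical points (a generator knows a password's entropy only because it drew it uniformly at random, and word-based passwords are the sensible choice when you must type them by hand), can be checked with a short script. This is an added example, not 1Password's code or algorithm: the eight-word list is constructed for illustration (1Password's real Wordlist has roughly 18,000 entries, which is the figure the post uses), and the brute-force guess rate is an assumed round number, not a measurement.

```python
import math
import secrets
import string

# Constructed sample word list; the real 1Password Wordlist has ~18,000 words.
SAMPLE_WORDS = ["apple", "bridge", "candle", "dolphin",
                "ember", "falcon", "garnet", "harbor"]
ONEPASSWORD_WORDLIST_SIZE = 18000   # figure quoted in the post, not measured here

SYMBOLS = "!#%)*+,-.:=>?@]^_}~"      # the 19 symbols listed in the post
ALPHABET_81 = string.ascii_letters + string.digits + SYMBOLS   # 26+26+10+19
ALPHABET_52 = string.ascii_letters                              # letters only


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose every element is drawn uniformly at random
    from `alphabet_size` choices: length * log2(alphabet_size).
    Only valid when the generator really was uniform (CSPRNG), which is
    exactly what a password manager knows about passwords it generated itself."""
    return length * math.log2(alphabet_size)


def naive_charset_bits(password: str) -> float:
    """What a simple strength meter does with a password it did NOT generate:
    infer the character classes present and assume every position was random.
    For a human-chosen or phrase-derived password this is an upper bound, not
    the true entropy, so a careful meter must treat the result skeptically."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return entropy_bits(size, len(password)) if size else 0.0


def generate_words(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Word-based password: secrets.choice draws uniformly from the list, so
    the entropy is exactly n_words * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_chars(length: int, alphabet: str = ALPHABET_81) -> str:
    """Character-based password over the 81-character alphabet from the post."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password by exhaustive search: on average the
    attacker tries half the keyspace. 1e10 guesses/s is an assumed rate for an
    offline attack on a fast hash, chosen for illustration only."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The four calculations from the post, reproduced.
    for label, size, length in [
        ("4 words from an 18,000-word list", ONEPASSWORD_WORDLIST_SIZE, 4),
        ("10 random chars from 81", 81, 10),
        ("20 random letters from 52", 52, 20),
        ("8 words from an 18,000-word list", ONEPASSWORD_WORDLIST_SIZE, 8),
    ]:
        b = entropy_bits(size, length)
        print(f"{label:36s} {b:7.2f} bits  ~{years_to_brute_force(b):.3g} years")

    # The original poster's password: a naive meter credits it with ~71 bits,
    # but only if it really was random; derived from a phrase, it is worth less.
    print("naive estimate for T4qCzaYhk7Lb:", round(naive_charset_bits("T4qCzaYhk7Lb"), 2))
    # Two dictionary words get the same naive credit as 11 random lowercase letters.
    print("naive estimate for happyapples:", round(naive_charset_bits("happyapples"), 2))

    print("word password   :", generate_words(4))
    print("char password   :", generate_chars(20))
```

    Note the two estimates at the end: `naive_charset_bits` cannot tell "T4qCzaYhk7Lb" drawn from a CSPRNG apart from the same string built from a mnemonic phrase, which is why a meter that did not generate the password itself has to discount what it is shown. Only the `generate_*` functions can claim the `entropy_bits` figure, because they drew every element uniformly with `secrets`.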

  • Slightly off-topic: Top 10 of passwords in Germany:

    1. 123456
    2. 123456789
    3. 1234
    4. 12345
    5. 12345678
    6. hallo
    7. passwort
    8. 1234567
    9. 111111
    10. hallo123

    Source:
    https://www.brandeins.de/magazine/brand-eins-wirtschaftsmagazin/2018/sicherheit/sicherheit-in-zahlen

  • brenty

    Team Member

    @Holgerr: I'm kind of surprised to see so many numbers. Maybe culturally there's a perception that words are easier to guess. Most lists like this in the US though have "monkey" up there. I'm not sure what that says about American culture. :lol:

This discussion has been closed.