Good password ranked as terrible?

paulbutcherelit
Community Member

1Password7 on my Mac is ranking an auto-generated password (not generated by 1Password, but still) as "Terrible":

And yet the same password is considered good by 1Password Web:

(don't worry - we've changed to a different password, so there's no security problem sharing it here).

Any idea what's up?


1Password Version: 7.0.3
Extension Version: Not Provided
OS Version: 10.13.4
Sync Type: Not Provided

Comments

  • JMT
    Community Member

    I've got EXACTLY the same issue - my password was just the same as yours (in type) - I think it's a Safari-generated password - same pattern. Maybe something to do with the dashes? But here's the REALLY weird thing - I had the password stored twice for some reason, with slightly different descriptions - and in the other record, it's "excellent". I wonder if it's "terrible" because it's duplicated in my 1Password list (although it's for the same actual login...)

  • Lars
    1Password Alumni

    Welcome to the forum, @paulbutcherelit and @JMT! Thanks for your question about the password strength meter. You're correct, it's a function of whether WE created it or not. There are a few issues to smooth out with the Password Generator, but it's also not as easy as you might imagine to give a definitive answer: there are MANY ways to calculate password strength, and not everyone agrees what the "right" way to do it is. We've tried to use a conservative approach that includes making sure we don't give you a false sense of security by telling you a password is stronger than it actually is.

    For instance, in the example from Paul's post, a copied password may LOOK strong, but we don't know how it was generated, so it may not be that strong at all, so it's assigned a lower score. When we generate a password, we can calculate much more precisely the strength, as we know how it was created. Nevertheless, certainly a long-and-strong password shouldn't have a near-zero strength, and this is a bug we're working on.

    If you want general advice until we have a more solid fix for this out, once you hit 23 random characters (alpha/numeric/symbol), you're at 128 bits of entropy. That's enough to foil even the fastest cracking tools currently available.
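
The distinction drawn in the reply above, between entropy known from the generator and strength guessed from the string alone, as an added example (not part of the thread and not 1Password's code or scoring algorithm). `apparent_bits` is a hypothetical string-only estimator and the sample password is constructed for illustration.

```python
import math
import string

def generator_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are each drawn uniformly at
    random from an alphabet of the given size: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)

def min_length_for(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def apparent_bits(password: str) -> float:
    """Hypothetical string-only estimate: infer the alphabet from the character
    classes that appear, then assume every character was chosen at random.
    Without knowing the generator this is only an upper bound."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return generator_entropy_bits(len(password), size) if size else 0.0

# Constructed sample: 23 characters, four character classes, but built from a
# repeated dictionary word, so its real guessability is far below the estimate.
CONSTRUCTED_SAMPLE = "Password1!Password1!123"

if __name__ == "__main__":
    for name, size in (("lowercase", 26), ("alphanumeric", 62),
                       ("letters+digits+symbols", 94)):
        print(f"{name:24s} 23 chars = {generator_entropy_bits(23, size):6.1f} bits, "
              f"128 bits needs {min_length_for(128, size)} chars")
    print(f"string-only estimate for constructed sample: "
          f"{apparent_bits(CONSTRUCTED_SAMPLE):.1f} bits")
```

The string-only figure for the constructed sample exceeds 128 bits even though the password is a repeated word, which is why a conservative meter cannot credit a pasted or typed password with the entropy its appearance suggests.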

  • paulbutcherelit
    Community Member

    Thanks for the reply @Lars. I'm not sure that it explains why the discrepancy between the local and web versions of 1Password? I would (naively perhaps) have expected them to use the same algorithm?

  • littlebobbytables
    1Password Alumni

    Greetings @paulbutcherelit,

    I don't have an answer for you I'm afraid but I do agree with you, expecting the two to be consistent is a pretty reasonable expectation.

  • BayUno
    Community Member


    Yes I have the same problem. I have a password that is considered very very strong on password meters on the web (it's 19 characters, with some symbols, some caps, no recognizable words etc...), and it says "terrible" on the desktop 1Password app. Then on the 1Password website it says it's good (or the green bar is about 2/3s filled like on @paulbutcherelit's).

    If the password strength meter were faulty on say the Netflix website or something I wouldn't care as much. But this is all you guys do, passwords, passwords, passwords. This is what we are paying you for, to help us with our passwords, to remember them and tell us if they are strong or not!

  • Thanks for the feedback, @BayUno. Was this password generated by 1Password? Did you type or copy & paste it into this item or was it put there by the generator?

    Ben

  • BayUno
    Community Member

    Hi @ben I typed it

  • @BayUno

    That's why. One of the major factors in the way 1Password scores passwords is entropy. With a password you've typed in the entropy is assumed to be zero.

    Ben

  • BayUno
    Community Member

    @Ben ok so even if it was a very complex very strong password, if I typed it in, it would show as zero entropy and be labeled as terrible?

  • @BayUno,

    1Password will still try to make an educated guess about the password strength, but it will assume zero entropy (as it has no reason to assume otherwise or any data to calculate actual entropy). I just created a new login item and typed in the password t8Ss8hased#@asd and even though that is a typed password with zero entropy 1Password estimated it was "excellent." If your password is similar there may be a problem with the calculation. I'd suggest troubleshooting by creating a new login item for this password and typing it again there (don't copy & paste). If it still comes up as 'terrible' then it would seem that is indeed 1Password's assessment of it.

    Ben

  • paulbutcherelit
    Community Member

    @BayUno please see my comment at the start of this thread about the discrepancy between the way that 1Password web and 1Password Mac rate passwords. It seems that 1Password does not have an opinion about passwords, it has multiple divergent opinions depending on where you look.

  • AGAlumB
    1Password Alumni

    @paulbutcherelit: I've (un)fortunately been doing a lot of testing in the area of differences between platforms and know what you're talking about. There is no right answer when it comes to password strength, but we're working to improve it and also make it more consistent across the board. Thanks for your feedback on this.

    However, I do think there's something else going on in your case. Like Ben, I'm not able to reproduce what you're seeing. I wonder if that login is simply damaged, or was created when there was a bug with the password strength. If you create a new login with the same password, does that give you a better result, more in line with your expectations?

  • paulbutcherelit
    Community Member

    I've just tried creating a new password entry with the same password as is ranked terrible, and this time it's ranked excellent.

    So it looks like you're right, there's something about the existing record that's "damaged" in some way.

  • AGAlumB
    1Password Alumni

    @paulbutcherelit: I don't recall the details, but there was a bug with password strength. Since this is saved as part of the item, it was still hanging around there. Sorry for the trouble that caused, but I'm glad that creating a new item resolved it — and that we squashed that bug so it was possible. :)

  • harpal
    Community Member

    It's April 2020 and this issue still persists. I used a 24 character password generated via 1P Chrome extension and it's showing as "Terrible" password in the Mac OS X app.

  • Hi @harpal

    Did you edit the password at all, or is it straight from the password generator?

    Ben

  • harpal
    Community Member

    Thanks for your response, Ben. It's straight from the password generator.

    I rarely create my own passwords - always use long complicated passwords directly via the generator.

  • Thanks @harpal. That's interesting. I wish I had a better answer off-hand for why that might be the case, but I'll speak with the team and do some brainstorming. Thanks for the report.

    Ben

  • codybj
    Community Member

    Hi @Ben, any update on this issue you committed to look into back in April? I too am having the same problem. Auto-filled a 1Password generated password with the Chrome extension in Brave browser, then if I go and look in the 1Password app the password is "Terrible". However, if I expand the Saved Form Details on the same vault item, the exact same string in the password field down below is "Very Good". This is happening with many different sites.

  • hawkmoth
    Community Member

    I see that this seems to be related to a post I made a few hours ago today. Whatever it may be worth, the password in question in my other post is 15 characters long. I did edit the 1PW generated suggestion by one character to make the symbol it contained conform to the web site’s limitations. But in my case, the result is sometimes Terrible, sometimes Very Good, even in the same entry record in the Login category. There is a screen shot in my recent post showing the same password with two different strength assessments in the very same record.

  • ag_ana
    1Password Alumni

    @hawkmoth:

    Thank you for sharing your experience as well. I have added your feedback in the internal issue we use to track this :+1:

  • ag_ana
    1Password Alumni

    @codybj:

    We don't have any updates to share at the moment, our developers are still looking into this.

  • amenges
    Community Member

    Hi @ag_ana - I am experiencing this issue as well (Used 1Password to generate a password, 1Password rates it as "terrible"). It's specific to one government website. Do you need any additional details from me for your issue log?

    Thank you!

  • @amenges

    Thank you for the report, and for the offer. I don't believe we need any additional information at this time. Our plan going forward is to use shared code for rating passwords, so the code currently in use in 1Password for Mac is likely to be going away in future generations of the app. Unfortunately that does mean this isn't likely to be addressed in the short term, but should make it much easier to resolve any issues once implemented.

    Ben

  • magic890
    Community Member
    edited July 2020

    Hi @Ben, same issue here, password generated via 1Password and after copied again it's rated as Terrible.
    Any plan to fix it soon?
    Do we have a remediation in the meanwhile?

    Moreover, if I edit the password adding a single character, and after restore it to the previous state, the ranking is Excellent.

  • @magic890

    "Any plan to fix it soon?"

    Unfortunately this is not a quick / short-term project.

    "Do we have a remediation in the meanwhile?"

    I think what you highlighted is the best I could offer:

    "Moreover, if I edit the password adding a single character, and after restore it to the previous state, the ranking is Excellent."

    I'm sorry there isn't a better answer for the moment, but it is something we're aware of and plan to address as we move forward.

    Ben

  • BiscuitHelp
    Community Member

    Hi Ben, ag_ana, littlebobbytables, Lars and other 1Password Team Members.
    I am having this issue in October 2020, could you provide an update on this? It's jarring and not reassuring that the app I am trusting with my most sensitive data can have a bug like this go unfixed for 2 years.
    My specific issue: I am seeing passwords generated by 1Password's own generator ranked as 'terrible' when using the Safari browser button, and this is reflected in the Mac app.
    Many Thanks,
    BiscuitHelp

  • Hi @BiscuitHelp

    We have some improvements planned regarding the rating of passwords for 1Password for Mac v7.7. This will not change existing ratings, but newly generated passwords should be less likely to be rated as terrible. If you're still having problems with newly generated passwords after 7.7 please let us know.

    Also: for what it's worth, while the symptoms may be similar, this is an entirely different issue than what the OP reported 2 years ago.

    Ben

  • dbates6
    Community Member

    Hi guys, I've run into this problem recently as well, and it's because of another issue in 1Password. Many times, I'd like to use a passphrase as my password, but it doesn't match up with the site's idiotic password requirements, usually the lack of a capital letter or a number. However, 1Password's generator for passphrase doesn't give you that option. I've started using Bitwarden's password generator, which does give that option for passphrases. So I'm copying/pasting the strong password from Bitwarden's site into 1Password, and running into this.

    I'd really like to not use the Bitwarden site, but it does offer a feature that you guys don't. Any chance that we might see this feature added to 1Password's password/phrase generator?

  • ag_tommy
    edited November 2020

    @dbates6

    Our new generator has several options. It's possible one of those may fit your needs.

This discussion has been closed.