1password Mini (beta 7) - more control over special characters used when generating password?

palfieri
edited April 2018 in Windows Beta

I've encountered websites where they only allow certain special characters (see embedded picture), and would like to be able to limit 1pwd Mini to generate a password only using those special characters. As it stands now, I have to continually hit 'regenerate' until I get a password with only allowed symbols. When generating a password with 20+ characters this can take a while.

in 1pwd 4, we had the ability to lower the number of special characters in a generated password to a manageable amount (i.e. only 3) which was a hack I used to make this easier.

What's the official way of handling pwd limitations like this one?

And - any thought as to adding more control over the special characters used in 1pwd mini 7?

Thank you.


1Password Version: 7.0.532
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Dropbox

Comments

  • edited April 2018

    I would also like to have at least a similar control over password generation like in 1Password for iOS, i.e. together with the control of the password length I'd also like to have sliders for number of digits and number of symbols, and an option to generate password which consist of words.
    To palfieri: In your case it's easier to generate a password without symbols and to add them manually at random positions in the password. Imagine that every system can have different limitations, so you would need to replace the list of allowed characters for every system. Fortunately most systems don't limit the list of allowed characters because it weakens the security.

  • Thanks for the advice. Yes, I've resorted to adding in special characters myself, however it takes away from the automatic nature of 1pwd itself. I like how automatic the software is in other instances and get cranky when it's not.

    I also concur on including sliders for number of digits/symbols. This existed in 1pwd4 mini (my previous version) and was very useful from a control standpoint.

  • bundtkate

    Team Member

    @palfieri: My recommendation is the same as @oksoftware's. I'll generate a password with no symbols (allow symbols unchecked) and add some in, or I'll generate a longer password and delete any symbols that are disallowed by the site. It is irritating, but thankfully fairly uncommon.

    We'd love to have a better way of handling this, but in practice almost anything reasonable to do would still require some user input. Sliders can make it easier in some cases, but cannot make it fully automatic. Unless we have some way to detect those requirements or save password "recipes" per site, there's no way to avoid some sort of user input to comply with restrictive password rules. The former isn't something I believe we're capable of and the latter is, in many ways, more onerous than a one-off edit. Especially when you may never end up changing the password for that site. :frown:

    Personally, I prefer generating a long password and nixing improper symbols. Psychologically I feel like it has less effect on the randomness of my password than adding my own self-chosen symbol. The math may well say I'm wrong, but it feels better and there's some value in that. Hopefully, sites will start to get up to speed on what actually makes a good password and adjust their rules accordingly, but until then, the above is my best recommendation. I'm not aware of any plans to make changes to the password generator in the immediate future.

  • For those annoying sites that demand that you change your password often - and have a restricted list of special characters, it would be handy to store a list of those symbols on a per-site basis.

  • MikeT Agile Samurai

    Team Member

    Hi @Stuart21,

    It would be nice but it isn't as simple as it sounds. It'd require us to manually visit all sites (we had requests for banks, credit cards, etc.), read their password rules, code it into a file, put it on a server and then manually code all of our 1Password apps to pull that file, match against your site and then set the configuration properly. We've tried this before with our image service and even after 2-3 years, it is not barely reaching all sites either.

    Even Apple, with all of their money and vast number of folks, could only do it for top 1000 sites for their own built-in generator.

    We have some ideas on how to better approach this solution but it may take a while before we see the benefits.

  • +1 for at least some control -- don't let the great be the enemy of the good!

    In particular, I would love to be able to specify a word-based password which was mostly lowercase (as now) but also has uppercase letters, digits, and symbols. This would cover almost all of the relevant cases, I think.

  • MikeT Agile Samurai

    Team Member

    Hi @a.jaffe,

    In particular, I would love to be able to specify a word-based password which was mostly lowercase (as now) but also has uppercase letters, digits, and symbols

    We have no plans to do that. The whole point of word-based passwords is that it is easy for you to type and remember. If you want to add the rest, you might as well use the character passwords instead, it'll be much stronger.

  • feature request: Let the USER (me) specify special character mix and length constraints for each site. Not asking for fully automatic; asking for more control. This is a very much needed feature as many sites accept and want great passwords, but still have limits on length and composition.

    Example, I just had to create a password with these constraints: 8-24 characters; requires letters, numbers and characters from this set "$!#&-%"

    Nobody can say that a 24-character password with those contents is not secure. Sure, 64 characters or multiple words might be harder to actually crack, but on a modern system that locks out hackers after a few attempts, there is little practical difference.

    A good way to manage this would be to add a feature that lets the users maintain a number of patterns and then pick the needed one for any site.

  • brenty

    Team Member

    I don't see where anyone is suggesting that 24 characters is insufficient. 64 characters is great, but it's really overkill for the foreseeable future.

    Anyway, requiring the user to create and manage a bunch of presets would not be a better experience. Very few sites have the same requirements, so you'd really need to set up a new one for each in most cases. You may personally be okay with that, but most users aren't. That's why you can have 1Password generate a strong password automatically and simply delete any unsupported characters from it right in line.

    We do want to offer a way to give 1Password an allowed character set or exclude specific characters in the future, but we would need to support that in the generation process itself, and also expose it in the UI in a way that isn't confusing and doesn't encourage people to generate weaker passwords by rote.

  • 1) I recommend and request allowing users to paste in the allowed set of characters for a specific site and have the password generator use only them. It would be a far better user experience than having to hand-edit a too-long password to remove illegal symbols for that site, or hand replace them one at a time. A typical user will simply slide the "symbols count" to "0" after a couple of regeneration attempts and will lose the benefits. Example from a major banking site: !@#$%^&*_. In 10 attempts at regenerating a password in 1Password for Mac, even with only 3 symbols instead of the 8 I wanted to use, every attempt returned an "illegal" char vs. that allowed set.

    2) I agree with the above poster to allow adding a capital letter and a number to a string of words. There are situations like needing to enter a password on a smartphone, or worse, enter a WiFi password on a device like a printer with a very limited control panel, where words are FAR less effort to enter, with far less likelihood of a typo on a long password on which you cannot see or paste the password string as you enter it.

    3) On our own site, for registering, set a good example by stating the requirements of a username and password before the user enters one which fails. Set users up for success and happiness, not frustration. State at the time of first entry that usernames can only have characters and underscores and be a max of 20 chars.

    You could save thousands of hours of frustration by posting that as a "Best Practice" that all Sites and Apps need to adopt:
    show the full set of requirements and limitations of usernames and passwords all the time, before users have gone to the trouble of generating a complex string which will fail.

    Thank you.

  • MikeT Agile Samurai

    Team Member

    Hi @mrp_loves_1pw,

    Thanks for your suggestions.

    1) I recommend and request allowing users to paste in the allowed set of characters for a specific site and have the password generator use only them. It would be a far better user experience than having to hand-edit a too-long password to remove illegal symbols for that site, or hand replace them one at a time.

    We'll see if it is feasible, the problem is that there is no consistent standard for laying out the rules. The good news is that Apple (WebKit) is trying to push toward this: https://github.com/whatwg/html/issues/3518

    You can bet that we'll be supporting it if they go forward with it.

    A typical user will simply slide the "symbols count" to "0" after a couple of regeneration attempts and will lose the benefits.

    The moment the site restricts the allowed symbols, you lose the benefits anyway.

    The whole point of a strong password is the randomness or entropy. As long as the site says only "$#*" is allowed, you just tune the password crackers to include these 3 characters and you've just lost all entropy of the said symbols. There's no benefit of including symbols anymore, you'd be better off adding more characters instead.

    3) On our own site, for registering, set a good example by stating the requirements of a username and password before the user enters one which fails. Set users up for success and happiness, not frustration. State at the time of first entry that usernames can only have characters and underscores and be a max of 20 chars.

    That's great advice for all sites, yes. That however doesn't apply to us since we have no advance knowledge of what each site allows; there is no standard that anyone follows. That's the reason we have basic settings for the password generator.

    You could save thousands of hours of frustration by posting that as a "Best Practice" that all Sites and Apps need to adopt:

    Technically, the best practice from us would be: don't restrict anything. There is no real reason to have these restrictions.

    We do have this guideline: https://support.1password.com/compatible-website-design/

    I'll ask our team to see if they can add more content about not restricting username/passwords in the first place.
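    A worked version of the policy quoted earlier in this thread (8-24 characters; letters, digits and symbols from "$!#&-%") together with the entropy point above, added here as an illustration. It is not 1Password's generator; the policy constants and the `generate`, `complies` and `entropy_bits` functions are constructed for this example.

```python
import math
import secrets
import string

# Constructed policy modelled on the one quoted in the thread:
# 8-24 characters, must contain a letter, a digit and a symbol from "$!#&-%".
SITE_SYMBOLS = "$!#&-%"
MIN_LEN, MAX_LEN = 8, 24


def generate(length, symbols=SITE_SYMBOLS):
    """Draw each position uniformly with secrets.choice; discard and redraw a
    candidate missing a required class (rejection sampling), so the result is
    uniform over all policy-compliant strings of this length."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be in [{MIN_LEN}, {MAX_LEN}]")
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if complies(pw, symbols):
            return pw


def complies(pw, symbols=SITE_SYMBOLS):
    """Check length, allowed alphabet and the three required classes."""
    allowed = set(string.ascii_letters + string.digits + symbols)
    return (
        MIN_LEN <= len(pw) <= MAX_LEN
        and set(pw) <= allowed
        and any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in symbols for c in pw)
    )


def entropy_bits(length, alphabet_size):
    """Entropy of a uniform string: length * log2(alphabet); an upper bound
    for the compliant subset, which is only marginally smaller."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate(24)
    print(pw, complies(pw))
    # The thread's point: a 3-symbol allow-list like "$#*" adds little per
    # position next to the 62 alphanumerics; extra length adds far more.
    print(round(entropy_bits(24, 62 + 3), 1))   # ~144.5 bits
    print(round(entropy_bits(24, 62 + 30), 1))  # ~156.6 bits with a full symbol set
    print(round(entropy_bits(32, 62), 1))       # ~190.5 bits, longer and no symbols
```

    Because the generator draws only from the allowed alphabet and rejects non-compliant candidates rather than patching them, no regenerate-and-edit loop is needed and the distribution stays uniform.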

  • I agree with @MikeT, there is no reason to limit the user in either maximum length or complexity of a password, except a minimum length and a minimum required complexity. The maximum length usually points to a problem with a wrong hashing algorithm or a lack of any (the worst case possible). The limitation in special characters points to a wrongly designed web possibly vulnerable against code injection. If any web limits the user in password length or the complexity, be always aware of its security.

  • MikeT Agile Samurai

    Team Member

    Yep, agreed on the minimal requirements. Some sites have started to include the top 1K/10K common passwords and pwned passwords as well to force users not to reuse the passwords.

  • I would suggest as a first step to add another tickbox that says "only most allowed symbols" and just put there the 10-11 symbols that most sites support. I think ? ! _ etc most support. It is not your fault I know but you can make our lives easier. Or maybe better you can let us decide a custom list of symbols that can be for the whole vault. Probably that would be an easier implementation

  • MikeT Agile Samurai

    Team Member

    Hi @jimger,

    In a way, we already do that. We have removed symbols that have caused problems for many sites, such as < which actually strips the rest of the password for some sites (🤕).

    We may be able to look into letting you manage this as an advanced option, I'll pass it on as a suggestion.

  • Thanks....

  • MikeT Agile Samurai

    Team Member

    Thanks for your suggestion!
