Password generator never generates a password with opening symbols

I noticed today after the need for generating multiple passwords that it seems as if the password generator of 1password only generates passwords with closing symbols e.g. ' ) } ] > ' but never the mirrored equivalents ' ( { [ < '. Is this programmed behaviour and is there a certain reason for this? If not wouldn't that make the passwords slightly less secure as the amount of possible character combination go down because of this?


1Password Version: Not Provided
Extension Version: Chrome 1password 1.14
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Milanvd

    Interestingly I was able to reproduce the behavior you've described using 1Password X, but not with 1Password for iOS. So it does seem there is a discrepancy somewhere. I'll file an issue for the team to investigate. Thanks for letting us know.

    Ben

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Well spotted, @Milanvd!

    This is, indeed, specifically designed behavior. There are (or at least have been) websites that silently truncate passwords at < and other opening brackets. So you might generate a password like Lx<tAmQaBNgpWgi-)H*e and the service will just treat it as the password Lx.

    Keep in mind that if you are generating passwords with the SPG then your passwords are going to be extremely strong even if we are very conservative in what special characters we include. Indeed, we are considering reducing that set even further. A slight reduction in the strength of very strong passwords may easily be worth greater compatibility.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    @ben wrote

    Interestingly I was able to reproduce the behavior you've described using 1Password X, but not with 1Password for iOS. So it does seem there is a discrepancy somewhere.

    1Password X and 1Password for Android are using the new Strong Password Generator, but it hasn't been rolled out to all clients yet.

  • Milanvd
    Milanvd
    Community Member

    @jpgoldberg Thanks for the info, I was expecting that it was programmed behaviour. It is interesting to know that some websites (used to) truncate passwords because of these signs.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @Milanvd,

    It's a shame though because your first post was quite correct, anything that reduces the number of permutations is normally a bad thing. Even if it's for good intentions it does impact the search space and history is littered with examples of when this would bite the people involved. My trust and faith in Goldberg though means I instinctively assume this decision was contemplated at great length and the pros and cons given length consideration.

    It's really just a pity that the default isn't the ability to set arbitrary long passwords using any legal character when creating a new password. The varying password requirements and limitations of various sites though do make that feel like a pipe dream.

This discussion has been closed.