How do I generate a new passphrase with special rule/ recipe

BruderJ
BruderJ
Community Member

Some websites spefiy in detail which character I have to use for a safe password.
Is it possible to have more influence on that in password-generator
f.e.:
Using only

  • small letters
  • capital letters
  • numbers
  • the following characters: (Text box)
  • hexadecimal code
    This will be very usefull to generate safer passwords faster according to password-rule
    Thanks.

1Password Version: 7.3.657
Extension Version: 1.14
OS Version: Win 10 (1809)
Sync Type: Not Provided
Referrer: forum-search:How do I generate a new passphrase in hexadecimal-format? (Used symbols: 0123456789ABCDEF)

Comments

  • jeremym
    jeremym
    Community Member

    I am also interested in this. 1Password4 allowed you to specify how many digits/symbols were in the password. I need this back :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jeremym: That was removed from the new password generator because it reduced entropy needlessly. Very few (if any -- none that I've seen) sites require a specific number of digits/symbols; they require "at least one of..." Having a toggle for digits/symbols allows 1Password to use one of any of the characters in the set for any given position, which makes for stronger, more random passwords. And we've got some other ideas to make it even easier to work with without sacrificing security. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @BruderJ: I'm not sure exactly what you're asking for, but I can tell you that examples will go a lot further. We'd rather consider actual websites to try to figure out the best ways to deal with them in practice, so if you'd be willing to share them I'll be happy to look into them and bring them up with the team as we continue to work on the new generator. :)

  • fritzophrenic
    fritzophrenic
    Community Member
    edited March 2019

    @brenty : I'm not the OP but I'm interested in this. My normal difficulty in using the password generator is when a website requires "special characters" but then limits which symbols can be used to a very small, specific set.

    Example websites:

    • my.gm.com (OnStar and other things): "please use only the following: ! @ # $ _ -. Spaces are not valid."
    • secure.ssa.gov (US Social Security): "New Password Must...Contain symbols (! @ # $ % ^ & *)"
    • fsaid.ed.gov or studentloans.gov (US Federal Student Loans): "Non-alphanumeric special characters ! @ # $ & * ( ) [ ] _ - . ?"
    • Capital One credit cards (capitalone.com): "May only use the following characters: Aa-Zz 0-9 - _ . / \ @ $ * & ! # "
    • one of my department store cards requires one of: @.\/!#$*&-_
    • my cell phone provider requires one of: . - _ $ * # @ ! +
    • my health savings account requires one of: $ ! @ ? * = ~ +
    • my employer's benefits page requires one of: ! # $ ^ & * - + _ ? = ~
    • my retirement savings prohibits: " # & * < > [ ] ` { }
    • at work, at one point password policy prohibited spaces, @, :, #, and "

    That's probably enough for now. :-)

    If I could just specify a whitelist and/or blacklist of symbols to use when generating a password, that would be awesome.

    Extra-awesome would be if I could specify "must have at least one" for each character type.

    Extra-extra-awesome would be if I could save the password generator profile that goes with a specific login, in case I need to generate a password for that login again in the future.

    Edit: If it's not clear, when those sites "require one of", they generally disallow any non-alphanumeric characters outside of that set.

  • Thanks @fritzophrenic. We don't currently have anything to address those requirements but hopefully we can do so without overly complicating things. :)

    Ben

  • fritzophrenic
    fritzophrenic
    Community Member

    Off-topic: I've had a few posts hidden, awaiting moderation, right after editing. I assume there's some filter that hides the post if I edit it X times within Y seconds. Can you share details publicly or would that defeat the purpose? I'm not sure what exactly it protects from, but I've been bitten by it a few times now (most recently, in this thread, after correcting a simple typo).

  • AGAlumB
    AGAlumB
    1Password Alumni

    @fritzophrenic: We don't make the forum software, so we don't know the specifics. But the gist of it is that posting something innocuous and then editing it is a common tactic spammers use to add links, etc. after the fact. It's nothing personal, and, as you've seen, we do moderate as necessary -- including the actual spam which you mostly won't see. :)

  • Rabbit32
    Rabbit32
    Community Member

    I am 500% on board with fritzophrenic. The current way of generating password is way too labor intensive to be reasonable.

    I just had to change my password for Capital One. I would generate, copy, paste, only to find that the generated password had one or more "prohibited" characters. This process had to be repeated 4 times before the newly generated password contained only valid characters.

    There's got to be an easy way to add this feature. For every login record, have the following new fields/checkboxes. These will be stored with the other info on each login:

    --- Password Rules specified by system owner/web site ---
    [ ] Allow UPPERCASE letters
    [ ] Allow lowercase letters
    [ ] Allow Numeric digits
    [ ] Allow ANY Non-Alphanumeric character you can directly type
    -- OR --
    [ ] Allow Non-Alphanumeric characters as specified below
    Allowed Non-Alphanumeric characters -- Text field where user can type and/or paste from clipboard
    Prohibited Non-Alphanumeric characters -- Text field where user can type and/or paste from clipboard

    *** Note: If both of the 2 text fields contain characters, the same character cannot be entered into both fields ***

    Let the user copy the allowed and/or prohibited characters from the target website's password change page and paste them into the corresponding field(s) in 1Password. If you detect multiple commas in one of the fields, just auto-remove them, as they are clearly being used as a delimiter.

    Then, 1Password would use the stored rules whenever generating a password for that login.

    This would increase the value of password generation tremendously!!! Please give this some serious consideration.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Rabbit32: Can you tell me the specifics? I just went and changed my password at Capital One and it accepted it on the first try, so I'm not sure what trouble you might have run into there (requirements were not displayed). I'll be happy to mess around with it more, though they might lock me out temporarily. :lol:

  • Rabbit32
    Rabbit32
    Community Member

    Well... I actually decided to change my passwords at 3 banks tonight:

    • Bank of the West (a regional bank with branches in several western states)
    • Capital One
    • Chase Bank

    The Chase and Capital One changes worked fine on the first attempts. Bank of the West, however, rejected the first generated password because it had a [ character. Their only allowed non-alphanumeric characters are: ! @ # $ %

    So I had to try again on theirs. You can get to them at botw.com or www.bankofthewest.com.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Rabbit32: I don't have an account with that one (though I do the other two), but I'll see if someone else here does so we can test that. But sharing the allowed special characters here is very helpful too. Thank you! We're always looking for more data points for this. :)

  • Rabbit32
    Rabbit32
    Community Member

    It sounds like you guys are building in the list of valid special characters for sites you have information on, but I haven't heard anyone explicitly state that. Can you confirm that this is what you guys do?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Rabbit32: It's something we'd like to do, but it's no small task, as I'm sure you can imagine. Rather, at present the password generator uses symbols that are commonly allowed and also not problematic (for example, some characters can cause the password to be truncated due to issues with popular web platforms).

This discussion has been closed.