Why is password rated 'terrible'

This discussion was created from comments split from: Synch from Mac to iPad/iPhone.

Comments

  • Johann_Gruber
    Community Member

    Hello Mr. Ben,

    Please excuse me for reporting a problem, but I can not see it here at 1Password!
    I had a master password (chosen by myself with uppercase and lowercase letters, numbers and special characters). This master password has been described as terrible by 1Password! Studying Mr. Jeffrey Goldberg's predictions about master password predictability, I came to the conclusion that my password was really not secure and should be changed due to the classification in "Terrible". So I made use of the password generator and picked out 6 words that were noticeable to me and according to the tracking green bar was considered very safe (completely filled in). I have to realize that I've changed the empty spaces to hyphens. Now I changed the master password. And now it comes: The password generated by the master password is also called "Terrible"!! The Secure Key visible below is called "Fantastic". Now I ask myself, is the password generated by the master password really not safe or would it have my old master password with 16 characters also sufficient? What have I done wrong??

    I would appreciate an answer very much.

    Greetings from Gruber Johann

  • Hi @Johann_Gruber

    This seems unrelated to the original thread so I've gone ahead and split it into a new one. :)

    Please excuse me for reporting a problem, but I can not see it here at 1Password!

    You're excused, but no excuse necessary. We appreciate feedback about how 1Password is (or isn't) working.

    So I made use of the password generator and picked out 6 words that were noticeable to me and according to the tracking green bar was considered very safe (completely filled in). I have to realize that I've changed the empty spaces to hyphens. Now I changed the master password. And now it comes: The password generated by the master password is also called "Terrible"!! The Secure Key visible below is called "Fantastic". Now I ask myself, is the password generated by the master password really not safe or would it have my old master password with 16 characters also sufficient? What have I done wrong??

    The strength indicator in 1Password is based largely on the calculated entropy (randomness) of the password. If you're manually picking words, that is no longer random. 1Password will still try to make an educated guess about the password strength, but it will assume zero entropy (as it has no reason to assume otherwise or any data to calculate actual entropy). This will be the case for any passwords that have been modified after being generated and ones that are not generated at all. It'll also be true if you paste or type a generated password into a field instead of letting the password generator fill it in.

    Ben

  • Johann_Gruber
    Community Member

    Thank you Mr. Ben for your quick response.

    If I understood you correctly, the only error is that I converted the white space between the words into a hyphen, even though I did not change the order of the generated words or the words themselves. So randomness is still there, because I also got the same words in the same order from the password generator. So you can say that it is a safe master password or am I wrong?

    Greetings from Gruber Johann

  • Thank you Mr. Ben for your quick response.

    You are very welcome.

    If I understood you correctly, the only error is that I converted the white space between the words into a hyphen, even though I did not change the order of the generated words or the words themselves. So randomness is still there, because I also got the same words in the same order from the password generator. So you can say that it is a safe master password or am I wrong?

    It wouldn't be appropriate for me to judge a password as "safe" or not. That said, if the only difference between the generated password and what you're using is hyphens instead of spaces I wouldn't imagine there is any problem with that. The only difficulty is the fact that 1Password won't be able to accurately measure the randomness of the password. It can only gauge entropy from unedited generated passwords. In this case it may be wise to disregard the rating.

    Ben
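
An added illustration of the point in the reply above (not part of the original thread and not 1Password's code): the entropy of a generated passphrase comes from the random word selection, so a fixed space-to-hyphen swap leaves it unchanged, while a meter that only knows the unedited output cannot vouch for the edited string. The word list and all function names are hypothetical.

```python
import math
import secrets

# Constructed 16-word list so the example runs offline; real generator
# word lists are far larger. All names here are hypothetical.
WORDS = ["amber", "birch", "cobalt", "dune", "ember", "fjord", "garnet",
         "harbor", "iris", "juniper", "kelp", "lagoon", "maple", "nectar",
         "onyx", "pebble"]

def generate(n_words, sep=" ", words=WORDS):
    """Pick n_words uniformly at random; return (passphrase, entropy_bits).

    The entropy is a property of the random selection: each word adds
    log2(len(words)) bits, whatever the resulting string looks like.
    """
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return sep.join(chosen), n_words * math.log2(len(words))

def swap_separator(passphrase, old=" ", new="-"):
    """Replace a fixed separator with another fixed one (no words change)."""
    return new.join(passphrase.split(old))

def meter_entropy(candidate, generated, entropy_bits):
    """Entropy a meter can vouch for: only for the unedited generator output.

    For any other string the meter has no record of how it was produced,
    so it returns None ("unknown") rather than a number.
    """
    return entropy_bits if candidate == generated else None

def same_words(a, b, sep_a=" ", sep_b="-"):
    """True if both passphrases hold the same words in the same order."""
    return a.split(sep_a) == b.split(sep_b)

if __name__ == "__main__":
    phrase, bits = generate(6)
    edited = swap_separator(phrase)
    print(phrase, "->", bits, "bits by construction")
    print(edited, "same words:", same_words(phrase, edited))
    print("meter on original:", meter_entropy(phrase, phrase, bits))
    print("meter on edited:  ", meter_entropy(edited, phrase, bits))
```
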

  • Johann_Gruber
    Community Member

    Hello Ben,

    Please contact me today to tell you about a positive experience.
    I wanted to log into 1Password as usual this morning. To memorize my master password, I tried it manually, but gave it up after several failed attempts. I now wanted to copy the master password from the iPhone to insert it on the laptop. When I opened 1Password on the phone, I got an error message by having to enter the master password. I managed that right away, lo and behold, when I opened 1Password on laptop, the password strength rating had suddenly turned "fantastic". This leaves me with the conclusion that you can change the spaces in hyphens, etc., if you leave the individual words in the proposed order with a generated password.

    I'm very happy that it worked and thank you for your patience with me. Maybe this is also a new and positive experience for you.

    Greetings from Gruber Johann.

  • Thanks for sharing, @Johann_Gruber. :)

    Ben

This discussion has been closed.