Password generator differences

@prime

I'm not sure the example of your mother-in-law is a valid argument here. I could counter with the fact that my mother and father use 1Password and have absolutely no idea or care what any of their passwords are comprised of. 🤷🏻‍♂️ But I don't really think those sorts of arguments are productive. I think the take-away is that 1Password is not a niche product anymore used only by specific types of people. It is used by companies who roll it out to their entire diverse employee base. It is used by families who have members of all sorts of different backgrounds. And it is used by individuals who never would've thought of doing so even 5 years ago. Everyone needs and deserves a better chance at being secure, not just those who care how many digits are in their passwords.

I do think it is absolutely ridiculous that in 2019 websites still have asinine password requirements and as folks who are aware of that it is our duty to call out these practices and to use whatever leverage we may have to encourage better options when we see them.

Long story short there is still a lot to be done with the password generator. We don't have uniformity across platforms yet, there is still disagreement (even internally) about what controls should be exposed, etc. As is our usual stance I can't make promises about the future. But I can say we'll continue to listen to all of the feedback, combine it with our own thoughts, and then roll out our best effort. And then we'll probably iterate on that some more.

Ben

Ben's point was that just isn't the case today. Certainly that was true for a long time, but after years of high profile security breaches being featured on network TV, there are a lot more folks who don't self-identify as tech people using password managers for their work and/or personal security. We know this only because we talk to them every day. :)

@prime: Sorry, I misunderstood earlier because that's getting away from the topic of this discussion. You're not wrong, but that's of course why 1Password defaults to having digits enabled. And, given that most websites require some digits in the password nowadays, even if the user has disabled digits, when the user inevitably has to re-enable them, they'll be "stuck" with it on again. I don't see how that's a bad thing. Users need to be able to disable digits sometimes still. There's no getting around that. But they'll inevitably have to enable them again, so it's not the case that they will end up with them disabled indefinitely; and that's beside the point: an indeterminate number of digits is better than limiting them, which is why the new password generator is designed this way. The alternative you're arguing for -- setting a specific number of digits -- still has the option of disabling them completely, and that still has the same "downside" you're suggesting; so, on balance, users will still get better passwords with the current options as opposed to the old way.