Options for helping multi-word passwords pass "one uppercase, one digit, one symbol" rules

harrist4
edited October 2017 in Mac

I prefer using multiword passwords, like "been-manhole-helicopter" or similar combinations, but they fail to pass most websites' password rules. I almost always end up doing this: "Been5manhole$helicopter". Then it passes.
(Note: I do not want to lose the word combination--the whole point is to have the words, otherwise I would just choose a different recipe).

That's such a silly thing to have to do by hand. Could we have a way to automate this process of "make it fit the rules"?

It's not so bad on my Mac, but when using iOS the password field is obfuscated, with a read-only copy right next to it--editing the generated password is quite challenging in iOS.


1Password Version: 6.8.3
Extension Version: Not Provided
OS Version: OS X 10.12.6
Sync Type: DropBox

Comments

  • bundtkate

    Team Member

    Hey @harrist4! Adding more "recipes" to the password generator is something we've considered doing and, although I can't make any promises, I will certainly pass along your support for this feature. One thing I've found to help at least a bit is to change the word separator. This isn't universal, but some sites will accept a hyphen or underscore as a symbol so it can save you from needing to add that at the least. A lot of sites have started to make their rules a bit more obnoxious, so I too look forward to some more customization options for the password generator. :+1:

  • Thanks for a gleam of hope. I have also tried twiddling the separator character, but it rarely satisfies those annoying rules. A special-sauce option seems to be in need, one that does all 3: flips case and swaps in digits and symbols between words.

    One issue does remain: it is very tricky to manually modify a generated password in iOS--try it out.

  • Lars Junior Member

    Team Member

    @harrist4 - it's true: as with most things, using a desktop OS like macOS, along with a full-sized keyboard and monitor, gives you much more flexibility and options than trying to do the same thing on a mobile device. Our iOS team works incredibly hard to match what we can do feature-for-feature on the Mac (or even Windows), but it's just not always possible, and modifying a password is indeed much easier on your Mac or PC than it is on your iOS device -- even an iPad.

    I don't really have a neat trick or insider tip for this, since what you're describing is basically a limitation of screen size and OS, but personally, I try not to sign up for things unless I'm on my Mac. If it has to be done via iOS, I'll do it within 1Password, and just make myself a note to make any edits/changes/updates the next time I'm in front of my Mac. You certainly can do it in iOS (especially if you've got an iPad instead of the much-smaller screen of the iPhone), I just find it easier and less time-consuming on the desktop. Thanks for dropping by and sharing your thoughts with us. :)

  • I'd like to second this request. While I agree these extra rules are unnecessary with sufficient passphrases, unfortunately many security systems still believe in these requirements. I find myself having to go through the hassle of adding capitalization and numbers to at least half of my new password generations which puts a major damper on the user experience.

  • Lars Junior Member

    Team Member

    @jdgoesmarching - thanks for adding your voice to those who'd like to see such a feature. We're always keeping a watchful eye on something as critical to 1Password as the SPG, to make sure it has the right balance of necessary features.

  • I'd also like to add my voice to more options in the rules. I have many places, particularly enterprise stuff, that require combinations like: At least 1 capital letter, at least 1 lower case letter, at least 1 symbol (maybe a restricted set) and at least 1 numeral. Then there is the length.

    I like using words with separators too, so to meet this it would use some symbols and numerals instead of letters and would drop capitals into the mix. So you might get something like this: $ay.H3llo.W0rld.

    Hoping this feature might come soon so I don't have to manually edit passwords whenever I generate them - which defeats the point of generation in the first place.

    I was using passwd safe until recently and while I love 1password, this feature is sorely missed.

  • bundtkate

    Team Member
    edited November 2017

    @HangieMO: Thanks for the feedback! I've had some awful experiences with ridiculous password rules too, so I certainly wouldn't mind this feature myself. :+1:

  • Adding my vote for needing this! I cannot count the number of times I've had to dork around with a password after generating it to make it compliant with rather normal and industry standard password requirements. And it is fairly unbelievable to me that I just forked over another $50 for version 7 and you guys still haven't added this feature?

    As far as the actual execution goes, my preference would be a recipe that made one of the words ALL CAPS and an option to include a 3 digit number as a hyphen group. So instead of waffle-soufle-whimper you get like WAFFLE-390-soufle-whimper. And the next time you click it you get smurf-HIGHWAY-wrench-932 or whatever. (The point being which word is all capped and where the random number group appear are randomized.)

  • Lars Junior Member

    Team Member

    Welcome to the forum, @heavyboots! Thanks for sharing your thoughts and wishes on this issue. Password generation options are something we're (re-) evaluating pretty frequently, so please keep an eye on updates, and thanks for being a long-time user. :)

  • I was told in another thread that you were not considering this sort of change. I hope that this response is more current and correct (and that all of the staff here are on the same page with the same information about this!).

  • Jacob

    Team Member

    With features in general, nothing is set in stone. If there's a lot of interest in something, we'll certainly consider it. If there are only a few people looking for it, though, we'll usually build something that more people can use – it's a balance that we try our best with.

  • I've almost given up completely on pass phrases because almost every single site has these stupid rules in place. Passphrases are the reason I switched to 1Password. I understand you have to balance features, but the one that brought me here is basically useless to me. I'm at a point where I need to consider family plans and given that your competition is much more competitive on price, my reasons for sticking with 1P are dwindling.

    I don't mean to sound entitled, these are just the facts of my situation and it drives me crazy that it hinges on a simple checkbox to add a number and a symbol.

  • Lars Junior Member

    Team Member

    Welcome to the forum, @jdgoesmarching! We really appreciate you taking the time to share your use-case and your wishes with us for greater flexibility with passphrases. And we'd be sorry to see you go, of course, but as long as you're using something for password management and practicing good security, we'll be happy. As Jacob mentioned above, feature requests are something that tend to be in flux on a pretty constant basis. We don't have a specific "voting" system for customers for feature requests, but we do keep an eye on what the most-requested features are. And we also balance that against what we think are best practices, as well as a number of other factors. Passphrase-generation modifications like the one you're looking for are something that we've had other requests for, (in just this thread!), but not as much as some other features. We're not saying "no" definitively, but given the ease of adding a symbol or numeral in the appropriate place(s) manually after generating an otherwise acceptable passphrase, this one's not as high on our list as some others for the moment -- so I think the firmest answer we can give is "probably not immediately."

  • easel
    edited July 2019

    Another vote for this from another "finally bit the bullet and bought v7" long time user. Editing in numbers and caps is tedious and error prone, and arguably less secure than generating them randomly. The suggestion above about randomly uppercasing an entire word and replacing another with numbers is a great one. I doubt many would complain if the default changed and it's certainly not algorithmically complicated to implement. This is an easy win, please don't let feature mania derail simple quality of life improvements to core functionality.

  • ag_ana

    Team Member

    Thank you for taking the time to share your feedback with us @easel, we appreciate it :) And welcome to the forum!

  • hawkmoth
    edited July 2019

    I am musing about working around this issue. Would there be anything wrong with generating a new pass phrase while registering for a new site and then manually appending the very same number, capital letter, and symbol to every one? I know this isn't random at all and would be terrible if that was all there was to a new password. But what if the pass phrase otherwise met the standards of strength and randomness? Would that be OK? So the user would manually add [email protected], say, to every new pass phrase.

  • Lars Junior Member

    Team Member

    @hawkmoth - maybe I haven't had enough coffee yet this morning, but I'm unsure what you're suggesting. Can you clarify? You want to...what??

  • @Lars,

    Well, I did say I was musing.

    Anyway, when a user wants to use a pass phrase for a web site that requires a capital letter, a number, and a symbol in their acceptable passwords, could that user first let 1Password generate a passphrase. Perhaps, for example, midnight-safely-glamour-carrel. My question was meant to ask, would it be any less secure if the user appended the same capital letter, number and symbol to every pass phrase used on any web site that has a requirement like that. So, in my example, midnight-safely-glamour-carrel-A9*. On a different web site, maybe the pass phrase generated is adultery-slave-farthest-lila (1Password really did generate that), but the user adds the same three characters at the end, making it adultery-slave-farthest-lila-A9*. Is this any less secure because the same three appended characters are used repeatedly? If a user can be confident that it doesn't compromise security, it would be easy to remember which three characters are used every time, and s/he could then have the advantages of the pass phrase (easier to remember, easier to type, etc.) and still meet the requirements of sites that demand something like a capital letter, a number and a special character in any acceptable password.

    All I'm really asking is whether a random pass phrase becomes any less secure if nonrandom extras are added on by the user. My intuition says that password strength should not be compromised, but I am not confident that intuition is correct in that case. (I hope that's somewhat clearer.)

  • brenty

    Team Member

    @hawkmoth: Presuming I am understanding your question correctly:

    Is [adding something non-random to a random password] any less secure because the same three appended characters are used repeatedly?

    Then the answer is threefold:

    • No, that would not technically be any less secure, but
    • it would also not offer a security benefit (so I'd question doing it at all), and
    • 1Password still needs to treat it (being a user-created/modified password) skeptically (e.g. viewing it as much weaker than if it generated the exact same password itself) since it cannot accurately determine the entropy, not knowing how it was made (humans are not a good source of entropy*)

    *There was a great StackExchange discussion about this, with one not-quite-accurate but nonetheless awesome summation, "Humans are a strong random generator, but only in youtube comments." A more factual summation from the same discussion is, "Human _brains_ are poor RNG." :)

  • hawkmoth
    edited July 2019

    @brenty observed:

    it would also not offer a security benefit (so I'd question doing it at all).

    Exactly so, but that isn't the reason for doing this at all. Some web sites insist on this, but the word generator can't accommodate this requirement. So, given what you've said, if a user generates a random set of words for a pass phrase and then appends some characters to satisfy the idiotic requirements of a web site, this would constitute a reasonable workaround. It would be just as secure as the original set of words. And if appending the same set of characters every time doesn't compromise the security of the pass phrase either, it keeps the user from having to go in and internally edit the passphrase itself to introduce, say, a capital letter, a number, and a special character. (I do note that the password generator in 1Password is using special characters as word separators, so maybe appending a capital letter and number would be sufficient.)

    I suppose this would have been better in the Lounge area.

  • brenty

    Team Member

    @hawkmoth: Gotcha. Yeah, I'd say that's a good approach in that case then. :)

    I don't think that we want 1Password adding static characters to passwords itself though. We are considering adding a way to include some additional stuff in word-based passwords if needed. But it's best to use a character-based password unless you absolutely need to be able to remember/type it, as word-based will always be weaker than character-based of the same length (and have the benefit of the full character set).
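Added example (not part of the thread and not 1Password's code): a sketch of the "one word ALL CAPS plus a random 3-digit group" recipe proposed earlier in the thread, next to the static-suffix workaround, with the entropy each one contributes and the same-length comparison with a character-based password. The word list is a constructed 16-word sample, and the 7776-word list size and 94-symbol alphabet used in the arithmetic are assumptions.

```python
import math
import secrets
import string

# Constructed demo list (assumption); a real generator draws from thousands of words.
WORDS = ["waffle", "whimper", "smurf", "highway", "wrench", "midnight", "safely",
         "glamour", "carrel", "manhole", "helicopter", "multiply", "abstain",
         "dialect", "farthest", "been"]

def base_words(n_words, words=WORDS):
    """Draw n_words uniformly at random (with replacement) from a CSPRNG."""
    return [secrets.choice(words) for _ in range(n_words)]

def apply_recipe(parts):
    """Upper-case one random word and insert a random 3-digit group at a random slot."""
    parts = list(parts)
    i = secrets.randbelow(len(parts))
    parts[i] = parts[i].upper()
    group = f"{secrets.randbelow(1000):03d}"
    parts.insert(secrets.randbelow(len(parts) + 1), group)
    return "-".join(parts)

def append_static(parts, suffix="-A9*"):
    """The workaround from the thread: the same known suffix on every passphrase."""
    return "-".join(parts) + suffix

def entropy_bits(n_words, list_size, recipe=False):
    """Bits of entropy when the attacker knows the scheme but not the random choices."""
    bits = n_words * math.log2(list_size)
    if recipe:
        # which word is capitalised + the digit group + where the group is inserted
        bits += math.log2(n_words) + math.log2(1000) + math.log2(n_words + 1)
    # A fixed, known suffix has exactly one possible value: log2(1) = 0 extra bits.
    return bits

def char_entropy_bits(length, alphabet_size=94):
    """Uniform random password over printable ASCII without the space (94 symbols)."""
    return length * math.log2(alphabet_size)

def meets_policy(pw):
    """Typical rule: at least one upper, one lower, one digit, one symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

if __name__ == "__main__":
    words = base_words(4)
    for label, pw in [("plain", "-".join(words)),
                      ("static suffix", append_static(words)),
                      ("random recipe", apply_recipe(words))]:
        print(f"{label:14} {pw:45} policy ok: {meets_policy(pw)}")
    print(f"4 words, 7776-word list: {entropy_bits(4, 7776):.1f} bits")
    print(f"same with random recipe: {entropy_bits(4, 7776, recipe=True):.1f} bits")
    print(f"28 random characters:    {char_entropy_bits(28):.1f} bits")
```

Both variants satisfy the composition rule; only the randomised recipe adds entropy (about 14.3 bits for four words), while the static suffix leaves the figure unchanged.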

  • Since I originally posted this almost two years ago, I have been holding out hope that a simple feature like a checkbox to add some randomness to the separators would appear in v7.
    I studied the feature comparison and saw lots of UI enhancements but no mention of helping with password generation--perhaps that's in there but not described in the top bullet points.

    Nevertheless, I plan on sticking with 1Password simply because it has been an excellent tool for years.

    Please do consider this feature. If it weren't so tedious to edit a password in iOS, I wouldn't be complaining about having to tweak the passwords. Nevertheless, the fact that I 1) must tweak the multi-word password, and 2) must edit the iOS passwords blindly via map and compass, makes it quite annoying.
    If there were even something as simple as a highlight over the plaintext showing the current letter of the cyphertext in iOS, it would be less painful.

  • brenty

    Team Member

    @harrist4: For more information on the limitations of password security/editing on iOS, please see this recent discussion. We'll see if it can be improved in the future, but I'd be more curious about the specific scenarios where you find it is necessary to manually edit passwords regularly. I test many sites daily and don't run into anything like that often at all. I still hope to see better security practices overall, but things have gotten significantly better on the web in recent years.

  • It's nothing as fancy as sites saying "you must use 2 Greek and 3 Cyrillic characters" or anything like that.
    It's more a problem of many websites not allowing the default multi-word passphrases that 1Password generates.

    I want to use the passphrase generation feature of 1Password because it is so much easier to enter a multi-word password than a gibberish one. But, for example, when I try to use "multiply-abstain-dialect" in most websites they say "you must include at least one digit and one upper-case letter" or "one digit and one symbol".

    So, I put digits in place of the dashes and upper-case a letter, making that example "Multiply4abstain5dialect"
    It still is a much more convenient password to type, while meeting the requirements of the website. That is why I end up editing passwords.

    A relatively simple solution to this problem would be to have an option to tweak the word case and use random digits or symbols as separators.

  • Lars Junior Member

    Team Member

    @harrist4 - I confess to not understanding this:

    I want to use the passphrase generation feature of 1Password because it is so much easier to enter a multi-word password than a gibberish one.

    If you're using 1Password to do the password-remembering and password-entering for you, how is it any different? We have the passphrase generator because infrequently, you'll need a password that you have to be able to remember/manually type into certain systems (offline ones where 1Password can't fill, etc). But for the vast majority of online stuff, there's no reason to require a pronounceable/memorable passphrase. But the choice is definitely yours.

    We'll continue to evaluate the flexibility of 1Password's Strong Password Generator, though I don't have any news regarding plans to share at the moment.

  • harrist4
    edited July 2019

    The main problem is all of the places where I cannot use the autopopulate feature. For example, logging into a network device from a computer that is not mine, or logging into a web account from a public computer.
    It is so much more convenient to type a password made of words than to try to hand-type a bunch of gibberish.

    I have hundreds of accounts and passwords in 1Password. This is not a rare event, I have to manually key in passwords from the app on a regular basis.

    An area where this is very common is when an employer does not allow installing 1Password, but there is still a need to manage large numbers of credentials.

  • Ben AWS Team

    Team Member

    @harrist4

    The main problem is all of the places where I cannot use the autopopulate feature. For example, logging into a network device from a computer that is not mine, or logging into a web account from a public computer.

    We have to recommend strongly against logging into your accounts from public computers. There is no telling what malware exists on such devices. But your point about computer and network device accounts is well taken.

    It is so much more convenient to type a password made of words than to try to hand-type a bunch of gibberish.

    Yes indeed. This is why we started including the 'words' recipe. So I do understand that point. But generally this should be the exception / minority of your passwords. Most should be able to be generated using the 'characters' recipe?

    I have hundreds of accounts and passwords in 1Password. This is not a rare event, I have to manually key in passwords from the app on a regular basis.

    This is the point I'd like to better understand. As mentioned above in most use cases this should be the vast minority of accounts where autofill is not possible. Could you please elaborate on why you're finding the need to do this so frequently?

    An area where this is very common is when an employer does not allow installing 1Password, but there is still a need to manage large numbers of credentials.

    1Password X may be able to help with that. It does require a 1Password.com membership but it doesn't require installing an app (just a browser extension). If you're not able to do even that the 1Password.com website may help. You can copy & paste passwords from there.

    Ben

  • Just wanted to add my voice to the chorus of people wishing they could add upper/lowercase, number, and symbol characters to "word" passwords. They're much easier to deal with than gibberish passwords (I too often have to type instead of copy-paste or autofill), but most systems I deal with require that I have all the variety of characters regardless of password length.

  • Ben AWS Team

    Team Member

    Thanks for chiming in with your thoughts on this @davemacdo.

    Ben

  • I'd also like to see this added to 1Password. This is an actual hassle.
