1password 7 (windows) generate password - how to set option for numbers and symbols

When I want to set a good, great, fantastic new password, I don't seem to have the option to set the number of integers and/or symbols. Nor can I see how good my new password it. Yes, there's a gauge bar but it seems to be less than precise.

Obviously you know a number of us prefer the generate tool used in 1PW 4. Can we know the reason you didn't bring it forward? Also, are there plans to set closer options in future generate tools?

Thanks.

-G.


1Password Version: 7.3.661
Extension Version: 4.7.3.90
OS Version: Windows 7 64-bit
Sync Type: none
Referrer: forum-search:1password 7 (windows) generate password - how to set option for numbers and symbols

Comments

  • BenBen AWS Team

    Team Member

    Hi @gorham,

    Thanks for taking the time to provide feedback on 1Password 7. We are working on standardizing the password generator across all of 1Password. To better understand your request could you please provide and explanation for the purpose of defining the number of integers or symbols? It seems in most cases this is something that is either required or not, vs requiring a specific number of them. Additionally, could you please elaborate on what sort of precision you're looking for with regard to the password strength indicator?

    Ben

  • I had to dredge this one up. When I go to a new site and want to set up a password, my 1Password4 lets me make it more "fantastic" with more integers and/or symbols. But sometimes the site itself has limits so I have to adjust that. It's really helpful (to me - one size definitely does not fit all!) tweak those integers and/or symbols to keep the password as strong as possible within the given parameters. Yetch. That makes sense to me. You are forgiven if it doesn't at all to you. Anyway, I've come to terms with keeping 1Password4 on my machine as a password generator.

    Incidentally, I feel like I missed the rabbit but I'd comment that I'm not controlling the letters, integers or symbols; my results are still random - within the parameters I have to use. I'd probably not have been quite as forceful as @ClickCardo but I do agree that if we want to muck about with the component parts, we should be able to do so.

    I'm not sure why this surfaced after all this time but, hey, a soapbox is always welcome. 8-)

    -G.

  • LarsLars Junior Member

    Team Member

    @ClickCardo - we appreciate your passion for 1Password! :)

    I really insist that the paying customer should have the right to...

    We hear you. The trouble is that we've got quite a large range of paying customers from all walks of life, all levels of skill and familiarity with 1Password, and with computers in general. They've got different needs, from the 20 year veteran sysadmin to my mother. And many if not most of them feel that "the paying customer" (by which they mean: themselves) should have...whatever feature/ability/preference/option they're currently advocating for.

    We're always happy to hear people's use-cases. We want to hear them, in fact, because we don't always think of everything, nor do we always have the best idea or approach right out of the gate. But there are also a couple of simple truths: all 1Password users are "paying customers" (we've never had a free version of the desktop apps), and we cannot say yes to every user's request, partly because some of them literally request polar opposite things from one another, but also because if we tried to do so, 1Password would wind up looking (and working) like a UI nightmare fairly quickly. So what we do instead is try to take in as much feedback as we can...and then make our own decisions, using our own best judgment.

    If you can give us examples - as many as you have - of websites for which the standard functions of 1Password's Strong Password Generator didn't work, and what occurred instead? Our experience is that the number of websites that continue to have the kind of user-hostile functionality of things like password requirements that aren't shown to the user until AFTER they've violated them, or requiring specific values in specific locations/quantities, keeps decreasing month by month. Obviously, that number is not (yet!) zero, but it's going down steadily, as more and more webmasters begin to understand the difference between security and security theater.

  • The one thing I've always wished for in 1Password password generator is the ability to define what symbols are allowable. I still routinely run into sites with rules like "must include at least 1 symbol from #*&%$^ (but no other symbols)". It would be VERY useful to be able to optionally specify which symbols are valid - something like a text box on the password generator screen that defaults to blank (all symbols) but, if filled in, will only use the symbols from the text box. I've seen some very odd combinations of allowable symbols so a simple subset is not sufficient - it needs to be configurable on-the-fly.

  • @wilcoxon You are absolutely right on! I've had to either remove or substitute out a symbol based on local parameters myself. It probably doesn't hurt in the long run but it does play havoc with the idea of random. Your idea - where there's a pool of acceptable symbols - would, I think, maintain randomosity. :)

  • brentybrenty

    Team Member

    Indeed. It's certainly something that could help in some cases. We haven't found a good way of presenting that kind of functionality that doesn't run an even more significant risk of people unnecessarily limiting the strength of their passwords on an ongoing basis, but perhaps we will. One thing we're also looking at is making 1Password get users the same end result -- maximum strength password within the limitations of a specific website -- with less fiddling, perhaps by having 1Password remember the restrictions of specific websites and act accordingly. Either way, knowing specific websites we should be using as test cases can help a lot, as Lars mentioned above.

  • brentybrenty

    Team Member

    I don't know what "too many" means. In testing thousands, I haven't encountered any websites that say "no more than n symbols/digits". It's possible that there are some out there, but it's certainly going to be rare. Being "picky" about passwords doesn't benefit security; it just gives people rashes.

  • Amen @ClickCardo! Which is why I keep 1Password4 (Windows 7) on my machine too. Not the extension and I've removed the data and of course changed the password. For me, it's just password generator software. Picky? Us? Heh!

    @brenty, not too many but which ones they let you use.

  • LarsLars Junior Member

    Team Member

    :) :+1:

  • brentybrenty

    Team Member

    I don't have a horse in this race, just years of testing thousands of websites for all sorts of issues that can affect 1Password users. If we can find a way to make 1Password work flawlessly for every edge case, we'll all be happy. Until then, we've got to try to do the most good for the greatest number we can. Thanks for understanding, and for supporting what we do! :)

  • It should be a useful feature if we can define required characters and symbols. For example, in our landscape we are using SAP and several databases, and we have password policies. Like 3 min digits, 5 min symbols, 4 min lower case, 4 upper case characters, forbidden characters (especially for Oracle, it only accepts ? % ^ * + ~ - = [ ] { } : , . # _ )

  • brentybrenty

    Team Member

    @Naxterra: Thanks for bringing this up. I hadn't heard of those specific requirements before. It's something we'll evaluate along with the others that people share with us. You've got good odds of getting a valid password if you max out the length, but certainly it would be possible that one or more of those might not be met due to randomness.

  • This turned into an interesting thread! I've become more aware of the process and users' expectations too.

    I just want to thank the Team Members for their care and consideration for issues raised here. In my experience it's a rare thing and I (and I'm sure many others) really appreciate your accessibility and expertise.

    Who brought that soapbox in here?? 8-)

  • bundtkatebundtkate

    Team Member

    Thank you for your kind words and for following along, @gorham. It's an interesting problem, so I think it does attract a lot of attention, both from our team and our customers, as a result. We get on soapboxes ourselves at times, too, so I suppose it's only fair we share them from time to time. :wink: Ultimately, I think we all agree that most of the time the real source of trouble is sites having these requirements at all, but that's reality for the moment and we need to find ways to cope as best we can.

    With that said, unlike brenty, I actually do have a horse in this race. You'll probably find me mentioning this in numerous threads here, but I'm actually really passionate about solving this problem because it has a huge impact on me several times a year and I can fully sympathize with everyone who encounters it. The bank that holds my mortgage is the literal worst with passwords. You know those sites that don't tell you the rules until you break them brenty mentioned? Yea, it's one of those. Plus, the bank makes me change my password fairly often (another practice that has fallen out of favor) so I have to deal with it often. For all of the time my wonderful teammates have spent teaching me the value of random, I just can't bring myself to care about it when faced with this wretched site.

    Ultimately, I've tried to turn this negative into a positive and use myself as a test case for changes to the password generator. The one we currently use on Windows is actually about as good as 1Password 4 in my case. I can't claim to understand exactly why, but the few times I've tested with 1Password 4's generator and limited the number of symbols (usually the thing that gets me), I haven't found it gets a good password any quicker than 7. I suspect length has something to do with it (the bank doesn't allow a very long password either) as shorter passwords tend to end up with fewer symbols by default, but that's just a guess. 1Password X's option to generate a word-based password with numbers as a separator and capital letters was so close to working every time, but I needed a symbol still which meant manually editing or the same old regen dance. Oddly enough, 1Password for Mac's most recent password generator seems to have hit the mark. Again, I don't know why, but I do know that some changes were made to it in an effort to work better with picky sites. I've only had to change that password twice since that update, but it worked on the first try both times, which is amazing enough that I owe the team that worked on it a few beers at the very least.

    This may be neither here nor there for most in this thread – if you don't have a Mac, this isn't something y'all will get to play with just yet – but I bring it up just to show that this is something we think about and worry about and work towards alleviating in our own way. I've found the solutions our development teams implement for problems don't always look the way I'd expect them to. Like you, I thought recipes were probably the answer here and, as sites adopt methods to better share their password requirements with password managers, perhaps they'll still have a role to play. But, from my perspective, we seem to have solved my biggest password generation problem without them and my hope is that you'll see many of your struggles solved the same way.

    Regardless, I'd love to keep this conversation going. As things change, let us know what you think, tell us if anything makes things better or worse. Soapbox or no, feedback from y'all is always immensely helpful and we'd not be able to improve near as quickly without it. Thank you for taking the time to share and hopefully my personal sympathies for your plight provide some solace next time you're faced with stupid password requirements, too. :chuffed:

  • khadkhad Social Choreographer

    Team Member
    edited July 22

    For whatever it’s worth, adding numbers and symbols isn’t the only way to make a password better or stronger. In fact, it’s not even the best way. Length is always the easiest way to add entropy. But even when you can’t make a password super long, you can still achieve high entropy without numbers and symbols.

    For example, even a password that is only 23 characters and has no numbers and no symbols provides an uncrackable-in-the-age-of-the-known-universe 128 bits of entropy. But even if a site or service only allows 15 characters (and, again no numbers and no symbols), you’re still looking at a very secure 80 bits of entropy.

    I don’t say any of this to negate the realities of certain sites and services, but I did want to make sure we were all on the same page when it came to password strength (with and without numbers and symbols).

    My strategy is always to use the longest password a site will allow, including numbers and symbols. But if a site gives me a hard time at all, I just turn off numbers and symbols. Creating passwords is quick and painless for me, and I sleep well at night.

  • With all due respect 1Password, you speak about not being able to grant every request, but this is not about a new feature. The option to choose the number of symbols etc. was already there which you've decided to take away! I want to make the password as complex as I choose, not you, even if all it means is peace of mind knowing I've made a super strong, complex, password. Why take something away when those options had a set default and didn't need changing anyway, unless you wanted to, which I, and the users here, did. Also, there are plenty of sites that will only accept certain symbols. If I had it my way, I would be requesting that we could go further and chose what characters to use. Lastly, to the the last 1password team member, khad, how do you know what lies in the future? God knows what unscrupulous parties will manage to develop, especially given the advances of quantum processing (but then I guess that would make 1Password redundant). Plus, even if the simple fact that having a password with 23 characters is uncrackable, I would most certainly feel much better if I could make it as complex as I wish. Going by that logic, if I create a password with 23x "1" it is uncrackable. Somehow, that doesn't fill me with confidence.
    (1Password on MacOS and iOS)

  • HenryHenry

    Team Member

    @Pedrosa Thank you for sharing your thoughts here. I totally understand the desire to customize your passwords with just the right number of symbols and digits, as it's something I did since starting to use 1Password until our recent switch to the digits/symbols checkboxes.

    Let me respond directly to a few specific bits of your comment to hopefully help you understand where we're coming from...

    The option to choose the number of symbols etc. was already there which you've decided to take away!

    Since 1Password 6-7 for Windows was built from the ground up, not using the existing code from 1Password 4, we didn't specifically decide to take away the option to choose the number of digits/symbols. Our Windows developers were starting from a clean slate. Ditto on the Mac side, where this change came about during a complete redesign of 1Password Mini. Still, why did we make our password generator the way it is now? In short, for ease of use and security:

    • Ease-of-use: Keeping it to just the most important length slider makes the password generator easier and faster to use, and having the user simply choose on/off for symbols and digits rather than exactly how many makes for less choice. Put another way, the new password generator will help alleviate possible choice overload from the considerable segment of our users who just want 1Password to generate a strong password that works.
    • Security: It's a relatively simple formula we follow: randomness = entropy, and more entropy -> stronger passwords. By randomizing the number of digits and symbols in any password you generate, you're actually creating more entropy, and making each character even less guessable. In other words, the randomly possible presence of a symbol or digit for any character maximizes password entropy (and thus strength), more so than simply piling on more symbols like how you and I might have done with 1Password 4.

    I want to make the password as complex as I choose, not you, even if all it means is peace of mind knowing I've made a super strong, complex, password.

    Adding more digits/symbols will (unfortunately) not make your password more strong or complex. Letting the 1Password password generator do its thing – checking the "allow digits" and "allow symbols" boxes – is the best possible strategy for increasing entropy of a password for any given length, since that's more random. Then, to make the password more complex yourself, you can make it longer with the length slider.

    Going by that logic, if I create a password with 23x "1" it is uncrackable.

    Khad did not say that, nor have I or any of our other teammates. Our explanation assumes you're using the password generator, which creates truly random passwords. If we assume there are 50 options for what each character is with symbols and digits options enabled, a 23-character password generated by 1Password has a 1/1.1920929e+39 chance of being 11111111111111111111111, or any other given 23-character string. That's about one in a duodecillion. That's what (I hope) will fill you with confidence. If not, drag the length slider up by one, and you're at about one in 59 duodecillion. (That's a hypothetical attacker's odds at guessing your password on any given attempt, assuming they know its length to begin with.)

    Changing out a few letters in that entropy-rich 24-character password for symbols won't make any meaningful difference, especially since that password is 50 times stronger than one that was already, as Khad said, uncrackable-in-the-age-of-the-known-universe.

    Also, there are plenty of sites that will only accept certain symbols. If I had it my way, I would be requesting that we could go further and chose what characters to use.

    This is a great point, and one others have mentioned in this thread too! Getting just the right password to fit the pickier of websites' password rules can still take a couple tries, and some such sites do still remain. We hope to improve that experience in the future, perhaps by having 1Password manually remember the restrictions of each site or continuing to improve the design of our password generator, as Kate mentioned in her earlier comment. Thank you for the feedback here :)

    Let me know if you have any more questions or feedback on this; we're always happy to hear it.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file