Two identical passwords generated !!!!

kutschke
Community Member

I have spent much of the weekend adding all of my passwords from about 200 accounts to 1Password and generating new random passwords for all of them. I am up to 145. When I generated the 145th, 1Password told me the new password was a duplicate! I checked and it indeed matched one that I had generated last night. I can't see how this is pilot error. This is wildly improbable given even a sorta good random engine.

Has anyone else seen this?


1Password Version: 7.3.1
Extension Version: Not Provided
OS Version: OS X 10.14.5
Sync Type: Default (dropbox?)

Comments

  • kutschke
    Community Member

    Ooops - just figured out the pilot error on my own.

    When I changed the password on the web site, it offered to update the existing stored password. I did not need to click yes but I did - somehow I had wrong item selected - probably carelessness when bringing the 1Password window in the foreground.

    Nevermind</Emily Litella voice>

  • I'm glad to hear you were able to sort out what happened here. :) It would indeed be incredibly improbable to generate two of the same password unless using a very short password length.

    Ben

  • jpgoldberg
    1Password Alumni
    edited October 2020

    > Ooops - just figured out the pilot error on my own. When I changed the password on the web site, it offered to update the existing stored password.

    Whew!

    That is actually what I expected. We've had similar cases in the past, and they've all turned out to be something like this.

    > It would indeed be incredibly improbable to generate two of the same password unless using a very short password length.

    I haven't done the math, but I think that for four digit PINs we shouldn't be surprised at a collision after 145 generated passwords. But even for four character (letter, digit) passwords it would be a surprise (though not an astronomical one).

    [Now looking at where I may have saved things up for performing such calculations ... Never mind, it is built into R's standard stats package.]

    So for PINs, there is nearly a 2/3 chance of a collision in a pool of 145:

    R> pbirthday(145, classes = 10000)
    [1] 0.649735
    
    

    and for four character passwords, it is about a 1 in 1400 chance.

    R> pbirthday(145, classes = 62^4)
    [1] 0.0007062879
    R> 1/pbirthday(145, classes = 62^4)
    [1] 1415.853
    

    But for normal passwords, say with default settings in the "new" generator with 118 bits, the numbers really are beyond astronomical, and they go beyond the range of R's birthday calculator.

    R> 1/pbirthday(145, classes = 2^118)
    [1] Inf
    
    

    So yes. Something would have been very very wrong if our generator came up with the same password twice.

This discussion has been closed.
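
Added example, not part of the original thread and not 1Password's code: the birthday-collision calculation from the last comment, done in Python in log space so the result stays finite for a 2^118 pool, where the R call in the thread printed `Inf`. The function name and the model of uniform, independent password generation are assumptions.

```python
import math

def collision_probability(n: int, classes: int) -> float:
    """Probability that at least two of n uniform, independent draws
    from `classes` equally likely values are identical (assumed model)."""
    if n < 2:
        return 0.0
    if n > classes:
        return 1.0  # pigeonhole: more draws than possible values
    # log P(no collision) = sum_{i=0}^{n-1} log(1 - i/classes).
    # log1p keeps the tiny terms that "1 - i/classes" would round away.
    log_no_collision = math.fsum(math.log1p(-i / classes) for i in range(n))
    # P(collision) = 1 - exp(log_no_collision); expm1 avoids the
    # cancellation that comes from computing 1 - (a value almost equal to 1).
    return -math.expm1(log_no_collision)

if __name__ == "__main__":
    # The three pools discussed in the thread, each with 145 passwords.
    for label, classes in [("4-digit PIN", 10**4),
                           ("4 chars, letters+digits", 62**4),
                           ("118-bit password", 2**118)]:
        p = collision_probability(145, classes)
        print(f"{label:26s} p = {p:.6g}   about 1 in {1 / p:.6g}")
```

For the 118-bit case this gives a probability of roughly 3.14e-32 rather than a value that rounds to zero.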