Additional customizations to Password Generator are needed

Sites frequently put restrictions on what a valid password must include, e.g.: both upper & lower case, specific symbols, both numbers & characters, etc. With the current version of password generator I need to copy, then edit 1P generated passwords so they will meet site requirements. Here are a couple of suggestions to address the problems I see most often. "Words" generation should include options to include both upper & lower case letters, as well as using numbers in some manner, e.g. as a separator, etc. In "Characters" the symbols to be used should be definable. Or, possibly create a third category, e.g. "Custom" in addition to Words & Characters, to configure the options to meet specific site requirements.


1Password Version: 7.3.712
Extension Version: 1.17
OS Version: Win 10 b64 1903
Sync Type: Not Provided

Comments

  • We definitely appreciate in-depth feedback and feature requests such as this, especially anything that makes others more secure online!

    What you're talking about would take a great deal of development and testing across 7 apps, but I do think it's a good idea. I do truly hope we can do something like that someday. But ultimately it doesn't scale as well as one might think, as each website has different password requirements. I think it would be better if we can find a way for 1Password to know the requirements for sites and automatically generate the best password allowable. But that's quite a challenge all to itself.

    The good news is, the 1Password X Suggested Password feature does remedy a part of the issue here, as it automatically suggests a 20 character password composed of capital and lowercase letters, and numbers. The bad news is we don't (yet?) have that feature everywhere. But so far it seems to be working well, and perhaps we can do something similar elsewhere in the future!

  • Thanks for the screenshot @Naxterra!

    I will certainly be passing this along into our feature requests, as I know I would certainly love to see some of the tweaks you're showing here within 1Password as well!

  • SeaLandSkyPhoto
    Community Member

    How about just a template that can be associated with a given login that describes the specific rules for that site. No real need for you to try and track all the rules out there (and probably hopeless to keep up with them). Much more productive for you to focus on real features and issues instead of on each web site developer's idea of password security requirements. This would be especially valuable for those sites that require frequent password changes. Here's what I fought with today:

    Took 15 minutes to get past this challenge. Mostly due to the site putting green check marks past each rule as it was satisfied and then still not taking the password after all the rules were marked as satisfied. And that last little sentence was not exactly clear (at least to me). "consecutive" characters means lexicographical sort order. So can't have 'abc' or '123' anywhere in the password. The "identical" characters I initially took as can't have 'aa' or '22', but it wouldn't take the password until I ensured that there were not more than 2 instances of any given character anywhere in the password.

    So it would take quite a flexible template to handle this one, but it would be really nice to have it tied to the login entry for this site for when I have to change the password. And perhaps we could upload templates as we figure out the complexities for a given site so others could benefit.

  • We appreciate the struggles associated with these sites, @SeaLandSkyPhoto, but we actually have made a conscious choice to take a bit of a different approach to this problem. Templates would solve it, don't get me wrong, but it strikes us as something of a half-measure. You and I may be fine creating a template for each picky site with ill-advised rules, but my parents probably aren't going to do that. Implementing templates would be a lot of work to solve the problem for only a portion of our customers. I'm not going to take it off the table – a solution for some is better than not solving it at all – but it would be far better if we could implement something that's going to be usable by everyone so we decided to try.

    Windows isn't a great platform to see this in action as our password generator is a fair bit behind the times, but on Mac and in 1Password X, we've implemented some changes to the password manager specifically aimed at generating passwords that are more likely to be accepted regardless of the site's rules and without having to adjust the recipe beyond a few toggles. Anecdotally, I can say that these changes really do seem to have improved things. It's not a competition, but misery loves company so I'll try to one-up your example with one of my own – my mortgage bank. I don't actually know their password rules. They have them, but they don't tell me about them until I break the rules. And even then, they only tell me the rule I broke, not all of them. If I want to have a bad day, I need only change my online banking password with them. With the generator built into 1Password for Windows, this is nothing short of a nightmare. I have spent, without exaggeration, up to half an hour (and possibly more) trying to generate a password that bank will accept. The first time I had to change it after the generator changes, I used 1Password for Mac and it accepted my new password the first time. I've had to change it a few times since then and it has still taken a few tries on occasion, but the most tries I've needed is 2 or 3 and that's pure bliss compared to the past.

    So, it seems to be working, at least to a degree. There probably are going to be sites that still cause a fuss I'm sure, but progress is good and I'm sure we'll continue to adjust. There may come a day we fall back on templates for those sites we just can't tame, but I think trying for a more holistic solution is a noble goal and there's definitely a chance it will be all we need. I can't say when this will be available in the Windows app just yet. I expect we'll give it some more time to mature before pushing it out across platforms. But, if you're a Windows person and want to give it a go, you can grab 1Password X and try using it for a bit so long as you have a 1Password membership. If you do, I'd love to hear your thoughts as this is still a work in progress and we don't yet know if the problem is solved and your feedback can only help make this work better. I'll certainly share your idea about templates with the team, but I hope you can forgive me for crossing my fingers we don't need 'em. :chuffed:

  • SeaLandSkyPhoto
    Community Member

    Thanx for taking the time to think about this. I agree it's not an optimal solution for the non-techie types. I'm actually on a Mac so I've been using 1Password for Mac (7.4.1). That was the version that I was using when I ran into the example I quoted.

  • Oh no, @SeaLandSkyPhoto! I guess you've just proven my point that work remains to be done. If you wouldn't mind, could you share the site that was giving you fits? One thing that helps a ton is test cases – it lets us know where we're falling short and helps us improve where it's needed. Another litmus test for picky sites would be a great help as we continue to improve. :chuffed:

  • SeaLandSkyPhoto
    Community Member

    Chase.com. Specifically the credit card login, but it might be Chase.com in general... just have the one credit card account.

  • Greg
    1Password Alumni

    Hi @SeaLandSkyPhoto,

    I was able to find their password requirements and they are... strict. Am I right to understand that we are talking about these requirements? Please let us know.

    Thanks! :+1:

    ++
    Greg

  • SeaLandSkyPhoto
    Community Member

    Greg,

    That looks like them.

    Paul

  • SeaLandSkyPhoto
    Community Member

    One thing that might help without going all the way to a template based solution as noted above would be to allow more control over the set of special characters (rather than just controlling the number of special characters). Seems everyone has their own definition of what is an allowable special character.
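
The per-login template idea from the posts above (a site-specific symbol set, at most two of any character, no ascending runs such as 'abc' or '123'), sketched as an added example that is not part of the thread and not 1Password's code. `SiteTemplate`, `violates`, `generate`, the default symbol set and the limits are assumptions; the two rules follow the poster's reading of the site's wording.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteTemplate:
    """Hypothetical per-login rule set (not a 1Password data structure)."""
    length: int = 20
    symbols: str = "!#$%"   # assumed: the specials this site accepts
    max_per_char: int = 2   # "identical": at most 2 of any one character
    max_run: int = 2        # "consecutive": no ascending run like abc / 123

    @property
    def classes(self):
        return (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, self.symbols)


def violates(pw: str, t: SiteTemplate) -> list[str]:
    """Return the names of the template rules that pw breaks."""
    broken = []
    if len(pw) != t.length:
        broken.append("length")
    allowed = set("".join(t.classes))
    if any(c not in allowed for c in pw):
        broken.append("charset")
    if any(not any(c in cls for c in pw) for cls in t.classes if cls):
        broken.append("missing-class")
    if any(pw.count(c) > t.max_per_char for c in set(pw)):
        broken.append("identical")
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        step = prev.isalnum() and cur.isalnum() and ord(cur) == ord(prev) + 1
        run = run + 1 if step else 1
        if run > t.max_run:
            broken.append("consecutive")
            break
    return broken


def generate(t: SiteTemplate, max_tries: int = 10_000) -> str:
    """Rejection sampling: draw uniformly with a CSPRNG, keep the first pass."""
    alphabet = "".join(t.classes)
    for _ in range(max_tries):
        pw = "".join(secrets.choice(alphabet) for _ in range(t.length))
        if not violates(pw, t):
            return pw
    raise ValueError("template too restrictive for rejection sampling")
```

Each rule removes candidates from the search space, so a template like this trades some entropy for acceptance; keeping the length high offsets that.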

  • bundtkate
    edited January 2020

    That's actually the kind of direction we've been headed in our way, @SeaLandSkyPhoto. Under the hood, the new password generator tries to stick to commonly accepted special characters. So, part of this process is finding that balance of enough included to make the password generated sufficiently secure but not so many that picky sites will constantly reject it. Actually nice it's Chase though. I have a few of their cards so I'll spend some time playing with it and see what my experience is like. :chuffed:

  • jmjm
    Community Member

    "I was able to find their password requirements and they are... strict."

    And just today I was setting up my family's AIR MILES account using 1P. You know what its pw requirement is....a 4 digit PIN! Incredible.

  • ag_ana
    1Password Alumni

    Incredible indeed :(

  • jmjm
    Community Member

    How can a company argue that this is acceptable security in this day and age?

  • Greg
    1Password Alumni

    @jmjm: Some companies are not there yet, but the situation is getting better. :) We do our best to change those bad practices.

    Let us know if you have other questions, we are always ready to help you with 1Password.

    Cheers,
    Greg

  • jmjm
    Community Member
    edited January 2020

    "Some companies are not there yet, but the situation is getting better."

    Not knowing anything about what is involved "under the hood"....but how hard can it be for the company to "beef up" the requirements for the passwords to enter the site?

  • DanielP
    1Password Alumni

    @jmjm:

    In my personal experience, the update of the password policy itself is the least of the problems. There might be some technical challenges when you have several systems communicating with each other, but even in that case it wouldn't be a terribly complicated project to complete.

    The biggest challenges are typically related to convincing an organization to change the way they have been doing things so far, and helping them understand the risks if they continue to do things the same way. And unfortunately, even if an organization understands this, there is always the problem of actually deciding to allocate resources to security development, which typically does not have any tangible output. It's much easier to focus on "the next shiny feature" instead ;)

This discussion has been closed.