Password generator of limited use due to missing features. (other languages, upper/lower case, number)

JochenRLP
Community Member

The password generator in 1Password is of limited use because I cannot create passwords that meet the password rules of the enterprise I'm working for. I need to change each single password manually to match. The password needs to contain

  • a number
  • upper and lower case characters
  • special characters (covered)

The second issue is that 1Password only supports English words. For non-native speakers it's hard to remember words you never use or have never heard of. I like learning new words but that's not helping to remember passwords.



Comments

  • ag_ana
    1Password Alumni

    Hi @JochenRLP!

    We currently do not have the option to customize the password generator rules at this level. We are always looking at ways to improve 1Password features however, so thank you for taking the time to share your use case with us. I will make sure to share it with the team.

    With regards to your second request, I have already answered your other post here.

  • OctalOrangutan
    Community Member

    Hi all,

    I'd like to second the first aspect of this request - currently I'm generating a multi-word password then adding a capital and inserting a number between two of the words to create passwords that match Windows domain password restrictions.

    The software engineer in me has visions of an advanced option that looks like a printf-style format string for requesting password generation :-)

    e.g.

    %w%Pw%3n%w

    This would produce a password consisting of a dictionary word, a proper noun dictionary word, 3-digit number, then finally another dictionary word without any separators e.g. orangeCanada429penguin

    I suspect the uptake on usage for this feature would be tiny, but I can dream :-)
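
Added example (not part of the thread, and not 1Password code): a Python implementation of the format-string idea in the post above, covering `%w`, `%Pw` and `%<k>n` as that post describes them, plus a check for the upper/lower/digit rule raised in the thread. The `%%` escape, the function names and the two short word pools are assumptions made for this example.

```python
import re
import secrets

# Constructed sample pools (assumption); a real generator would load
# word lists with thousands of entries.
WORDS = ["orange", "penguin", "harbor", "velvet", "cactus", "meadow", "tunnel", "ribbon"]
PROPER = ["Canada", "Naples", "Oslo", "Kenya", "Lima", "Perth"]

# %w = dictionary word, %Pw = proper noun, %<k>n = k-digit number,
# %% = literal percent sign (the escape is an assumption of this example).
TOKEN = re.compile(r"%(?:(?P<proper>Pw)|(?P<word>w)|(?P<num>\d+)n|(?P<pct>%))")

def parse(fmt):
    """Split fmt into (kind, arg) parts; reject unknown directives."""
    parts, pos = [], 0
    for m in TOKEN.finditer(fmt):
        parts.append(("lit", fmt[pos:m.start()]))
        kind = m.lastgroup
        parts.append((kind, int(m.group("num")) if kind == "num" else None))
        pos = m.end()
    parts.append(("lit", fmt[pos:]))
    for kind, arg in parts:
        if kind == "lit" and "%" in arg:
            raise ValueError(f"unknown directive in {arg!r}")
        if kind == "num" and arg < 1:
            raise ValueError("digit count must be at least 1")
    return [p for p in parts if p != ("lit", "")]

def generate(fmt):
    """Build one password; every random pick comes from the OS CSPRNG."""
    out = []
    for kind, arg in parse(fmt):
        if kind == "lit":
            out.append(arg)
        elif kind == "pct":
            out.append("%")
        elif kind == "word":
            out.append(secrets.choice(WORDS))
        elif kind == "proper":
            out.append(secrets.choice(PROPER))
        else:  # "num": zero-padded so the number always has arg digits
            out.append(f"{secrets.randbelow(10 ** arg):0{arg}d}")
    return "".join(out)

def meets_policy(password):
    """The rule discussed in the thread: lower case, upper case and a digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))

if __name__ == "__main__":
    pw = generate("%w%Pw%3n%w")
    print(pw, meets_policy(pw))
```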

  • ag_ana
    1Password Alumni

    Thank you for taking the time to share your thoughts with us as well @OctalOrangutan :+1: :)

  • prime
    Community Member

    I love this idea. When I do make words like this for passwords, I always copy and paste it in the note section and add this info to it.

  • ag_ana
    1Password Alumni

    @prime:

    I always copy and paste it in the note section and add this info to it.

    Do you mean the rules that you used to create this specific password?

  • prime
    Community Member

    @ag_ana
    When generating the password it looks like this:
    leach-impulse-naples-trembly-celery
    I’ll copy it, put it into the notes, and change it to something like this:
    leach-impulse-NAPLES-1-trembly-celery+5
    Because most sites I need a password for will want a capital letter and numbers as well.

  • ag_ana
    1Password Alumni

    @prime:

    Thank you for the confirmation. I do something similar, but I don't copy it in the secure notes, I make the changes directly in the password field :+1:

  • prime
    Community Member

    @ag_ana I’ve done that a few times, but messed up the password :lol: I go into the note section of the login also (at the bottom where you can add notes for a login), since I don’t have to switch anything. If that makes sense.

  • ag_ana
    1Password Alumni

    That can work too, yes :)

  • dorits
    Community Member

    It's a rare website these days that does not require a combination of lower and uppercase letters plus numbers. In addition, sites vary as to which symbols they will accept, if any. Even your own discussion forum registration says "Your password must be at least 6 characters long. For a stronger password, increase its length or combine upper and lowercase letters, digits, and symbols!"

    I feel like I'm perpetually using the notes section to alter your generated password. That pretty much eliminates the convenience of having a password generated for me. I do not like the characters option because I need easily-typed passwords when I'm on an insecure network; e.g. when traveling.

    The current 1Password word generator seems very outdated, creating extra work for users. I don't understand why it can't be programmed to generate passwords that the vast majority of websites demand these days.

  • strettig
    Community Member

    I'll just jump in and say the same. Almost no site allows you to create a password like the ones created by default with the "words" option in 1Password. I have to manually introduce capital letters and numbers to make the password compliant.

    Word-based passwords have been widely acknowledged by security professionals to be better than random letter/number/symbol combinations. I implore 1Password to implement automatic number/capital entry into the "words" password option. The suggested passwords for iOS follow this convention, are built into the system and are therefore extremely convenient. A dedicated password manager should have at least this degree of functionality.

    I really like 1Password. This is one of the only friction points for the experience for me.

    Thanks!

  • ag_ana
    1Password Alumni

    Thank you both for the feedback :+1: :) We will keep it in mind while we continue improving the password generator.

  • frett
    Community Member

    @strettig said "Word-based passwords have been widely acknowledged by security professionals to be better than random letter/number/symbol combinations"

    Is that true? Everything I have read says to avoid dictionary words. Can't possibly see how word-based passwords would be better than random combinations. Easier for you to remember, maybe, but not better security.

    Please elaborate.

  • ag_ana
    1Password Alumni
    edited May 2020

    @frett:

    Please see this post from my colleague Daniel from our security team. He wrote about this topic recently over there.

  • DanielP
    1Password Alumni
    edited May 2020

    @frett:

    Is that true? Everything I have read says to avoid dictionary words.

    In addition to what I wrote in the post that Ana linked to, I would be very interested in reading these resources if you could share them with me.

    Using a single dictionary word should certainly be avoided (extensive rainbow tables are available online to make brute-forcing through these very simple), but using several dictionary words is a different matter entirely.

    ===
    Daniel
    1Password Security Team

  • frett
    Community Member
    edited May 2020

    @ag_ana and @DanielP In your linked post you still don't explain how dictionary words are inherently more secure than random characters.

    As you state, words certainly make it easier to remember (and thus help facilitate a long password), but isn't that the point of 1Password? To allow users to not have to rely on memorized words, so we can create long random passwords?

    Many (most?) sites do not have form fields that allow for very long passwords, so if a site allows an 8-digit (or 28-digit) password, I would think random characters will always be stronger than dictionary words of the same length.

    And I don't have an example in front of me, but I've seen popular tech sites post something like "using random words strung together like oceanzebraangstelevate13 is better than a phrase from a book. Even better is to take a few letters from the random words and combine them to make something unrecognizable like ceanebrangstelev13." (obviously that's shorter but that's not their point)

    I'm no expert and don't read password research by experts. Just asking out of ignorance. :)

  • frett
    Community Member

    So doing a search for how to make a good password, for example, gives me an early source from Howtogeek.com (https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/)

    He says: "With the tips above, it’s pretty easy to come up with a password. Just bash your fingers against your keyboard and you can come up with a strong password like 3o(t&gSp&3hZ4#t9. That’s a pretty good one—it’s 16 characters, includes a mix of many different types of characters, and is hard to guess because it’s a series of random characters.

    The only problem here is memorizing this password. Assuming you don’t have a photographic memory, you’d have to spend time drilling these characters into your brain. There are random password generators that can come up with this type of password for you—they’re generally most useful as part of a password manager that will also remember the passwords for you.

    You’ll need to think about how to come up with a memorable password. You don’t want to use something obvious with dictionary characters, so consider using some sort of trick to memorize it.

    For example, you might find it easier to remember a sentence like “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it’s not bad at all."

    I'm just giving you an example of what many sites recommend. Maybe not security or cryptography sites, just what an average user has been told for several years.

    Just from a probability standpoint logically it seems like a password of set length and random characters is stronger than random dictionary words of the same length.

  • DanielP
    1Password Alumni
    edited May 2020

    @frett:

    I'm no expert and don't read password research by experts. Just asking out of ignorance. :)

    You are asking some important questions, so you are doing the right thing to seek clarification. These concepts are not always intuitive, and I personally think that it doesn't help that research often can take some things for granted. I will attempt to address your concerns in order.

    In your linked post you don't still explain how dictionary words are inherently more secure than random characters.

    The explanation is in the first paragraph of my post in that other discussion. Here is the relevant quote for your convenience:

    The idea is that the password complexity is dominated by password length more than by the pool of characters you can pick from. So from a password strength point of view, a longer password is typically harder to crack than a shorter one, even if the latter uses numbers and symbols.

    I have emphasized the sentence that most closely answers your question. More about this later in my post, including counterexamples where this is not the case.

    As you state, words certainly make it easier to remember (and thus help facilitate a long password), but isn't that the point of 1Password? To allow users to not have to rely on memorized words, so we can create long random passwords?

    That is indeed the point of a password manager. It helps to put this discussion into context though: remember that most folks don't use a password manager at all (I would argue that most of them don't even know what a password manager is), so anything we can do to make introducing one in someone's life is taking things step by step. If this means having them switch to longer, easier to type passwords as a stepping stone towards a password manager, then so be it. The ultimate goal is to improve your security posture even if you are not an expert user, and longer word-based passwords are more user-friendly than shorter, scary-looking ones with a bunch of symbols, which might throw some people off. You might be surprised to hear this, but I have chatted with many customers over the years who don't know that 1Password can not only store passwords for you, but it can also help you fill them on webpages, and still type them manually.

    But, on a more technical note, you also need to remember that a word-based password is still a random password: the difference is that instead of fetching its building units from a pool of characters and digits, you fetch them from a pool of words. So just because they make more sense to us as humans because they are readable, does not mean that they are not randomly generated.

    Many (most?) sites do not have form fields that allow for very long passwords, so if a site allows an 8-digit (or 28-digit) password, I would think random characters will always be stronger than dictionary words of the same length.

    Certainly at the same length, using additional symbols and digits can increase entropy (see the last part of my reply here). But we should not look at websites that do things badly (in this case, putting an upper limit to the password length): we should always look at what the best approach is in general. Some websites still require you to only enter 8-digit PINs to login, but that does not mean that we should follow that lead.

    There is also a usability aspect: there are cases in which you might have to enter these passwords manually even if you use a password manager (maybe you only have your phone with you and you need to enter them on a computer where 1Password is not installed, or maybe you want to login to a streaming app on your smart TV). In these cases, word-based passwords can make your life easier, without requiring you to make them shorter.

    And I don't have an example in front of me, but I've seen popular tech sites post something like "using random words strung together like oceanzebraangstelevate13 is better than a phrase from a book. Even better is to take a few letters from the random words and combine them to make something unrecognizable like ceanebrangstelev13." (obviously that's shorter but that's not their point)

    This specific point is true. But you can take this further: instead of adding random numbers, you can take this one step further and add a whole lot of random words to it. The resulting password (such as "catalog-coachman-exhort-quint-legato-visage-lund-nuclear-swell-metric", generated using the 1Password X password generator) is longer than your original one (see my original quote above about the importance of password length).

    You’ll need to think about how to come up with a memorable password. You don’t want to use something obvious with dictionary characters, so consider using some sort of trick to memorize it.

    For example, you might find it easier to remember a sentence like “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” You can turn that sentence into a password by using the first digits of each word, so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 digits. Sure, a true random password might include a few more numbers and symbols and upper-case letters scrambled around, but it’s not bad at all."

    There is an elephant in the room in this quote though. If you are trying to come up with a rule to create a random password, then that password is not really random. You are just applying an arbitrary algorithm, which you optimize appropriately to make it easier for the resulting password to be memorized by you. Real randomness means picking from your pool of allowed password units in a way that every unit has the same probability of being picked.

    I'm just giving you an example of what many sites recommend. Maybe not security or cryptography sites, just what an average user has been told for several years.

    If we want to go down that route, I should also remind everyone that for years we have been led to believe that regularly changing passwords every x number of months was a good idea, or that 2FA via SMS was a great way to increase the security of your accounts. The security community has been very vocal about both of these points for a long time, but only recently both points have started to be taken into consideration by the industry at large (and I have to say that we are not quite there yet with any of those two).

    Just from a probability standpoint logically it seems like a password of set length and random characters is stronger than random dictionary words of the same length.

    True, but this is different from your original statement: if you are limited by password length, then the next most important contributor to password entropy is the character pool that you are allowed to choose from. In this scenario, being able to use digits and symbols in addition to the letters of the alphabet would result in a password that is more complicated to crack.

    A few examples should help clarify this, and we are back to the notion of password entropy. Take these randomly generated passwords and compare their entropies:

    • "d8Xdmp=%2G" : random 10-character password. Entropy: 48.9 bits
    • "o0Va65'zsAKDU?lyr%x5MKYZtms^i)9i" : random 32-character password: Entropy: 174.6 bits
    • "clothes-defer-finding-effluent-slider-size-samovar-single-dickens-admonish" : random 10-word password. Entropy: 333.7 bits
    • "4>c!MZdCN7gRiZ~glM446H0Qq9{fYxt*laHVc~dhmkGdLLKG7;MoLR]]7V/heJm4" : random 64-character password. Entropy: 357.6 bits

    As you can see, the 64-character password has more entropy than the 10-word password, even if the word-based password is longer (74 characters vs 64). So again, when the length is capped, the next most important aspect is the character pool. However, compare now the entropy of this word-based password to the 32-character "o0Va65'zsAKDU?lyr%x5MKYZtms^i)9i". While this certainly looks complex, its entropy is roughly half of the one of the word-based password, which has password length in its favor.

    So in summary, you are not wrong in saying that adding digits and symbols can improve the strength of passwords. That is certainly the case. However, one of the most important aspects of a good password is password length. And it is ultimately easier and more user friendly to increase password complexity by making passwords longer, rather than by making them more complex by using a larger pool of characters. You could use passwords with the Greek and Russian alphabet too, as an example, but password entropy shows you that you can avoid this effort by just using longer passwords with the alphabet you know :)

    ===
    Daniel
    1Password Security Team
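
Added example (not part of the thread, and not 1Password code): the arithmetic behind the length-versus-pool argument above, with entropy taken as the number of uniformly picked units times log2 of the pool size, for both an uncapped and a length-capped password. The 94-character pool, the 7,776-word list with a 9-character longest word and the function names are assumptions, and the results are not the same measure as the entropy figures quoted in the thread, which does not show how they were calculated.

```python
import math

CHAR_POOL = 94      # assumed: printable ASCII characters, space excluded
WORD_POOL = 7776    # assumed: size of a Diceware-style word list (6**5)
MAX_WORD_LEN = 9    # assumed: longest word in that list

def entropy_bits(pool_size, units):
    """Entropy of `units` independent, uniform picks from a pool."""
    return units * math.log2(pool_size)

def units_for(target_bits, pool_size):
    """Fewest uniform picks from the pool that reach target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

def words_to_match(n_chars):
    """Random words needed to equal an n_chars random-character password."""
    return units_for(entropy_bits(CHAR_POOL, n_chars), WORD_POOL)

def under_cap(max_len, sep_len=1):
    """Compare both generators when a site caps passwords at max_len characters.

    Only words guaranteed to fit are counted: every word is assumed to be
    the longest one, joined by a separator of sep_len characters.
    """
    n_words = (max_len + sep_len) // (MAX_WORD_LEN + sep_len)
    return {
        "char_bits": entropy_bits(CHAR_POOL, max_len),
        "words": n_words,
        "word_bits": entropy_bits(WORD_POOL, n_words),
    }

if __name__ == "__main__":
    # No length cap: adding words catches up with any character password.
    for n in (10, 16, 32):
        print(f"{n:2d} random characters ~ {words_to_match(n)} random words")
    # Length cap: the larger per-position pool wins.
    for cap in (8, 16, 28, 64):
        r = under_cap(cap)
        print(f"cap {cap:2d}: characters {r['char_bits']:6.1f} bits, "
              f"{r['words']} word(s) {r['word_bits']:5.1f} bits")
```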

  • strettig
    Community Member

    @frett Thanks for pushing to explore this topic. I was confused the first time I saw this too, as I was following previous password protocols like the ones you mentioned and they made sense to me. Once I read about the reasoning behind the new protocols though they made total sense. They also make it far more manageable when you have to manually enter in a password. Apple/iTunes is a pretty notorious example here since they randomly ask you to manually put in your password quite often and on iOS in some scenarios the interface doesn't allow you to switch to another app like 1Password and then switch back so you can't copy and paste. The totally random digit/number/symbol combos are excruciating in that situation.

    @DanielP And thank you Daniel for the extensive and detailed explanation!

  • frett
    Community Member

    @strettig and @DanielP Thank you for the input and instruction.

    @DanielP As you state "...the 64-character password has more entropy than the 10-word password, even if the word-based password is longer (74 characters vs 64). So again, when the length is capped, the next most important aspect is the character pool"

    That is a perfect example to illustrate what I wanted to make sure I understood. Thanks!

  • DanielP
    1Password Alumni

    @strettig, @frett:

    You are very welcome. If you have any questions, reach out anytime :+1:

    ===
    Daniel
    1Password Security Team

This discussion has been closed.