This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Request: Mask random passwords by default

A Feature request

I don't see any reason why a password should be displayed on screen in the random generator.

If I was sitting in a public location, someone could see the password I was generating on my screen as I set up an account. I don't need to know what the random password is, just that 1Password is creating one for me and storing it. I think this field should operate as password fields do elsewhere in the UI: masked by default, but displaying the password when clicked.

Comments

  • khad
    khad Social Choreographer
    While I think that any onlooker would have a very difficult time recording — let alone memorizing :-) — one of the 50 character strong passwords generated by 1Password, I will definitely pass this along to the developers for consideration. Thanks for letting us know you are interested in this.



    Please let me know if there is anything else I can help with.



    Cheers,
  • khad wrote (post 21544, timestamp 1298847744):

    > While I think that any onlooker would have a very difficult time recording — let alone memorizing :-) — one of the 50 character strong passwords generated by 1Password, I will definitely pass this along to the developers for consideration. Thanks for letting us know you are interested in this.
    >
    > Please let me know if there is anything else I can help with.
    >
    > Cheers,



    Thanks for the quick reply!



    Do you generate a lot of 50 character passwords? I don't, I'm not sure many people do. Isn't the default 1Password length like 12 or 14 characters? Many sites have a max password length of about 20 chars. Most people have camera phones these days, it would be trivial to discreetly get a shot of someone's screen that way.



    Regardless, I agree that it is unlikely. However, I think it behooves security software to err on the side of increased security (I really needed an excuse to use the word "behooves" ;-). Especially when there isn't a strong case for needing to see the password. I'm not saying never show it, but mask it by default.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited March 2011
    The only counterpoints I would have would be that some of us prefer to tweak the passwords and such. Sometimes I don't like a given GPW as it's not got enough special characters etc for my liking or even has characters I don't want in a PW.



    Also what would happen if the PW generator broke and started using the same PW over and over, how would we ever know there was a problem?



    Personally I can adapt provided we can show the GPW with the option key like any other concealed PW. However I have concerns as noted, but I will let the team decide on the best course of action.
  • brenty
    edited March 2011
    thightower wrote (post 21708, timestamp 1299026027):

    > The only counterpoints I would have would be that some of us prefer to tweak the passwords and such. Sometimes I don't like a given GPW as it's not got enough special characters etc for my liking or even has characters I don't want in a PW.
    >
    > Also what would happen if the PW generator broke and started using the same PW over and over, how would we ever know there was a problem?
    >
    > Personally I can adapt provided we can show the GPW with the option key like any other concealed PW. However I have concerns as noted, but I will let the team decide on the best course of action.



    Yeah, I'm in the same weirdo camp, T. I like to "proof" and "approve" my generated passwords, too, although I can't for the life of me think of any practical justification for this whatsoever. :P



    Obscuring them does make a lot of sense. After all, we don't need to memorize them. What's the point? That's what we have 1Password for.



    That said, I'd really like to retain the option of viewing them -- if only to satisfy my bizarre proclivities. ;)
  • anemo42
    edited March 2011
    @thightower:



    I suppose that as a beta tester, you need to verify things like this. However, as an end user, I generally trust software to do the right thing. With security software, especially, there is always a chain of trust that goes back, at least in part to the developers (no pressure guys ;-) ).

    Perhaps you want to leave the generated passwords unmasked by default in pre-release builds, and just mask by default in production builds. Not knowing how you make your builds, I don't know if this is practical.



    @brenty:



    I also had that strange compulsion to verify generated passwords for a long time. Mostly this was due to the fact that the software I used before did not have good controls over the amount of numbers / special characters to include, and different sites have different rules for what they allow. Eventually I got tired of always double checking everything and just let the generator do its job.
  • khad
    khad Social Choreographer
    Thanks for the additional details! While we never say "never," I want to be honest that this is not at the top of our priority list at the moment. We have to factor in viewing pronounceable passwords, etc.