This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Feature request: Password Generator Filter

Some sites inexplicably restrict the special characters you can use in a password, so normally I just slide special characters down to 0 on those sites.



But I got to thinking it'd be great to have a way to filter or restrict what special characters 1Password will use in its password generator. Like if a site will only let you use: =-)(*&^%$#@!~ but not: []{}\|;:'",<.>/?`_+ then you could turn the slider up for how many special characters you want, and then maybe under the advanced options section have a text area to filter which special characters it will use. So you could type in that first set, and then 1Password will only use those special characters in its password generation.



That way you could always use strong alphanumeric + special character passwords, and have them all completely randomly generated, without worrying about the sites that for whatever reason decide to restrict what characters you can use in your passwords.



Naturally this feature, if implemented, should be in all versions of 1Password :)

Comments

  • Hiya, jay_gunn!



    Thanks for the suggestion! We will have to see if this is something we can add at some point. Although its usefulness may be limited, it could be a great quality-of-life feature. If only there were a way to autodetect the symbols that are allowed!



    Honestly, I tend to just use long, case-sensitive passwords with numbers. I don't remember what site it was, but a while back I encountered one that let me set a password with symbols in it when I registered, but the actual login form broke when I used it as a result of the symbols I included in the password. Long story short, I don't use that site anymore. :lol:
  • Man, if you guys can figure out how to auto detect what characters are valid, I think I'd have to come and personally shake everyone's hand. That would truly be amazing! Several sites I've been to neglect to give you any warning about restricted characters, or even lengths, so you end up generating a good strong password only to find out the site won't accept it and only THEN tells you oh it has to be 6-8 characters and blah blah blah. Ugh.



    Bank sites are the worst at this.



    I can't say I've run into a site that will accept a password with special characters, and then screw up when you try to log in, though. That's just bloody brilliant!
  • brenty
    edited May 2011
    [quote name='jay_gunn' timestamp='1304629648' post='26357']

    Several sites I've been to neglect to give you any warning about restricted characters, or even lengths, so you end up generating a good strong password only to find out the site won't accept it and only THEN tells you oh it has to be 6-8 characters and blah blah blah. Ugh.

    [/quote]



    Ugh, indeed! :lol:



    I know how you feel. Maybe someday a standard will emerge -- or be legislated upon the financial industry. [s]When[/s] If that day comes, we will be happy to spend less time on trying to find workarounds and more on adding and refining features and usability. B)



    [quote]

    I can't say I've run into a site that will accept a password with special characters, and then screw up when you try to log in, though. That's just bloody brilliant!

    [/quote]



    Yeah, "brilliant" wasn't what came out of my mouth when that happened. Although, the first and last letters were the same. :P



    Thanks so much for your passionate feedback! I have to say, I have an idea of what drives you. I had considered opening a second account at another bank recently, but decided against it. And the more I think about it, I realize that, while my current bank's website is far from hassle-free, I don't completely hate it, so I will stick with it for the time being. Maybe in the future we can all be free of these shenanigans; if so, 1Password will be able to help. :)
  • khad
    khad Social Choreographer
    Also keep in mind that [url="http://forum.agile.ws/index.php?/topic/1774-choosing-a-good-master-password/page__view__findpost__p__10902"]longer passwords are more secure[/url] than shorter "more complex" ones (with those "fancy" characters). ;-)



    If you can have both length and complexity, that is even better, but length alone can be pretty secure. I worry more about those sites which restrict the length than the keyspace (i.e. character set).



    Cheers,
  • I want to add my voice to this request - I came to these forums looking specifically for this topic.



    I've been having issues on certain websites that occasionally specific characters aren't allowed. It's just a pain trying to figure out if the problem is password length (I use long ones) or specific characters. Also, when I'm setting up MySQL databases, occasionally a ' slips into the password and that causes all kinds of fun.



    Specifically, I've run into problems with the $ ' & and " characters. For now I've disabled ambiguous characters and am only generating a few symbol characters in my passwords, but I would like the option to always exclude problem characters as I run across them.
  • khad
    khad Social Choreographer
    Welcome to the forums, dgittler!



    Unfortunately, there is no way for a site to indicate the characters it accepts, so there is no way to automate this in 1Password. Finer-grained control over precisely which characters to allow or disallow in a generated password is a possibility, but I can't promise it will be added. The "maxlength" attribute of an input element in a web form is something 1Password can and does automate. A sufficiently long password with symbols set to 0 is still a very strong password. For this reason, I usually set symbols to zero and length to 50. If the password is too long, 1Password will notify me and shorten the password automatically. One of the real benefits of using the built-in Strong Password Generator is that you are not limiting the length or keyspace of your password on every site you visit, and having unique passwords (as strong as possible) for each site is a breeze.



    We will consider adding more complexity to the Strong Password Generator interface. Thanks for letting us know this would be useful to you!



    Cheers,
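
An added example, not part of any post in this thread and not 1Password's code: a generator with the requested symbol filter and exclusion list that also clamps to a declared maxlength, plus an entropy calculation for comparing length against keyspace. The names `generate` and `entropy_bits` and their parameters are hypothetical; the symbol set is the one quoted in the first post.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 characters

def generate(length, n_symbols=0, allowed_symbols="", exclude="", maxlength=None):
    """Random password with exactly n_symbols characters from allowed_symbols.

    exclude   -- characters never to emit (ones a site or a SQL client rejects)
    maxlength -- the form field's maxlength attribute, when the page declares one
    """
    if maxlength is not None:
        length = min(length, maxlength)
    banned = set(exclude)
    alnum = [c for c in ALNUM if c not in banned]
    # dict.fromkeys de-duplicates while keeping order, so no symbol is weighted twice
    symbols = [c for c in dict.fromkeys(allowed_symbols) if c not in banned]
    n_symbols = min(n_symbols, length)
    if n_symbols and not symbols:
        raise ValueError("symbols requested but the filter leaves none")
    chars = [secrets.choice(symbols) for _ in range(n_symbols)]
    chars += [secrets.choice(alnum) for _ in range(length - n_symbols)]
    # Fisher-Yates shuffle driven by the CSPRNG, so symbol positions are uniform
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def entropy_bits(length, n_symbols=0, n_allowed=0, n_alnum=len(ALNUM)):
    """log2 of the number of equally likely outputs of generate()."""
    outputs = (math.comb(length, n_symbols)
               * n_allowed ** n_symbols
               * n_alnum ** (length - n_symbols))
    return math.log2(outputs)

if __name__ == "__main__":
    site_symbols = "=-)(*&^%$#@!~"      # the allowed set from the first post
    print(generate(20, 4, site_symbols, exclude="$'&\""))
    print(generate(50, maxlength=15))   # field declares maxlength="15"
    for label, bits in [("50 alphanumeric", entropy_bits(50)),
                        ("20 with 4 of 13 symbols", entropy_bits(20, 4, 13)),
                        ("8 alphanumeric", entropy_bits(8)),
                        ("8 with 2 of 32 symbols", entropy_bits(8, 2, 32))]:
        print(f"{label}: {bits:.1f} bits")
```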
  • I second this motion. It would be nice to have an "excluded characters" list. While I do see your point to have extremely long 50 character passwords that don't use symbols, it should be noted that not all sites allow passwords longer than, say 15-20 characters.



    [quote name='khad' timestamp='1305058749' post='26738']

    Unfortunately, there is no way for a site to indicate the characters it accepts, so there is no way to automate this in 1Password.

    [/quote]



    Some sites do indicate which characters are acceptable in a password. Or, if not overtly stated at first, many sites offer a popup warning if you include unacceptable characters.
  • khad
    khad Social Choreographer
    edited September 2012
    You are correct that some sites limit password length. If they actually indicate this within the page's code with the "maxlength" attribute 1Password recognizes this and behaves accordingly. If the length limitation is only set on the back end, there is no way for 1Password to programmatically ascertain this, so you will need to adjust manually.







    [quote]

    Some sites do indicate which characters are acceptable in a password. Or, if not overtly stated at first, many sites offer a popup warning if you include unacceptable characters.

    [/quote]

    I'm sorry if I wasn't clear. There is no way for sites to communicate to other apps like 1Password what the limitations are. They may indicate these limitations in a human-readable way but not in a way that a program like 1Password can parse. The only exception to this is the aforementioned "maxlength" attribute which 1Password already respects.



    Because the limitations are not communicated in a way which 1Password can parse, there is not currently a way to automate this. Since the only way the information is communicated is in a human-readable format, you (the human who [i]can[/i] parse the information) will need to adjust the settings manually.



    We'll look at ways to better handle this including possibly giving the user more fine-grained control of the character space, but there will need to be some advances in web technology before 1Password could adjust the settings automatically.
  • Yes, 1P cannot do it automatically, but I would still like the option to manually exclude characters from the generator, even if I have to spend a few more seconds doing so :P
  • benfdc
    benfdc Perspective Giving Member
    When this happens to me (it just did today, in fact), I manually substitute allowed symbols for the verboten symbols in the password that 1P generates. But if there were a filter I would probably use it.
  • khad
    khad Social Choreographer
    edited September 2012
    Indeed. "We'll look at ways to better handle this including possibly giving the user more fine-grained control of the character space…"



    It would be so much nicer if there was either a way for sites to communicate their requirements programmatically or — better yet — have no restrictions on length or character space. :)



    Sigh. We must work with what we're given rather than what we wish for.
  • benfdc
    benfdc Perspective Giving Member
    Maybe Agile, on its own or in coordination with other players in the field, could define and promote some sort of meta-tag that would allow sites to specify password parameters. Then 1Password could have a preference directing it to always generate a maximum-strength password.
  • khad
    khad Social Choreographer
    On a personal level, I'd much prefer to see us direct our efforts to [b][i]eliminate[/i][/b] such entropy-weakening limits if we were to pursue such an endeavor.
  • benfdc
    benfdc Perspective Giving Member
    The perfect is the enemy of the good.
  • khad
    khad Social Choreographer
    Neither option would likely produce "perfect" results, so it would simply be a matter of convincing web folks to change one thing or another. The effort would be about the same, but eliminating those artificial limits would have a net security gain [b]and[/b] convenience rather than just convenience.