Former Member
5 years ago
Auto-generated password at the same time "Excellent" and "Fantastic"
I created 2 entries of the same account, with different website names. One entry was created at account creation and a generated password from 1Password was used.
The second entry was created when ...
Former Member
5 years ago
Hi Former Member, that is an excellent observation.
The short answer is that human created passwords are much weaker than ones generated from our password generator, and once 1Password doesn't know the specifics of how a password was generated it has to assume that it is human created.
The longer answer
The strength of a password is a function of the system from which it was generated. When we know precisely how a password was generated we know its strength even without looking at the password itself. When we don't know how it was generated, we have to look at the password and guess.
When you generate a password using 1Password, 1Password can compute the strength of the password precisely from the generator settings alone. In particular, any password that can be generated from a particular set of settings is exactly as likely to be generated as any other. Passwords that we generated are created uniformly.
Knowing that a password was generated by our generator isn't enough to compute its strength precisely. We need to know what instructions were given to the generator. For example, a password generated from rules that require digits is going to be weaker than one generated from rules that merely allow digits, with all other things being equal. But there is no way to tell whether digits were allowed or required when we see digits in a password, and there is no way to tell if digits were allowed when we see a password without digits. But when we know the settings given to the generator, we can compute the strength.
Human created passwords are not generated uniformly. There are simply some combinations that people are more likely to pick than others. Indeed, people are really terrible at being random, especially when they are trying to be. And so we have to use a bunch of heuristics to inspect the password and guess what sort of human processes and patterns were used in creating it. As soon as we are looking at a password that is potentially human generated, it is automatically going to be downgraded in strength.
Where this leads to the unwanted results you observe is that if you copy a 1Password generated password to some other 1Password item, it will be seen as "human created" in that other item. Even if it were known to be or somehow marked as having been generated from our generator, it is our generator that tells us the strength of what it generates. So we can't work backwards from a password alone.
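An added worked example, not part of the reply above and not 1Password's generator code: it computes strength from generator settings alone for a uniform generator, showing that requiring digits shrinks the output set compared with merely allowing them, and that one password can be a valid output of several settings. The 62-character alphabet, the length of 12, the rejection-sampling method and all function names are assumptions made for the sketch.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters   # 52 symbols (assumed alphabet)
DIGITS = string.digits           # 10 symbols


def count_outputs(length, min_digits):
    """Number of distinct passwords these settings can produce.

    Strings with exactly k digits: C(length, k) * 10^k * 52^(length - k).
    min_digits=0 means digits are allowed; min_digits>=1 means required.
    """
    return sum(
        math.comb(length, k) * len(DIGITS) ** k * len(LETTERS) ** (length - k)
        for k in range(min_digits, length + 1)
    )


def strength_bits(length, min_digits):
    """Strength from settings alone: log2 of the output-set size.
    Valid only because every output is equally likely."""
    return math.log2(count_outputs(length, min_digits))


def generate(length, min_digits):
    """Uniform draw over the allowed set via rejection sampling (assumed method)."""
    while True:
        candidate = "".join(secrets.choice(LETTERS + DIGITS) for _ in range(length))
        if sum(c in DIGITS for c in candidate) >= min_digits:
            return candidate


def could_have_produced(password, length, min_digits):
    """True if a generator with these settings can emit this password."""
    return (
        len(password) == length
        and all(c in LETTERS + DIGITS for c in password)
        and sum(c in DIGITS for c in password) >= min_digits
    )


if __name__ == "__main__":
    sample = "k3Pq9ZtLw2Xa"  # constructed sample value, not a real credential
    for name, min_digits in (("digits allowed", 0), ("digits required", 1),
                             ("3+ digits required", 3)):
        print(f"{name:20s} {strength_bits(12, min_digits):6.2f} bits  "
              f"could produce sample: {could_have_produced(sample, 12, min_digits)}")
```

The sample password is a valid output of all three settings, yet each setting has a different strength, so the password text alone cannot say which figure applies.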