We’ve been told what makes a strong password for years. The rules are indelibly etched in our minds: Make ‘em long, and make ‘em random. The more difficult a password is to guess, the harder it is to crack. That’s true. But there’s more to it.
Our password generator has created an incalculable amount of long, random passwords since 2006. It’s gone through a few iterations in that time, but it’s been dubbed the Strong Password Generator for about 14 years. Because, well, that’s what it is, and who needs flashy nomenclature?
It’s 2021; it’s time for a change, and I’d like to introduce the Smart Password Generator.
Still strong. So much smarter.
One smart cookie
I spoke with Client Apps Product Lead, Mitchell Cohen (also a smart cookie), about how the Smart Password Generator (SPG) earned its name.
Mitch first walked me through a user interface (UI) that’s clean and simple.
The UI is sparse because you don’t really need it. And therein lies the beauty. Elsewhere lies the brain.
The (aptly named) brain is where the core of our code structure lives. When you request a password, the generator calls on this central brain — no matter what version of 1Password you use. Coded in the brain are password rules for millions of websites (and counting) across the internet. In essence, Mitchell’s team has ‘taught’ the brain what password requirements are, how they work, and how to conform in the strongest way possible.
But that’s not the smartest part.
Sense and sensibility
Mitchell’s team worked closely with Chief of Security, Jeffrey Goldberg, to develop a password-generation process that, for the first time, puts function over form.
It started with uniform distribution. While people are much more likely to choose some passwords more than others, the mathematical principal of uniform distribution ensures any of the nearly-countless possible passwords are just as likely to be generated as any other.
The wordlist used by the Smart Password Generator currently consists of 10,122 plausible English-language syllables. The SPG blends the syllables, one of which will be entirely uppercase, with random separators. The separators are chosen from ten digits (0-9) and six basic symbols (!@.- _ *), to form a smart password.
My more astute readers may notice we reduced the number of possible characters/combinations for a password. No, this doesn’t compromise security. Yes, I’d love to explain — with numbers.
2 clever by 1/2
|Password Element||Bits of Entropy|
Smart passwords get 53.22 bits of entropy from four syllable sets, chosen uniformly, from our list of 10,122 possibilities. They gain 2 more bits from randomly making one of those syllables uppercase, and another 11.49 bits from the separators.
An 89-bit password is uncrackable by any entity on earth and, with these elements, passwords generated by the SPG are much more likely to be accepted by any website on earth.
Long, random passwords just aren’t convenient. If you need to enter 45 randomly-generated characters on another device often enough, you’ll inevitably change that password to something like password123 because it’s easy to type and remember. It’s also - you got it - not strong.
While a lengthy, unintelligible password may appear stronger than a smart one, it’s mainly illusion. Pronounceable syllables make a smart password look human generated and, therefore, weaker. But a human-generated password could never be chosen uniformly and, therefore, can’t be accurately assessed for entropy.
We’ve made a compromise of sorts. We’ve sacrificed a few bits of (theoretical) entropy, that don’t affect real-world security, to gain a whole lot of convenience, compatibility, and accessibility — and those certainly are real world… which is what really matters.
Fifteen years ago, 1Password was created to make your online life a little bit simpler but we’ve always known we must adapt as the world changes. Today, while other services seem to go out of their way to limit protection, we work to make it stronger, easier, and more available.
I may be biased, but I think the smart money’s on us.