A smart(er) password generator

by Megan Barker

We’ve been told what makes a strong password for years. The rules are indelibly etched in our minds: Make ‘em long, and make ‘em random. The more difficult a password is to guess, the harder it is to crack. That’s true. But there’s more to it.

Our password generator has created an incalculable number of long, random passwords since 2006. It’s gone through a few iterations in that time, but it’s been dubbed the Strong Password Generator for about 14 years. Because, well, that’s what it is, and who needs flashy nomenclature?

But it’s 2021; it’s time for a change, and I’m excited to announce the Smart Password Generator.

Still strong. So much smarter.

I spoke with Client Apps Product Lead, Mitchell Cohen (also a smart cookie), about how the Smart Password Generator (SPG) earned its name.

Mitch first walked me through a user interface (UI) that’s clean and simple.

Smart Password Generator User Interface

The UI is sparse because you don’t really need it. And therein lies the beauty. Elsewhere lies the brain.

The (aptly named) brain is where the core of our code structure lives. When you request a password, the generator calls on this central brain — no matter what version of 1Password you use. In a sense, Mitchell and his incredible team have ‘taught’ the brain what password requirements are, how they work, and how to conform in the strongest way possible.

If a website has the passwordrules attribute coded in its HTML (hey-o, devs!), the brain can use those guidelines to generate a password. It can also check the list of websites that have custom password behavior. The list, which lives in the brain, is compiled in part with Apple and holds 200 websites (and counting). And my power users can still dive into the UI to adjust the password recipe, for those times you just need 49 characters.

But it’s the default setting - the setting that’s compatible with millions of websites across the internet, the setting that just works - that’s the smartest part.

Sense and sensibility

Mitchell’s team worked closely with Chief of Security, Jeffrey Goldberg, to develop a password-generation process that, for the first time, puts function over form.

It started with uniform distribution. While people are much more likely to choose some passwords more than others, the mathematical principle of uniform distribution ensures any of the nearly-countless possible passwords are just as likely to be generated as any other.

The wordlist used by the Smart Password Generator currently consists of 10,122 plausible English-language syllables. The SPG selects four syllables, one of which will be entirely uppercase, and blends them with separators, which are chosen from ten digits (0-9) and six basic symbols (!@.-_*).

In the blink of an eye, you have a password that’s strong, and much more likely to be accepted by any website on earth.

So smart.
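The recipe described above, as an added Python sketch (not 1Password's code): it draws four syllables with a CSPRNG, uppercases one, joins them with separators, and computes the entropy that recipe yields under uniform selection. Assumptions: one separator sits between each adjacent pair of syllables and each is drawn independently from the 16 characters; the function names and the short syllable list are constructed stand-ins, since the 10,122-entry wordlist is not on the page.

```python
import math
import secrets

DIGITS = "0123456789"
SYMBOLS = "!@.-_*"                 # the six basic symbols named in the post
SEPARATORS = DIGITS + SYMBOLS      # 16 possible separators

# Constructed stand-in syllables; the real wordlist has 10,122 entries.
DEMO_SYLLABLES = ["bal", "cor", "dim", "fen", "gat", "hul",
                  "jor", "kep", "lum", "mov", "nar", "pel"]


def generate(syllables=DEMO_SYLLABLES, count=4):
    """Build one password: `count` syllables, one uppercased, separators between."""
    # secrets draws from the OS CSPRNG and selects without modulo bias,
    # which is what makes every recipe outcome equally likely.
    picked = [secrets.choice(syllables) for _ in range(count)]
    upper = secrets.randbelow(count)          # which syllable is uppercased
    picked[upper] = picked[upper].upper()
    password = picked[0]
    for syllable in picked[1:]:
        # Assumption: one independently chosen separator per gap.
        password += secrets.choice(SEPARATORS) + syllable
    return password


def entropy_bits(wordlist_size, count=4, separators=len(SEPARATORS)):
    """Entropy of the recipe when every choice is uniform and independent.

    This measures the generation process, so it holds for any output,
    however human-looking. It is an upper bound on the entropy of the
    resulting string if two different recipes can produce the same text.
    """
    syllable_bits = count * math.log2(wordlist_size)
    uppercase_bits = math.log2(count)                    # position of the uppercase syllable
    separator_bits = (count - 1) * math.log2(separators)
    return syllable_bits + uppercase_bits + separator_bits


if __name__ == "__main__":
    print(generate())
    print(f"{entropy_bits(10_122):.1f} bits with the 10,122-syllable wordlist")
```

Under these assumptions the recipe works out to roughly 67 bits with the full wordlist.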

Wise words

Long, random passwords just aren’t convenient. If you need to enter 45 randomly-generated characters on another device often enough, you’ll inevitably change that password to something like password123 because it’s easy to type and remember. It’s also - you got it - not strong.

While a lengthy, unintelligible password may appear stronger than a smart one, it’s mainly illusion. Pronounceable syllables make a smart password look human generated and, therefore, weaker. But a human-generated password could never be chosen uniformly and, therefore, can’t be accurately assessed for entropy.

We’ve made a compromise of sorts. We’ve sacrificed a few bits of entropy to gain a whole lot of convenience, compatibility, and accessibility — and those certainly are real world, which is what really matters.

Megan Barker - Security Scribbler