
Mando
-
Thanks for such a well-reasoned and written response. I don’t disagree with you, except in one respect: when people can’t use Enpass auto fill, then the long passwords become untenable. And it is not uncommon to be unable to use Enpass auto fill. For example, I am not allowed to even install Enpass on my work laptop. That means opening up Enpass on my personal phone and typing in the passwords manually on the laptop. That becomes extremely difficult with a tremendously long password such as described above. This also applies to the times that Enpass auto fill doesn’t work on a specific website login page. In short, it’s a challenge in any case where we can’t use Enpass auto fill. As such, I still think it was a valid question for me to ask about what minimum degree of complexity would be reasonable. As this would apply to all my passwords (there’s no way to know in advance which ones you’ll need to have simplified), it was important enough for me to ask here about what the best balance would be between security and usability. If people find they can’t use the longer passwords, they might get frustrated enough to give up on a password manager altogether, which I think we can all agree would be the least secure scenario with the largest reuse of passwords. Thanks
-
Regarding the topic as a whole: In my mind, my last post does seem to indicate that the Enpass Password Generator is too conservative. That's based on my limited research. Anybody out there from Enpass? Is there an explanation of the methodology that would show that the Password Generator is "just right?" I'd be among the happiest to hear about it, as I'm about to create all my future passwords based off of my last post. lol
-
So, the question was whether or not we have some external authority we could trust to tell us what makes an acceptable password. Individuals will have their own assessment and opinion on what makes sense for them, and that may be a many-character password. But the idea was that maybe we could trust these other password checker sites. There was some evidence that they were using a weaker strength-testing tool like zxcvbn, which seemed a reasonable point to be made suggesting that the other sites could not be trusted. All well and good. It may be safe to say that we shouldn't use any of those sites (although of course they would protest).

But then I found the following chart, and ones similar to it. It shows a 12-character password taking 37,000 years to crack. If you change it at least once in the next five years you're probably going to be alright. Or, there will be all sorts of news stories about how computing power just jumped a quadrillion-fold, in which case no password is going to matter. That kind of thing. Credit goes to Komando, the authors of the following page, and to Hive Systems themselves, of course: https://www.komando.com/security/check-your-password-strength/783192/

Next, I found a cost calculator that showed it would cost millions of dollars to crack that 12-character password. That's part of the equation too. When would a hacker just give up and not care about your stuff anymore? I think "millions" meets that definition. And if you're thinking governments want access to your Netflix account, well...

So I feel like that's a couple of empirical ways of looking at it. There doesn't seem to be any right answer out there, at least not above 12 characters. Smarter people than me argue for pages and pages on Reddit and none of them have reached a universal conclusion - although the frantic screeching sound heard when discussing 2-9 characters starts to drop precipitously once you reach 10, 11, and 12. People at least seem a lot less certain that 12 is bad, is what I mean. There is also the concept that authentication processes will change/improve in the near future, likely making our passwords defunct long before even their expected expiry date. We're already headed to passwordless, for example. Finally, there's humility. Nobody cares about me so much as to spend $100k, never mind a million, to get at my account. They're going to give up rather quickly.

The following works, for me - use at your own discretion:
- upper, lower, numbers, symbols, most likely in a memorable passphrase format (1boston~Beer)
- 12-character minimum is "enough" for normal use - Netflix, LinkedIn, Facebook, email
- 14-character minimum for financial accounts and all-encompassing services like Google/iCloud*
- 15-20+ characters just as a natural consequence of the passphrase growing to be that long (because it's so easy) (1boston~beer-keg.-yay!)

* only because of the priceless value (to me) of my documents and photos (e.g. in Google Drive), and also how it cascades to other services, like "Google Sign-in" used for other sites.

Bottom line: make sure you don't ever drop below 12, but then have a bias towards 15-20, however many characters your passphrase turns out to be / whatever's the length of the easiest passphrase.
-
Thank you for the time and thought put into your response. I wasn’t asking for anyone’s permission to use weak passwords. I was asking whether or not they WERE weak in the first place. These other sites say they are not. It sounds like you’re saying all these other sites are wrong.

The point of password managers is NOT to use the most secure passwords possible. It is to use the most secure passwords *acceptable.* That’s why the Enpass Password Generator has a rating system. It encourages the average user to use an *acceptable* level of password security. No typical user is going to use a 40-char password. In fact, the Enpass generator doesn’t recommend that. It would seem in your judgement that the generator would therefore be faulty. Also, if someone were to recommend an 80-char password, then your password would not be seen as strong “enough” and therefore unacceptable. Where does it end? What is “enough?” That’s the point of my question. Somewhere along the spectrum lies a point between “enough” and “too much.” Where is that? How do we know? Is the Enpass Generator enough or too much? Suggesting ever longer and longer passwords is not the answer. That just becomes more and more of the “too much.” 40, 80, 600 characters. What is enough?

Do I have the answer to this? No. Of course not. I’m just the one posing the question, hopefully ably enough to get the ball rolling. And you’ve helped keep the ball rolling, which I appreciate. I just feel like we’ve still missed something. Do we have reason to believe that all the other sites are wrong, and the Enpass generator is right, as far as “enough” and “acceptable” are concerned? How do we judge? Maybe there’s a study that shows a test of the passwords generated by these sites, or something similar. I don’t know. It’s possible I’m not even asking the question correctly, in which case I apologize for wasting anyone’s time trying to figure it out.

I’ve definitely waded out pretty deep on this one and I’m not even sure how well I can swim.
-
Please see this post which I found which is very similar to my questions: https://discussion.enpass.io/index.php?/topic/27234-password-strenght/#comment-77241

They list several password checker sites, which all show a password as strong but which Enpass shows as weak. I would add these to the list:
- https://www.passwordmonster.com/
- https://nordpass.com/secure-password/
- https://bitwarden.com/password-strength/

The answer in that other post was the following: "Different password strength checkers use different ranges and algorithms to estimate strength of a password. Please go through this link to see how Enpass estimates strength of a password."

For me, I feel that this misses the point somewhat. The point for me is to answer the following:
- Do we agree to the original point, which is that all these other sites are providing more favorable assessments than Enpass?
- Do we agree, alone or in aggregate, that these sites provide assessments that we can rely on? i.e. if they say a password is strong, then it is strong? If they say it takes centuries to crack a password, then that is what it takes?
- Do we agree that this results in more unwieldy passwords when following Enpass advice?
- Are these unwieldy passwords warranted, or are they unnecessarily long and complicated? In the case of a three-word passphrase, should we really keep inflating a supposedly "weak" password to 4 or 5 or 6 or 7 words (and only 8 actually seems to induce an "excellent" rating in Enpass) when all these other password checkers say the three-word passphrase is STRONG and will take centuries to crack?

In the end, I find myself having to exit Enpass and go over to these websites to feel confident that the password complexity is really necessary. Please, I hope no one says that ever-longer passwords "can't hurt." They do. They lead to non-compliance amongst many other things I'm sure; I don't pretend to be an expert. But I know this: not everyone in my family uses password managers. I'm trying to convince them, but we're not there yet. However, they do let me help register some accounts for them and even keep their credentials in Enpass for them, in case they forget. But for them they just enter passwords manually. Unnecessarily long passwords do not work. They just change them to something really ridiculous. Finally, if I'm on someone else's laptop with them, and need to log into one of my accounts, I'm stuck too. I can look up the password on my phone, sure, but now I have to type it all out, looking back and forth the whole time, and losing my place, often meaning I have to do the whole thing all over again. Shorter passwords would be great.

So... it's a valid question. Can I work with Enpass Generator and all the automated filling and other features, or do I instead need to go to these other sites? Thank you to anyone who responds this weekend, I would normally submit this question directly to Enpass support but they are closed and it would be ideal to get some input now. Thanks
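The disagreement this post and the one above it describe (a three-word passphrase or a 12-character mixed-class password rated "strong" by brute-force crack-time charts, yet "weak" by a pattern-aware checker such as zxcvbn) comes down to what the estimator counts as a guess: every string over an alphabet, or only the words and patterns an attacker would actually try first. The following Python is an added example, not code from the thread, from Enpass or from any of the checker sites; the guess rate, the 33-symbol alphabet, the four-word mini-dictionary with its ranks, and the 7776-word list size are constructed assumptions.

```python
import re

# Constructed assumptions (not from the thread): an offline guess rate against a
# fast hash, and a four-word mini-dictionary standing in for the large word
# lists a pattern-aware checker such as zxcvbn uses. The ranks are made up.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600
COMMON_WORDS = {"boston": 2000, "beer": 1500, "keg": 9000, "yay": 7000}
DICEWARE_WORDS = 7776  # size of a standard diceware-style word list

def charset_size(text):
    """Alphabet size a brute-force chart assumes from the classes present."""
    size = 0
    if re.search(r"[a-z]", text): size += 26
    if re.search(r"[A-Z]", text): size += 26
    if re.search(r"[0-9]", text): size += 10
    if re.search(r"[^A-Za-z0-9]", text): size += 33  # printable ASCII symbols
    return size

def brute_force_guesses(pw):
    """What a crack-time chart counts: every string over that alphabet."""
    return charset_size(pw) ** len(pw)

def pattern_guesses(pw):
    """Rough pattern-aware estimate: split into word/digit/symbol runs; a
    dictionary word costs its rank (x2 if capitalised), other runs brute force."""
    total = 1
    for token in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        word = token.lower()
        if word in COMMON_WORDS:
            total *= COMMON_WORDS[word] * (2 if token != word else 1)
        else:
            total *= charset_size(token) ** len(token)
    return total

def passphrase_guesses(n_words, list_size=DICEWARE_WORDS):
    """Guesses for n words drawn at random from a known list: the attacker
    searches words, not characters, so the character count is irrelevant."""
    return list_size ** n_words

def years_to_crack(guesses, rate=GUESSES_PER_SECOND):
    return guesses / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    for pw in ("1boston~Beer", "1boston~beer-keg.-yay!"):
        print(f"{pw:24} chart: {years_to_crack(brute_force_guesses(pw)):10.3g} years"
              f"  pattern-aware: {years_to_crack(pattern_guesses(pw)):10.3g} years")
    for n in (3, 4, 8):
        print(f"{n}-word passphrase: {years_to_crack(passphrase_guesses(n)):.3g} years")
```

Run without arguments it prints both estimates for the two passphrases quoted in the thread and for 3-, 4- and 8-word passphrases; the gap between the chart-style and pattern-aware columns is the gap between the checker sites and a stricter rating, and the passphrase figures show why word count, not character count, is what moves a word-based estimate.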
-
After an initial flurry of activity, I haven't heard back any further on this topic and it has been quite a while. Thought perhaps by posting here there might be others who could help in this wider support community. The form fills are still not working. I worked with the Enpass Team for a while and it all seemed great, but then it just stopped. Seems they hit a wall. I tried a few more emails but with no response for months, so I find myself trying here again. Please help if you can. Thank you.
-
See questions below for you, dear reader. lol

I have been trying to get Identities and credit cards to work off and on for months now. Nothing works. By that I mean, nothing fills except for maybe one field, email address. I've tried submitting tickets but so far no luck, so came here to the community. I have been through the user guide multiple times, and I have to ask: where in the user guide is this addressed in detail? Identities and credit cards and how you set them up and how they work? I just can't find it. Or is there another web page with the information? I'll take any resource there is regarding it. Or maybe it's super easy, barely an inconvenience but it just seems hard to me because it's not working. I just don't know.

I switched to Enpass from LastPass, and while their security stinks they did do form fills quite nicely. I can't believe I would even think about going back to them but this is so incredibly frustrating. I test websites and so I fill forms all day. It was nice to have that automated and integrated with the password filling for my work accounts and personal browsing.

Save as Web Form: In a related matter, I'd also like to be able to save all values in a form, regardless of password field, but right now save as web form is limited only to pages with a password field.

Okay, so I'm here looking for any answers from the community, not just team members. Are identities and/or credit cards working for anyone out there? If so, how are you setting them up? If not, could you please post here so we know it's not working for you either? Or does no one else even try to use them?

Thanks

=======================================================

For my part, here is my info again (already in the tickets):

The version of the Enpass app, browser and OS you are using:
Enpass 6.9.0
Chrome Version 116 and Safari Version 16.5.1
macOS 13.4.1 (22F66) and iOS 16.6

The apps/webpages on which you are facing this concern:
I'm facing this on any web-form I've tried to fill in yet, including credit cards. You can test and troubleshoot this by creating an identity and/or credit card and going to any web form. The URL of the form doesn't (shouldn't?) matter. If it somehow works for you then please provide instructions as that would mean that I am doing it wrong in some way. Which is a distinct possibility.

A screenshot of any error occurring or a short video showing the issue would be helpful:
There is no error, it just doesn't fill in all the fields.