These sets are missing:
- Minus (-)
- Underline (_)
- Space ( )
- Brackets ({}()<>)
- High ANSI
Plus you should allow users to type a length number rather than using sliding piece.
An idea could be to add a custom character set field in which the user could type the characters he wants to add ?
4 Likes
I’ve noted that random password generation, in Bitwarden, doesn’t include some symbols.
( { } ( ) / \ ’ " ` ~ , ; : . <>)+|£€?
Why have you excluded them? Why don’t you make random password generation “more random” adding them? You could give to the user the possibility to include or exclude these symbol as you do with other symbols.
1 Like
I think those were not listed because the random special symbols already apply for a high password entropy for brute-force attacks.
However, customizing your own character set wouldn’t be a bad idea. I’m not sure if Kyle would agree with this though.
What do you mean with “random special symbols already apply”? During PBKDF? Because KDFs require an input password with an already high entropy to be effective. If you choose an easy password you are not safe even if you use KDF
Nope. I meant that the current available character set already does a “decent” job. But if you want to improve that by adding more complex symbols just to increase the strength and entropy, fine.
But I guess Kyle didn’t place those characters in specific for a lazy reason, not at all.
I’m not here to talk whether passwords are stronger or not. I’d use http://xkpasswd.net as an example. If it could be based on that kind of generation, it would be fair for me.
Although the master password is not something I change frequently. Also because it requires some time and practicing to memorize and keep them in mind.
I find it much more convenient to use a simple character set, such as all lowercase alphabetic.
For more randomness, increase the length.
There are some benefits to not using special characters. Copy-and-paste becomes more reliable, because you will not accidentally leave a substring out due to a special character being interpreted as a word boundary. On rare occasions, when you need to enter a password manually on a small-screen device, you will be less likely to make a typographical error.
If you encounter a website that requires special characters, just include one or two manually.
1 Like
If you let the user choose if the new symbols will be included or not, I can’t see the problem. For the length I agree with you but many websites limit the password length so you have to increase the entropy as you can.
32 symbols:
!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Maybe it would be easier to just let the user enter the symbols they want. Like if I type )#& in the box it will only use ) or # or & for its symbols.
5 Likes
Perhaps with a MRU drop-down list, one of which contains all the default symbols.
See also:
- Improve random password generation main topic
- Improve random password generation comment #5
Configure Bitwarden to always give you a long password with only alphanumeric characters.
Then manually insert one or two of the required characters. Use underscore if possible, because it won’t prevent selecting the entire string with a double-click.
2 Likes
Just saw this:
So if Wells Fargo passwords ignore case, and maybe so do other websites, you can prevent the randomness of your password being thus reduced by using all lowercase to begin with.
+1 to have the option to include a larger symbol set for password generation.
Many site limit the use of special symbols, so the set of bitwarden is mostly compatible. More characters would break a lot of sites.
Maybe you could simply insert a custom in field the settings where the user can list extra characters he wants to allow and use for passwords. Thank you!
This way it is easy for everyone to add his own characters, like for example Germans often use ä ö and ü - normal letters in the German alphabet.
2 Likes
I have to agree - eight special characters is way too small a set.
A feature idea related to this, which I don’t think any password manager has, would be an option field displaying a string of special characters with some separation between them - and after you have a randomly generated password, you can click on the individual special chars, and the generator will randomly substitute them into the already generated string.
Why? Because on a semi-regular basis, I’ll run across some site that has decided themselves on a subset of special characters - that for some reason doesn’t accept ampersand or exclamation mark, for some idiotic reason. When I hit such sites, I inevitably have to regenerate the password multiple times until the string finally comes up with a password with special characters, but without the bizarrely unacceptable one…
1 Like
Is it though? With upper- and lower-case letters, digits and those eight special chars, that’s a set of 70 symbols. As you can set the length of the required password, you can produce uncrackable passwords very easily.
Why not just go with the first password generated but substitute allowed special characters for any invalid ones?
Is it though?
Well, lets turn it around. What technical or other reason would prohibit expanding the special character set? What negative effects might it incur? A larger character set means a greater entropy pool. I don’t see any downside to that.
As you can set the length of the required password
Very often, you are constrained by the destination site. Yes, I can generate a password a hundred characters long, and frankly I wish I could do that everywhere. Most sites will choke and barf if you try that.
Why not just go with the first password generated but substitute allowed special characters for any invalid ones?
Well sure. I could also just forget about bitwarden and use a pencil and paper to make up passwords. It worked thirty years ago, it can still work now!
My understanding - and expectation - is that a password manager such as bitwarden exists to make secure password creation, entry, and safe storage as easy and convenient as possible. I’ve done the dance you suggest. I’m proposing a feature enhancement, so that the end user does not have to do that manual dance. It would make the application better. In my opinion.
4 Likes
I don’t disagree with any of that. My suggestion was to get around the current limitation you’re finding with the password generator. What you’ve proposed are all reasonable enhancements that could be made 