Me too, and actually it looks a bit crazy to me to require users to count chars in their password in their head (as we all know that it is always better not to have it written anywhere in plain text).
One of my banks asks for specific characters out of a password. Which specific characters are asked for will vary with each login. A login now consists of username, password, specific characters and a number sent by text.
I have never bothered to try and find out how it decides which characters to ask for, but being done by a bank it will be simplistic, badly thought out and badly implemented.
If they were competent they would offer the far more secure option of a security key, but banks are fairly clueless about information security.
Although the real answer is for legacy banks to just stop asking these stupid questions, we all know this will take approximately eighty years. So in the meantime this feature in Bitwarden would be epic.
I also have a number of accounts where only certain characters from the password are required. Something I do that works about half the time (depending on how the site is coded) is store individual characters as custom fields. For example:
My password is EXAMPLE1
The site is coded so if they want characters 2, 4 and 8, the form fields are named “passwordChar2”, “passwordChar4” and “passwordChar8”. Check this by viewing the page HTML source.
I store custom fields called “passwordChar1”, “passwordChar2”, etc. with values ‘E’, ‘X’, etc.
When I’m asked for three characters from my password, I just click the account as normal in Bitwarden and the correct letters are filled in for me. In the example above, X - M - 1.
As I mentioned, this doesn’t work for all websites. Some don’t name the form fields this way, in which case having the character positions visible would be quite handy.
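The custom-field approach from the post above, as an added example that is not part of the original thread. The helper names (`customFieldsFor`, `requestedPositions`, `planFill`) are hypothetical and both HTML forms are constructed; it shows which fields would be filled and what happens when a site names its inputs differently or asks for a position that has no stored field.

```javascript
// Added example: hypothetical helpers, constructed sample data.
const PREFIX = "passwordChar"; // field-name prefix used in the post above

// Build one custom field per character: passwordChar1 = 'E', passwordChar2 = 'X', ...
function customFieldsFor(password, prefix = PREFIX) {
  // Array.from splits by code point, so a non-BMP character counts as one position.
  return Array.from(password).map((ch, i) => ({ name: `${prefix}${i + 1}`, value: ch }));
}

// Read the login page's input names to find which positions it asks for.
function requestedPositions(html, prefix = PREFIX) {
  const re = new RegExp(`<input\\b[^>]*\\bname=["']${prefix}(\\d+)["']`, "gi");
  return [...html.matchAll(re)].map((m) => Number(m[1]));
}

// Work out what would be filled, and report positions with no stored field.
function planFill(html, fields, prefix = PREFIX) {
  const byName = new Map(fields.map((f) => [f.name, f.value]));
  const fill = {};
  const missing = [];
  for (const pos of requestedPositions(html, prefix)) {
    const name = `${prefix}${pos}`;
    if (byName.has(name)) fill[name] = byName.get(name);
    else missing.push(pos);
  }
  return { fill, missing };
}

// Constructed login form asking for characters 2, 4 and 8.
const sampleForm = `
  <form>
    <input type="password" name="passwordChar2" maxlength="1">
    <input type="password" name="passwordChar4" maxlength="1">
    <input type="password" name="passwordChar8" maxlength="1">
  </form>`;
// Constructed form with differently named inputs: nothing matches, nothing is filled.
const otherForm = `<form><input name="c_a"><input name="c_b"><input name="c_c"></form>`;

const fields = customFieldsFor("EXAMPLE1");
console.log(planFill(sampleForm, fields));
console.log(planFill(otherForm, fields));
```

Because every stored field depends on the character order, changing the password means regenerating all of the fields.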
That’s a great tip @danmullen and I’ll take a look at this sometime.
Update on my earlier post. Having thought about this (briefly) I suspect that the bank is using some variation of HOTP to specify the positions of the characters to be entered. Being a bank (and thus useless at IT) they use the ridiculously primitive text to send a TOTP code as the final stage. Being a Mickey Mouse form of communication [1] the texts sometimes don’t arrive. I then swear at them and try again later. IIRC it asks for the same positions in subsequent attempts.
[1] I’m feeling generous.
Update, tried this tip. It didn’t work for me but I’ll remember it for the future. Thanks again.
Programmers in all fields, with minor exception, have very little knowledge of what the customer has to do, let alone what the customer thinks about when trying to access such services. A few calls to the support supervisor or manager of the IT department may be a better option than adding the above.
I think this is a good workaround if the website supports it. As you say some websites don’t support it, but also it makes changing the password a bit of a pain.
The main place I have seen this is on banks (in UK) websites. Another example here:
I assume they thought it would be an extra layer of security: if someone’s computer has key-logging spyware on it, it would not capture the whole password in one go.
Now they typically have two factor authentication, but they kept the random character requirement. I can imagine no one wants to be the person who “lowered” the security level (i.e. removed it) if something went wrong, so it gets left.
Interestingly other banks in some other countries (the ones I know of) don’t do this requirement and ask for the whole password each time, which does slightly worry me if some keylogging software infected my computer.
I think the best implementation of the solution would be to show the numbers only when the ‘eye’ icon is pressed, then it would not clutter the UI in normal use.
Fingers crossed people vote for this
At least here we have an option to raise it up and get it noticed in front of the developers, much harder to do that to a faceless company.
Feature function
What will this feature do differently?
It will show the password in large-type, with an overlay showing the position of each character in the password
Example:
For the password PASSWORD1 - see image below
What benefits will this feature bring?
Many websites ask for partial passwords (e.g: third, fifth and seventh character in the password).
This feature would make it much easier to see what characters need to be entered
Unfortunately many of mine don’t store it like this and I still have 10+ websites that I log into multiple times a day where I have to enter information like this
I like how 1Password does it where you have a button to show large text and it has the numbers under it. This way you kill two birds with one stone, you get large text and the word count.