There is no point in doing this polynomial math to avoid storing the user’s 3 characters since a hacker could steal the b values for all users and try every ASCII value until the correct value appears in nanoseconds.
When your password is reduced to 3 characters and stored with extremely computationally simple math, you might as well store it in plaintext.
It’s about the same as using ROT13 and calling it “cryptography”.
I see this quite often and would suggest a slightly easier option.
Can we have a field or option that will automatically add the index number to the string so that it is easier to see what the nth character is?
I know it falls short of the auto fill option but it would make it easier to use manually and is another benefit of using Bitwarden as a password manager.
1 2 3 4 5 6 7 8 9 10 11 12
T h 1 s : I S p a s  s  w
I came here to suggest precisely this index. With really long passwords, it’s really a pain to identify, say, characters 8, 16, 24. I often have to copy the whole password in clear text to notepad and count columns, which creates a vulnerability. I can’t imagine how hard it must be for people with dyslexia.
Even better, we could enter 7, 9, 11 in BW and it would return S, a, s. Easier and this way we won’t even have to make the password visible on the screen.
In the UK practically every bank I know uses this, and I risk being locked out every time because I fail to enter the correct characters 2-3 times.
It usually works as @DarkStar said. I’ve seen this in Poland, UK, and Germany. This is a common practice, and passwords are not being stored in plain text. And now it always comes with 2FA, at least in my bank. If you don’t want to add this functionality, at least add small numbers above or under each password character as an option. This small feature will help us a lot. At this point all password managers are useless on these kinds of sites.
1Password has the exact feature you’re describing (showing 1, 2, 3… under each character). This would be incredibly useful in Bitwarden since my experience with U.K. banks has been the same as many others in this thread (the ‘please type the nth character of your memorable word’ is very very common over here).
I’ve had a workaround for this for a long time which is massively inelegant where I wish there was a tiny bit of support from the password manager: I use the ‘notes’ field to record the secret phrase and then on a separate line I number the characters:
m Y p a 5 5
1 2 3 4 5 6
Unfortunately, given the notes in the password manager are not fixed width, the alignment is really bad. If I could just have an option to have the notes in a monospaced font, I wouldn’t have any issues until a proper feature for this came along.
I would like to see a solution for this, too. For Halifax, I have tried adding custom fields as “Character 1” etc, and then its value, but that does not seem to work. Bitwarden tries to fill it in, but fails.
This is never going away, it’s a standard for the majority of banks in some countries, and no password manager is going to change that nor encourage/discourage it, so making it easier for Bitwarden users to use their bank is a far better option than not supporting it at all and encouraging users to use passwords they know in their head (and thus are easier to extract characters from) instead, simply on a “this isn’t a good system” pretence.
Nor does it mean the password is stored in plaintext, and in fact that’s very unlikely as UK banking regs are incredibly strict. More likely they hash different variations of the password when you set it, so the permutations of characters you can get are hard-coded. In the past I’ve been asked to update my password with banks, no doubt because the permutation list was updated.
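A sketch of the scheme guessed at in the post above (hashing a fixed set of character subsets when the secret is set), added here as an example; it is not code from the thread or from any bank, and the function names, the PBKDF2 work factor and the five-challenge count are assumptions. It also shows the point made at the top of the thread: each stored record protects only three characters.

```python
import hashlib
import hmac
import itertools
import secrets

PBKDF2_ROUNDS = 200_000   # assumed work factor for this sketch
PRINTABLE_ASCII = 95      # characters 0x20..0x7e

def _digest(chars, positions, salt):
    # Bind the hash to the positions so a record only answers its own challenge.
    material = (",".join(map(str, positions)) + ":" + chars).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)

def enroll(secret, n_challenges=5, k=3):
    """Pick a fixed set of k-position challenges; store one salted hash for each."""
    combos = list(itertools.combinations(range(1, len(secret) + 1), k))
    chosen = secrets.SystemRandom().sample(combos, n_challenges)
    records = []
    for positions in chosen:
        salt = secrets.token_bytes(16)
        chars = "".join(secret[p - 1] for p in positions)  # positions are 1-based
        records.append({"positions": positions, "salt": salt,
                        "hash": _digest(chars, positions, salt)})
    return records

def verify(record, typed):
    """Check the characters typed for one challenge, in constant time."""
    candidate = _digest(typed, record["positions"], record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def offline_candidates(k=3):
    """Guesses that exhaust one stored record, whatever the full secret's length."""
    return PRINTABLE_ASCII ** k

if __name__ == "__main__":
    demo = "Th1s:ISpassw"  # the example string used earlier in this thread
    rec = enroll(demo)[0]
    answer = "".join(demo[p - 1] for p in rec["positions"])
    print(rec["positions"], verify(rec, answer), offline_candidates())
```

The server can only ever ask for the position sets chosen at enrolment, which fits the post's observation about being asked to reset the password when the list changes.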
Really interested in this. Also, how are people currently storing these kinds of memorable words?
Most sites that I use ask for a password then they have this memorable word option instead of 2FA so I currently store the password as usual but then in the ‘notes’ section store the associated memorable word but would at least like a proper way to store this kind of data so it’s at least masked if someone is watching over my shoulder.
Instead of saving it in the notes scroll further down to the CUSTOM FIELDS. Below “New Custom Field” select “Hidden”, then click onto the + sign to the left of it. Add a name (this will stay visible) and then below the “memorable word” which - after saving - will be masked like a password.
Almost every bank I’ve used has had this security measure, and whilst I agree that it is annoying and bad practice from the bank, I doubt it is going away any time soon and would love some sort of function that can allow the autofill of a specified character position. I tried custom fields but unfortunately it doesn’t work as the custom field IDs are numbered as 1, 2 and 3 rather than the actual character positions that they are requesting (which changes each time).
I’ve just noticed that the view password feature in the Firefox extension now has an option to number each character. While this isn’t auto-fill, it is super useful!
I’m happy with the implemented solution.