Compliant random passwords

Feature Name:

Randomly generate passwords compliant with websites’ policies

Feature Description:

  • Generate random passwords compliant with websites’ policies
    • The website describes their password policy
    • The Password Manager reads this policy and suggests a new and random password to the user (in case the user doesn’t already have the website in the vault) that is compliant with the imposed policy

Clients / Repos Affected:

  • Browser Extension

Timeline to Completion (Estimate):

  • October 2021

Motivation

Hi everyone! In my MSc Thesis Dissertation, which is part of the PassCert Project, we are building a proof-of-concept password manager that, through the use of formal verification, is guaranteed to satisfy properties on data storage and password generation.

My project has the following goals:

  1. Make autofill more secure
  2. Make the Password Manager’s randomly generated passwords compliant with sites’ password policies (the feature I propose in this post)

This feature was suggested in a 2014/2015 work by Stajano et al.

In short, the idea presented is to use standardized annotations to facilitate the work done by password managers in analyzing forms, something like pmf-change-password, pmf-password, pmf-new-password, etc.

Not only this, but where a new password is needed, there would be an indication of the website’s policy, like so:

<!-- site policy requires a password to have 3 character classes and a minimum of 8 characters -->
<input type="password" name="new" class="pmf-new-password" policy="3class8"/>

The policy description follows the suggestions of Tan et al.

@tgreer @kspearrin


This is a good idea and would be fairly straightforward to implement, given a standard annotation like the one you propose. The real trick is getting that standard widely adopted. Without wide adoption, this feature simply wouldn’t work most of the time. (And I don’t think you could realistically scrape the password requirements from the page otherwise.)

Are there any other similar standards out there, or existing efforts to standardize this that you could hook into?

As you have your own forked project (PassCert), are you looking for your contributions to be merged back into the official repos, or are you just putting it up for discussion?

Thanks for the reply :slight_smile:

Yes, that’s indeed the bigger problem: adoption. It’s something so “simple” but it’s really hard to get everyone on board. I would say there is a general consensus that policies should follow a standard: the problem is what standard.

From what I read, it kind of depends on the country. The US will follow their NIST standards, whilst the EU will follow another standard, probably from ENISA, and I think that Australia also follows a different standard. Possibly other countries have their own, and this is just regarding government entities. I think that companies just grab a standard and they “choose” what restrictions to apply.

There is some research on the topic. Two of them are these articles by Tan et al. and Shay et al. They analyze and draw some interesting conclusions on what policies are better, taking into account factors like password guessability as well as password memorability, which may be needed for some accounts, even though randomly generating passwords is optimal.

In the coming days, I plan to compile all policies’ annotations (like 3class8 or 2word16 or comp8) that are suggested in the literature and what they actually mean in a practical way. This may be a starting point to have all the possibilities that this feature will accept, i.e., all the policies that the feature will recognize — they should be more than enough to guarantee security and usability.

The ideal goal would be to have our work merged, yes! Hopefully this makes sense to you.

And maybe Bitwarden could be at the forefront in this topic, being the first Password Manager to suggest the usage of these types of policies. :smiley:

Sounds good. As your primary goal is to develop a proof of concept for your dissertation, I’d say go for it. I can’t give you an answer on whether your work would be considered for merging, but I don’t think that should limit your thesis work. I think it’s a great example of OSS that you can grab & fork our project and use it in academic research.

Out of the two features you’ve proposed, this one is more straightforward to implement. Your other feature requires changing models, intercepting HTTP requests, generating and substituting tokens, etc. This feature only requires that you parse a DOM element and pass those requirements to the password generator service. So I recommend you work on this feature first to get familiar with the Bitwarden stack.

A few pointers to get you started, although I recommend you have a good poke around the code and experiment for yourself:

There are examples of all of this in the code already, so think of existing functionality that does similar things and then follow what they do.


Do any sites even support this yet?

Thanks for the reply!! I haven’t had the chance to come here sooner :slight_smile:

I’ll try to follow your recommendations. If/when I run into trouble, is it okay to ask for help in this thread, with more technical details?

To my knowledge, it is not implemented on any website. But there is some academic work done on this topic, as I mentioned, and some of it has partnerships with big corporations that could make it a standard. Here’s to hoping they adopt these changes :slight_smile:

I will develop it as a Proof of Concept.

It’s probably better to message me on Gitter for smaller questions, it’s easier to go back & forth without cluttering up the discussion here.
