Feature Name:
Randomly generate passwords compliant with websites’ policies
Feature Description:
- Generate random passwords compliant with websites’ policies
- The website describes their password policy
- The Password Manager reads this policy and suggests a new and random password to the user (in case the user doesn’t already have the website in the vault) that is compliant with the imposed policy
Clients / Repos Affected:
- Browser Extension
Timeline to Completion (Estimate):
- October 2021
Motivation
Hi everyone! In my MSc Thesis Dissertation, which is a part of the PassCert Project, we are building a proof-of-concept password manager that, through the use of formal verification, is guaranteed to satisfy properties on data storage and password generation.
My project has the following goals:
- Make autofill more secure
- Make the Password Manager’s randomly generated passwords compliant with sites’ password policies (the feature I propose in this post)
This feature was suggested in a 2014/2015 work, by Stajano et al.
In short, the idea presented is to use a standardized type of annotations to facilitate the work done by password managers in analyzing forms — something like `pmf-change-password`, `pmf-password`, `pmf-new-password`, etc.
Not only this, but where a new password is needed, there would be an indication of the website’s policy, like so:
```html
<!-- site policy requires a password to have 3 character classes and a minimum of 8 characters -->
<input type="password" name="new" class="pmf-new-password" policy="3class8"/>
```
The policy description follows the suggestions of Tan et al.
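The flow proposed above, as an added example that is not part of the original post or of any password manager's code: it parses a `policy` attribute such as `3class8` and generates a random password that satisfies it. It assumes `NclassM` means at least N of four character classes (lowercase, uppercase, digits, symbols) and at least M characters; the function names, the symbol set and the 16-character default length are also assumptions.

```javascript
// Added example: parse an "NclassM" policy attribute (e.g. "3class8") and
// generate a compliant password. Names, symbol set and defaults are assumed.
// Browsers expose crypto globally; the fallback covers older Node versions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const CLASSES = [
  'abcdefghijklmnopqrstuvwxyz',
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  '0123456789',
  '!#$%&()*+,-./:;<=>?@[]^_{|}~',
];

// Parse "3class8" -> { minClasses: 3, minLength: 8 }; reject anything else.
function parsePolicy(attr) {
  const m = /^([1-4])class(\d{1,3})$/.exec(String(attr).trim());
  if (!m) throw new Error('unsupported policy: ' + attr);
  const policy = { minClasses: Number(m[1]), minLength: Number(m[2]) };
  // A password shorter than the number of required classes cannot exist.
  if (policy.minLength < policy.minClasses) throw new Error('inconsistent policy: ' + attr);
  return policy;
}

// Uniform integer in [0, n) by rejection sampling (avoids modulo bias).
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function countClasses(pw) {
  return CLASSES.filter((set) => [...pw].some((ch) => set.includes(ch))).length;
}

function isCompliant(pw, policy) {
  return pw.length >= policy.minLength && countClasses(pw) >= policy.minClasses;
}

// Draw every character uniformly from all classes and retry until the policy
// holds, so the result is uniform over the compliant passwords of that length.
function generatePassword(attr, length = 16) {
  const policy = parsePolicy(attr);
  const n = Math.max(length, policy.minLength); // never below the site's minimum
  const all = CLASSES.join('');
  let pw;
  do {
    pw = Array.from({ length: n }, () => all[randomBelow(all.length)]).join('');
  } while (!isCompliant(pw, policy));
  return pw;
}
```

An unparseable or missing `policy` attribute throws here, so a caller can fall back to the manager's default generator settings.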