Compliant random passwords

mikibakaiki · March 27, 2021, 8:24am

Feature Name:

Randomly generate passwords compliant with websites’ policies

Feature Description:

Generate random passwords compliant with websites’ policies
- The website describes their password policy
- The Password Manager reads this policy and suggests a new and random password to the user (in case the user doesn’t already have the website in the vault) that is compliant with the imposed policy

Clients / Repos Affected:

Browser Extension

Timeline to Completion (Estimate):

October 2021

Motivation

Hi everyone! In my MSc Thesis Dissertation, which is a part of the PassCert Project, we are building a proof-of-concept password manager that through the use of formal verification, is guaranteed to satisfy properties on data storage and password generation.

My project has the following goals:

Make autofill more secure
Make the Password Manager’s randomly generated passwords compliant with sites’ password policies (the feature I propose in this post)

This feature was suggested in a 2014/2015 work, by Stajano et al.

In short, the idea presented is to use a standardized type of annotations to facilitate the work done by password managers in analyzing forms — something like pmf-change-password, pmf-password, pmf-new-password, etc.

Not only this, but where it’s needed a new password, there would be an indication of what is the website’s policy, like so:

<!-- site policy requires a password to have 3 character classes and a minimum of 8 characters -->
<input type="password" name="new" class="pmf-new-password" policy="3class8"/>

The policy description follows the suggestions of Tan et al.

@tgreer @kspearrin

eliykat · March 29, 2021, 11:43pm

This is a good idea and would be fairly straightforward to implement, given a standard annotation like the one you propose. The real trick is getting that standard widely adopted. Without wide adoption, this feature simply wouldn’t work most of the time. (And I don’t think you could realistically scrape the password requirements from the page otherwise.)

Are there any other similar standards out there, or existing efforts to standardize this that you could hook into?

As you have your own forked project (PassCert), are you looking for your contributions to be merged back into the official repos, or are you just putting it up for discussion?

mikibakaiki · March 30, 2021, 9:51pm

Thanks for the reply

Yes, that’s indeed the bigger problem: adoption. It’s something so “simple” but it’s really hard to get everyone on board. I would say there is a general consensus that policies should follow a standard: the problem is what standard.

From what I read, it kind of depends on the country. The US will follow their NIST standards, whilst the EU will follow another standard, probably from ENISA, and I think that Australia also follows a different standard. Possibly other countries have their own, and this is just regarding government entities. I think that companies just grab a standard and they “choose” what restrictions to apply.

There is some research on the topic. Two of them are these articles by Tan et al. and Shay et al. They analyze and draw some interesting conclusions on what policies are better, taking into account factors like password guessability as well as password memorability — may be needed for some accounts, even though randomly generating passwords is optimal.

In the coming days, I plan to compile all policies’ annotations (like 3class8 or 2word16 or comp8) that are suggested in the literature and what they actually mean in a practical way. This may be a starting point to have all the possibilities that this feature will accept, i.e., all the policies that the feature will recognize — they should be more than enough to guarantee security and usability.

The ideal goal would be to have our work merged, yes! Hopefully this makes sense to you.

And maybe bitwarden could be at the forefront in this topic, being the first Password Manager to suggest the usage of these types of policies.

eliykat · March 30, 2021, 10:08pm

Sounds good. As your primary goal is to develop a proof of concept for your dissertation, I’d say go for it. I can’t give you an answer on whether your work would be considered for merging, but I don’t think that should limit your thesis work. I think it’s a great example of OSS that you can grab & fork our project and use it in academic research.

Out of the two features you’ve proposed, this one is more straightforward to implement. Your other feature requires changing models, intercepting HTTP requests, generating and substituting tokens, etc. This feature only requires that you parse a DOM element and pass those requirements to the password generator service. So I recommend you work on this feature first to get familiar with the Bitwarden stack.

A few pointers to get you started, although I recommend you have a good poke around the code and experiment for yourself:

you would need a content script running in the webpage to scrape the annotated DOM element
that content script would send messages to communicate with the extension’s background script
the background script would then invoke an Angular service to parse the annotation and pass the correct arguments to passwordGeneration.service.ts
you could then consider copying to clipboard or autofilling the password

There are examples of all of this in the code already, so think of existing functionality that does similar things and then follow what they do.

Essadon · April 1, 2021, 4:52pm

Do any site even support this yet?

mikibakaiki · April 5, 2021, 10:01am

Thanks for the reply!! I haven’t had the chance to come here sooner

I’ll try to follow your recommendations. If/when I run into trouble, is it okay to ask for help in this thread? with more technical details?

mikibakaiki · April 5, 2021, 10:04am

To my knowledge, it is not implemented on any website. But there is some academic work done on this topic, as I mentioned, and some of it has partnerships with big corporations that could make it a standard. Here’s to hoping they adopt these changes

I will develop it as a Proof of Concept

eliykat · April 5, 2021, 8:15pm

It’s probably better to message me on Gitter for smaller questions, it’s easier to go back & forth without cluttering up the discussion here.

mikibakaiki · April 18, 2021, 4:46pm

Hey there!

So I was just told by a friend that 1password is already using this feature. I dove into their article and found this repo and this site which I’m not sure you were aware exists — I know I wasn’t!

So this means that there may be already some efforts to create a standard on this topic. I will read more about it, and try to see it in the mentioned websites

mikibakaiki · May 5, 2021, 9:12pm

Hey there!

I wanted to do a quick update on what I’ve found and what I’ve been working on.

Recently I found out that Apple has some efforts to enforce a similar feature: create password rules for password managers to interpret and generate compliant passwords. The links can be found in my previous post

So i adapted their solution and their parser to Bitwarden and currently I’ve got a prototype working. Here is a gif demonstrating the general behaviour, for a website with these rules: passwordrules="minlength: 15; maxlength: 23; required: upper, digit; allowed: special;"

A quick summary of what is done and what is missing:

Done

The disabled fields are the required ones.
The length of the password is limited to the min and max of the rules found
The Minimum Numbers is 1 as well since the rule I tried it on requires numbers
The Minimum Special is 0 because symbols are allowed, but they are not mandatory.

Missing

Possibility to limit or describe all the characters that a site may want, like:
required: [!"#$%&/]; - this specific list of symbols or required: [abcdefg] - only passwords with these lowercase letters— the original HTML rules allow for this kind of thing, but I did not implement it yet because I would like this to be merged into BW. If you say it’s okay to adapt, I will
Check if the generated password is compliant with the rules of an enterprise
The possibility for max-consecutive which is also described in the original passwordrules. Basically it restricts the number of consecutive equal characters. For example, with a max-consecutive: 2, the password ooops would not be acceptable. I don’t think this functionality exists in Bitwarden, but should be straightforward to do I think.

In the same github repo, you can find a community updated list of rules in this format, which I intend to check if the website does not have any rules in the HTML code — I am currently working on this!

I think this can be a very good addition to the product, and I would really appreciate feedback on how it is, and how it can improve in order to be merged to the main branch

@cscharf what do you think?

Any feedback is welcome!

PS: I think that 1Password already has something like this, and it uses the “Apple Standard”.