Customize pool of special characters available in password generator

I’ve noted that random password generation, in Bitwarden, doesn’t include some symbols.

( { } ( ) / \ ’ " ` ~ , ; : . <>)+|£€?

Why have you excluded them? Why don’t you make random password generation “more random” by adding them? You could give the user the possibility to include or exclude these symbols as you do with other symbols.

I think those were not listed because the random special symbols already apply for a high password entropy for brute-force attacks.

However, customizing your own character set wouldn’t be a bad idea. I’m not sure if Kyle would agree with this though.

What do you mean by “random special symbols already apply”? During PBKDF? Because KDFs require an input password with an already high entropy to be effective. If you choose an easy password you are not safe even if you use a KDF.

Nope. I meant that the currently available character set already does a “decent” job. But if you want to improve that by adding more complex symbols just to increase the strength and entropy, fine.

But I guess Kyle didn’t place those characters in specific for a lazy reason, not at all.

I’m not here to talk whether passwords are stronger or not. I’d use http://xkpasswd.net as an example. If it could be based on that kind of generation, it would be fair for me.
Although the master password is not something I change frequently. Also because it requires some time and practicing to memorize and keep them in mind.

I find it much more convenient to use a simple character set, such as all lowercase alphabetic.

For more randomness, increase the length.

There are some benefits to not using special characters. Copy-and-paste becomes more reliable, because you will not accidentally leave a substring out due to a special character being interpreted as a word boundary. On rare occasions, when you need to enter a password manually on a small-screen device, you will be less likely to make a typographical error.

If you encounter a website that requires special characters, just include one or two manually.

1 Like

If you let the user choose if the new symbols will be included or not, I can’t see the problem. For the length I agree with you but many websites limit the password length so you have to increase the entropy as you can.

+1 to have the option to include a larger symbol set for password generation.

Many sites limit the use of special symbols, so the set of Bitwarden is mostly compatible. More characters would break a lot of sites.

Why not extend the possible character set with a user-defined “real special chars”?

In Denmark we use æÆ, øØ and åÅ as plain ordinary “special” chars, but imagine the security if the password generator could use special chars like ®, «, ╔, √ etc.
I’m aware that some sites probably would refuse “illegal” chars, but most do actually accept them…

By making it a user-defined field, you (Bitwarden) don’t limit any special wishes…

I think this answers my question then, but just to make sure. Is there no way I can set what characters are and are not used in the password? I was sure I was just missing where to configure it somewhere… Some of my sites do not allow any special characters (!@# etc.), some require it. Some require upper and lower case. Some require shorter lengths, some require longer. I’m used to KeePass where I can set every single aspect of the random generator.

In the browser addon you can select which kind of characters should be used… I don’t see the point?

Different websites have different password requirements and not all websites accept all special characters. In such cases, I had to manually copy the password and look for not accepted characters and remove them. Please add the capability to choose special characters while generating the password.

32 symbols:

!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Maybe it would be easier to just let the user enter the symbols they want. Like if I type )#& in the box it will only use ) or # or & for its symbols.

3 Likes
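An added sketch (not Bitwarden's code and not from any poster) of the idea discussed above: a generator that takes whatever symbols the user types into a box, plus the length-versus-alphabet arithmetic raised earlier in the thread. The function names and the `min_symbols` parameter are assumptions made for this example; `THREAD_SYMBOLS` is the selectable set quoted in this thread.

```python
import math
import secrets
import string

THREAD_SYMBOLS = "!@#$%^&*"  # the selectable set quoted in this thread

def build_pool(symbols, lower=True, upper=True, digits=True):
    """Character pool with duplicates removed, so a symbol typed twice
    in the box is not drawn twice as often."""
    parts = [
        string.ascii_lowercase if lower else "",
        string.ascii_uppercase if upper else "",
        string.digits if digits else "",
        symbols,
    ]
    return "".join(dict.fromkeys("".join(parts)))

def generate(length, symbols=THREAD_SYMBOLS, min_symbols=1, **classes):
    """Draw uniformly from the pool with a CSPRNG and redraw the whole
    string until it holds at least min_symbols of the user's symbols.
    Redrawing keeps every accepted password equally likely; it is meant
    for small min_symbols values."""
    allowed = set(symbols)
    if min_symbols > length or (min_symbols > 0 and not allowed):
        raise ValueError("symbol requirement cannot be met")
    pool = build_pool(symbols, **classes)
    if not pool:
        raise ValueError("empty character pool")
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if sum(c in allowed for c in candidate) >= min_symbols:
            return candidate

def entropy_bits(length, pool_size):
    """Upper bound, length * log2(pool size); a min_symbols rule trims it slightly."""
    return length * math.log2(pool_size)

def length_for_bits(target_bits, pool_size):
    """Shortest length whose upper-bound entropy reaches target_bits."""
    if pool_size < 2:
        raise ValueError("pool needs at least two characters")
    return math.ceil(target_bits / math.log2(pool_size))

if __name__ == "__main__":
    print(generate(20, symbols=")#&"))           # only ) # & as symbols
    print(length_for_bits(100, 26))              # lowercase only
    print(length_for_bits(100, len(build_pool(THREAD_SYMBOLS))))
```

For a 100-bit target, the lowercase-only pool needs 22 characters while the 70-character pool (letters, digits and the eight symbols) needs 17, which is the trade-off that matters on sites that cap password length.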

Perhaps with a MRU drop-down list, one of which contains all the default symbols.

See also:

Configure Bitwarden to always give you a long password with only alphanumeric characters.

Then manually insert one or two of the required characters. Use underscore if possible, because it won’t prevent selecting the entire string with a double-click.

2 Likes

Just saw this:

So if Wells Fargo passwords ignore case, and maybe so do other websites, you can prevent the randomness of your password being thus reduced by using all lowercase to begin with.

+1 for this. I often had a situation where certain special characters were not allowed. Then I currently have to disable special characters completely which makes the password more insecure or delete them manually.
And as described here, more special characters should be added as well: Improve random password generation

Unicode characters are meaningful, such as the RAR archive password.

Please allow Password Manager users to specify specific special characters to be used in a Generator generated password. Currently only this set “!@#$%^&*” can be selected, which is ridiculous. Please give us the ability to create our own set of special characters. Other password managers allow this.

I modified the title of this Feature Request topic to be more descriptive (was: “Improve random password generation”).

@QM.v5UfM_qGeDq9t-pn8 Welcome to the forum. I moved your post (and vote) to this existing thread.