Expand Pool of Special Characters Available in Password Generator

I hope to have the option of typing my own desired set of special characters. For example, I really dislike ^ but I’m stuck with it if I check for special symbols in the generator. I know I can modify the password thereafter, but I would like to have better control on this.

Maybe it would be a good idea to let the user define the charset which will be used to generate the random password.

For example, allow the user to create and enable several charsets (for example numbers, alphabets, capitalized alphabet, symbols, custom charsets).

Then also give the user an option to decide how many times the characters in this charset will appear in the generated password. For example, maybe some users want 3 numbers, 5 alphabets, 2 capitalized alphabets, 5 characters in “!@#” and 2 characters in “%^*(”. The last two charsets could be custom charsets created and configured by the user, and the user can decide which characters are in those charsets.

@InternetNotSafe, you appear to want to take a 17 character password which with the specified character set would have an entropy of 104, and by user interference turn it into a specification with entropy 54. Possible calculation errors notwithstanding, this is a fine example of why human brains should be allowed nowhere near things which should be random. :slight_smile:

I see the purpose of special characters as exploiting such entropy as a website makes available to conforming passwords.

Unless you assume that the characters drawn from each subset will be arranged in blocks and not mixed up (e.g., 371epvghJXE@@!#!*%), then I believe the entropy may be as high as 103 bits*. You do lose some entropy because about half of the randomly generated passwords (drawing from the full 69-character pool) would fail to meet the required character counts for the individual subsets.

And to be fair, Bitwarden’s current password generator does use a similar method (although the constraints are implemented as a lower bound on the number of characters from each subset).


*This estimate seems to be higher than expected, so I reserve the right to be wrong! At a minimum, the true entropy will have to be lower than 103 bits, because this estimate does not take into account re-arrangements that result in the same password string (e.g., switching the first and second characters in @@!#!). Basically, I took your estimate (17·log₂69) and added Σ(log₂(nPr)) to account for the permutations.

I read their specification to be in blocks as written. Otherwise our 103/104 is the same. Randomisation of the block content would move toward the higher figure but removal of constraint of an exact (human-selected) number of characters from each block would also be needed to get there. I always assume the selection strategy is known to an attacker.

With a 17 character password, selecting solely from upper case characters still affords 80, showing the importance of length.

I may have posted something like the following elsewhere here, but this is also an apt location in case it is worth a proposal. For context I use my own password/passphrase generator to get larger word and symbol sets than in Bitwarden. Multiple tests have shown that output from it is statistically random within the symbol space so I am content with it.

Symbols are specified in the following UI elements:
There are two fields, one Include, one Exclude, each with an associated check box. If neither box is checked, my allowable symbol set has 28 elements used freely like alphanumerics. If Exclude is checked then its listed symbols are removed from the 28. If Include is checked then only the set within the Include field is permitted. This allows relatively simple switching between common website constraints, and complete flexibility.

There is no reason why passwords could not contain spaces. It would increase the entropy and would probably be an addition cheap to develop.

Special Characters are missing from the password generator. At the moment the special characters that the Password Generator generates are:

@ ! # * $ % ^ &

The missing Special Characters that should be added to the password generator to be able to generate are:

< | ( ) . : ; ” - ‘ [ ] { } + = ~ _ - / ? \

I second this request. I would like a tick box to select “Unicode” characters, just like with KeePass. I used to use Unicode characters in my passwords all the time. I found the vast majority of web sites work with Unicode characters in the password.
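
The entropy figures debated earlier in the thread (17 characters, a 69-character pool, exact per-subset counts) can be checked by counting the passwords each scheme can produce. This is an added example, not part of any post and not Bitwarden's code; it assumes the five disjoint subsets from the example above, a generator that picks uniformly, and an attacker who knows the scheme, and the function names are hypothetical.

```python
import math

# Subsets and exact counts from the example in the thread:
# 3 digits, 5 lowercase, 2 uppercase, 5 from "!@#", 2 from "%^*(".
SPEC = [
    ("0123456789", 3),
    ("abcdefghijklmnopqrstuvwxyz", 5),
    ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2),
    ("!@#", 5),
    ("%^*(", 2),
]

def free_bits(spec):
    """Every position drawn uniformly from the union of all subsets."""
    pool = set().union(*(set(chars) for chars, _ in spec))
    length = sum(n for _, n in spec)
    return length * math.log2(len(pool))

def block_bits(spec):
    """Exact counts with each subset kept in its own fixed block."""
    return sum(n * math.log2(len(set(chars))) for chars, n in spec)

def shuffled_bits(spec):
    """Exact counts with positions uniformly shuffled (disjoint subsets).

    Distinct strings = per-subset choices x ways to assign positions to
    subsets, which is the multinomial coefficient length! / (n1! n2! ...).
    """
    length = sum(n for _, n in spec)
    arrangements = math.factorial(length)
    for _, n in spec:
        arrangements //= math.factorial(n)
    return block_bits(spec) + math.log2(arrangements)

if __name__ == "__main__":
    print(f"unconstrained, 69-char pool : {free_bits(SPEC):6.1f} bits")
    print(f"exact counts, fixed blocks  : {block_bits(SPEC):6.1f} bits")
    print(f"exact counts, shuffled      : {shuffled_bits(SPEC):6.1f} bits")
    upper_only = [("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 17)]
    print(f"17 uppercase letters only   : {free_bits(upper_only):6.1f} bits")
```

The shuffled figure counts each distinct password string once, so rearrangements that produce the same string are not double-counted.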