Filter special characters in generated passwords per login

Multiple websites that I attempt to use Bitwarden with, limit special characters. These sites include banking /financial, technology (Oracle, Tenable, etc.) and InfoSec sites such as InfraGard and US-CERT.

The “generic” selection works well 80% of the time, but for these rather high-profile sites, it would be nice to have the option to deselect the “forbidden” characters.

5 Likes

I am not sure how we would implement this from a UI perspective. What do you propose?

1 Like

@bofh00 Hmm, isn’t that what last checkbox is for? Am I missing something?

Chars on your screenshot could look like a finite list, which would suggest that maybeee, maybeeee $ or & are fine. I wouldn’t even try though; if they are picky and dislike, ekhem, special characters*, they might not always write a full list of them. If I had seen it, I’d go straight for disabling the last option in BW and going for ridiculous length as compensation**.

Even if BW offered some way to exclude some chars, this would be an “I can’t be bothered” approach from me as a user; I’d just disable them all.

* There is absolutely nothing special about them
** I’m a masochist who wants to see “password is too long” next.

2 Likes

@eskela True, there really isn’t anything “special” from a typographic sense, but from a programmatic sense, some characters are used to denote executable code, command sequences, or un-processed comments, depending on the programming or query language being used.

In common nomenclature these, and the balance of the non-alpha-numeric characters, are considered “special” as they are not normally used in most dictionary words.

While disabling “special” characters is a work around for some sites, until the greater majority of institutions (including, sadly, US-CERT and the FBI’s InfraGard, along with the Department of Defense, Department of the Army, Veterans Administration, etc.) reconfigure their authorization and authentication systems to the most recent NIST /ISO recommendation /guidance, there will still be the need for some “special” characters.

My suggestion is to maybe develop something similar to what Password Safe uses, where there is a “global” and a per-login “Password Policy” setting, where if the per-login policy is not modified, the global parameters apply? It’s already partially in place from what I can see, in regards to password length.

1 Like

Well, I’m not a developer, but each input field should be sanitised, not allowing you to break the app’s code by having weird magic in the password. I appreciate it’s dinosaurs causing all the problems; however, it’s not as funny as emoji breaking bank systems.

@bofh00 Do you think it would be possible to come up with a list of special chars that dinosaurs might not fancy? This list will never be complete, and might not work in 100% of cases, but it might be possible to get a good chunk of them and exclude them. There’s also a chance that a “bad” char won’t appear in the generated password, increasing our chances of not generating a password with a disallowed character.

If I was a user who operates on sites like this, I think I would like to have it resolved like this… In settings (but not in Password Generator tab) ability to select option:
[ ] Switch special chars to alternative set.
This alternative set would be then displayed instead of usual special chars:

I don’t think there’s much benefit for most users in showing both. I guess, it would be simpler to do? :slight_smile:

I kinda like moving this to a setting, so normal users don’t have to worry about what this is. Users who need this more frequently can switch their special set and generate all passwords with a slightly decreased number of chars.

1 Like

It sounds simple in theory, and to your point, “modern” systems should sanitize such things. However, the sheer complexity of bringing a long-lived system into compliance is often underestimated. I’ve seen small-ish banks that took three years just to “sanitize” by scrubbing at the WebUI end of things, since the back-end was not only no longer supported by the original vendor (if they were even still in business), but any institutional knowledge on true systems-level programming had long since retired or deceased.

It might be possible to build a set of general parameters for some of the larger implementations. E.g. a “SQL” set, an “IIS” set, an “Apache/PHP” set, Java, ECMA/JScript, etc., but it seems to me to be more practical to have them customized on a per-login basis, with a default “global” starting set.

2 Likes

I see where you are going. So minimal viable solution would be to:

  • Store “bad” chars against the entry. You can have various sets of bad chars for different sites.
  • Exclude chars from “bad” list when you press Edit and go for Generate Password for this entry?

I forgot the option to generate for a particular entry is even there, as I usually generate the password from Tools, copy, paste it in the form, save (to see if the form is not unhappy), then edit the entry (easily accessible as filtered) and paste the password.

1 Like

That’s a viable solution, though it might be easier to “whitelist” than “blacklist”, requiring selection of acceptable characters from a pick-list versus denial of “bad”.

Copy-paste-save-edit-paste-save-lather-rinse-repeat works … until one hits the sheer ridiculousness of my life.

32 folders (waiting on sub-folders…), over 300 logins, at least 2/3rds require changing passwords every 60-90 days.

The more automation I can use to keep everything humming along, the better.

2 Likes
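As an added example (not Bitwarden’s code), here is how the per-login policy sketched in the two posts above could work: a global character set, a per-entry blocklist of site-forbidden characters or an allowlist of acceptable ones, one character guaranteed from every class that survives the policy, and the entropy cost of the narrowed set. The default special-character set is an assumption.

```python
import math
import secrets
import string

# Assumed global default; Bitwarden's real special set may differ.
GLOBAL_SPECIALS = "!@#$%^&*"

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": GLOBAL_SPECIALS,
}

def effective_classes(exclude="", allow=None):
    """Apply a per-login policy to the global classes.

    exclude: characters the site forbids (blocklist mode).
    allow:   if given, only these characters may appear (allowlist mode).
    A class emptied by the policy is dropped so it is no longer required.
    """
    out = {}
    for name, chars in CLASSES.items():
        kept = [c for c in chars if c not in exclude and (allow is None or c in allow)]
        if kept:
            out[name] = "".join(kept)
    return out

def generate(length, exclude="", allow=None):
    """Generate a password of `length` chars under the per-login policy."""
    classes = effective_classes(exclude, allow)
    if not classes or length < len(classes):
        raise ValueError("policy leaves no usable characters for this length")
    # One char from every surviving class, so a site that mandates a symbol
    # from its limited set is satisfied; the remainder drawn from the union.
    pool = "".join(classes.values())
    chars = [secrets.choice(s) for s in classes.values()]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)

def bits(length, exclude="", allow=None):
    """Entropy (bits) of a uniform password over the policy's effective pool,
    so a user can see how much length compensates for a narrowed set."""
    pool = "".join(effective_classes(exclude, allow).values())
    return length * math.log2(len(pool))
```

A 20-character password with specials disabled has a 62-symbol pool, so `bits(20, exclude=GLOBAL_SPECIALS)` reports about 119 bits, which is the figure one contributor below computes as 62^20 combinations.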

Perhaps something like this?

4 Likes

I like it, though since there are already options for 0-9, A-Z and a-z, maybe just the non-alphanumerics? Or are you thinking to replace the “quick-picker” and have this as a secondary custom screen?

The layout and explanatory text is great and makes sense to me.

It was just an example I knew of from GRC. Perhaps it could remain the way the current UI is but have an option to select your own alphabet set like shown in my example above.

1 Like

I really like Keepass’ approach to generating passwords:
(screenshot: KeePass exclude chars)

3 Likes

(screenshot: KeePass special chars)

8 Likes

Perhaps it’s a bit of “mystery meat” UI, but you could make clicking each individual special char in the tickbox item turn it either light gray or black to select or deselect individual characters, thereby allowing users to quickly include or exclude special chars. Perhaps with accompanying hovertext to explain? My two cents.

This is a similar request to Password Generator Should Have More Character Set

I also like the KeePass approach. At least for power users they offer many more possibilities to tune the generated output. For example, I needed a bunch of keys that could only contain hexadecimal digits; this wasn’t possible with Bitwarden, so I used KeePass…
For the minimal solution I would suggest adding two input fields to add characters to the set and remove characters from the set of possible characters.

2 Likes

I think we can easily manage this in the current UI. Please see my mocked changes below.
(edit + reset)

Should be clear what I mean!
I would only show those edit/delete links when you “hover” over that field, because most users won’t need to change this.

(screenshot: edit-or-reset mockup)

Personally, I would like to remove the $ character from the list, because it doesn’t work nicely with CLI. So that’s why I want this feature :slight_smile:

7 Likes

Hi there,

I have got the same problem: Some pages restrict the special characters.

I was just about to screenshot the LastPass add-on, as they had a simple textbox there with the special characters (so edits were easily possible); but it seems that LastPass has deprecated that feature.

So my suggestion for the UI is just having a simple textbox after the checkbox in which the special characters are listed (and could be changed when needed).

Best regards,
Patrick

I’m really thinking everyone is overthinking this whole thing, just don’t use special characters for those sites.

A random 20 character password of upper, lower, and numbers is 62^20 which is 704,423,425,546,998,022,968,330,264,616,370,176 password combinations. I’m sure you’re fine leaving out special characters. It’s the length of the password that really matters the most.

The only issue with that is most of these “troublesome” sites mandate the use of special characters, even if it is a limited set.

Where I’m running across the issue is on government (local, state, federal), healthcare (hospital, pharmacy, etc.) and financial (banking, insurance) systems. Which sort-of makes sense. These types of sites are among the most heavily regulated, which tends to lead to slow adoption of “up-to-date” practices.

Otherwise, I’d agree with you. Passphrase versus password and whatnot.

4 Likes