Filter special characters in generated passwords per login

I like it - though since there are already options for 0-9, A-Z and a-z, maybe just the non-alpha-numerics? Or are you thinking to replace the “quick-picker” and have this as a secondary custom screen?

The layout and explanatory text is great and makes sense to me.

It was just an example I knew of from GRC. Perhaps it could remain the way the current UI is but have an option to select your own alphabet set like shown in my example above.

I really like Keepass’ approach to generating passwords:
[Image: Keepass exclude chars]

1 Like

[Image: Keepass special chars]

3 Likes

Perhaps it’s a bit of “mystery meat” UI, but you could make clicking each individual special char in the tickbox item turn it either light gray or black to select or deselect individual characters, thereby allowing users to quickly include or exclude special chars. Perhaps with accompanying hovertext to explain? My two cents.

This is a similar request to Password Generator Should Have More Character Set

I also like the KeePass approach. At least for Power Users they offer much more possibilities to tune the generated output. For example I needed a bunch of keys that could only contain Hexadecimal Digits, this wasn’t possible with Bitwarden so I used KeePass…
For the minimal solution I would suggest adding two InputFields to add characters to the set and remove characters from the set of possible characters.

2 Likes

I think we can easily manage this in the current UI. Please see my mocked changes below.
(edit + reset)

Should be clear what I mean!
I would only show those edit/delete links when you “hover” over that field, because most users won’t need to change this.

[Image: edit-or-reset]

Personally, I would like to remove the $ character from the list, because it doesn’t work nicely with CLI. So that’s why I want this feature 🙂

3 Likes

Hi there,

I have got the same problem: Some pages restrict the special characters.

I was just about screenshotting LastPass-AddOn as they have had a simple textbox there with the special characters (so edits would be easily possible); but it seems that LastPass has deprecated that feature.

So my suggestion for the UI is just having a simple textbox after the checkbox in which the special characters are listed (and could be changed when needed).

Best regards,
Patrick

I’m really thinking everyone is overthinking this whole thing, just don’t use special characters for those sites.

A random 20 character password of upper, lower, and numbers is 62^20 which is 704,423,425,546,998,022,968,330,264,616,370,176 password combinations. I’m sure you’re fine leaving out special characters. It’s the length of the password that really matters the most.

The only issue with that is most of these “troublesome” sites mandate the use of special characters, even if it is a limited set.

Where I’m running across the issue is on government (local, state, federal), healthcare (hospital, pharmacy, etc.) and financial (banking, insurance) systems. Which sort-of makes sense. These types of sites are among the most heavily regulated, which tends to lead to slow adoption of “up-to-date” practices.

Elsewise, I’d agree with you. Passphrase versus password and whatnot.

2 Likes

I agree with @bofh00, some sites do have arbitrary “special character” requirements that force users to use at least one symbol out of a specified set that doesn’t match Bitwarden’s. For these I have to generate a password, copy to a text editor, make arbitrary replacements, then paste the modified string. I can also go to https://passwordsgenerator.net/plus/ which gives me the option to edit the list of additional characters.

It would be nice to be able to do this within Bitwarden’s generator. I like @hoyolo’s mockup above; minimalist but effective.

2 Likes
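The requests in this thread (dropping `$`, a hex-only key, a site-mandated symbol set, `[a-z0-9_]` without 0/1 look-alikes) all reduce to one generator that takes character groups plus an exclusion list. The following is an added example, not part of any post here and not Bitwarden's code; the function names, the `site_symbols` set and the `01lo` look-alike list are assumptions made for illustration.

```python
import math
import secrets
import string


def generate(length, groups, exclude=""):
    """Return a random password with at least one character from each group.

    groups  -- character classes to draw from (lowercase, digits, symbols, ...)
    exclude -- characters removed from every group (e.g. "$" for CLI use)
    """
    # Deduplicate each group and drop the excluded characters.
    pools = [sorted(set(g) - set(exclude)) for g in groups]
    if any(not p for p in pools):
        raise ValueError("a character group is empty after exclusions")
    if length < len(pools):
        raise ValueError("length is too short to cover every group")
    alphabet = sorted(set().union(*pools))
    # One guaranteed pick per group, the rest uniform over the whole alphabet.
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # CSPRNG-backed shuffle so the guaranteed picks are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Upper bound in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    base = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    site_symbols = "!@#$%*"  # constructed example of a site-mandated set
    # Site requires a symbol from its own list; "$" dropped for CLI use.
    print(generate(20, base + [site_symbols], exclude="$"))
    # Hexadecimal-only key.
    print(generate(32, ["0123456789abcdef"]))
    # [a-z0-9_] without characters resembling 0 and 1 (assumed: 0, 1, l, o).
    print(generate(16, [string.ascii_lowercase + string.digits + "_"], exclude="01lo"))
    # 20 chars over 62 symbols vs. 62 plus the five remaining site symbols.
    print(round(entropy_bits(20, 62), 2), round(entropy_bits(20, 67), 2))
```

The entropy figure is an upper bound: forcing one character from each group rules out a small fraction of otherwise possible strings.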

I ran into a lot of annoyance with 1Password because they had a glib stance on their generator. It would have commas and a bunch of random characters, special characters at the front of a password, etc. which many sites - albeit arbitrary - didn’t like.

I’m for practicality of not getting ‘we don’t accept passwords that look like computer code’ rather than taking a stance that a password field should accept any character I throw at it. After all, if you change a password from OIlk*(j343 to OIlk,(j343 the hash would be entirely different. Brute forcing is just a series of guesses until one cracks the puzzle and its complexity is just based on assumptions and looking for the lowest hanging fruit. The person with a password of monkey123 is screwed compared to you.

Back to 1Password, the problem with theirs was that it would immediately pop up to update your password. If the site didn’t like the password it generated I couldn’t exit out and fill my current password back in because it had been updated. Consequently I had to do a lot of opening Notepad and pasting new passwords, then going into my vault and updating it with the password the site would take.

We should not have to each time select what type and length of password to generate. A password manager should generate a random number internally, and at least on the desktop display it N different ways all at once. Give us a copy icon for each one so we can click on any of the icons and copy that one.

I personally would like to see:

  • Lengths 16, 24, 32
  • Character set [a-z0-9_] (last one is underscore) of each length above. Also preferably always avoid characters resembling 0 and 1.

That’s a total of 6 passwords, and you can copy any of them by clicking on the associated copy icon.

Then give us some options to vary the above, so we get the type we prefer. Always 6 passwords, always able to copy any one of them with one click.

This might need modification on a mobile device – maybe only 4 at a time.

Looking for Password Generator?


There are many tools, but these tools are simple and better than all

I think an easy solution would be that the password in the Generator is editable. So you can manually add or remove characters.

1 Like

Bumping this - it is still relevant. The password generator in Bitwarden could do with some love, as it is surely the second most commonly used UI after searching for a password.

I think an additional avenue in dealing with this issue is to collectively educate website developers to allow more special characters in passwords.

When coding, it’s trivially easy to escape special characters when needed. Plus, allowing a full spectrum of special characters provides more password entropy, which is an essential component for good security.

Encouraging the millions of web developers to adopt a new practice seems like a Sisyphean task for a small password manager company to take on. Beyond a blog post or two, how to go about it?

The edit generated password suggestion above is excellent IMHO.

1 Like

It’s not just web developers either.

Some organisations are way out of date on these matters, banks being the obvious example but government at many levels is not far behind.