Filter special characters in generated passwords per login

[Image: Keepass special chars]

3 Likes

Perhaps it’s a bit of “mystery meat” UI, but you could make clicking each individual special char in the tickbox item turn it either light gray or black to select or deselect individual characters, thereby allowing users to quickly include or exclude special chars. Perhaps with accompanying hovertext to explain? My two cents.

This is a similar request to Password Generator Should Have More Character Set

I also like the KeePass approach. At least for Power Users they offer much more possibilities to tune the generated output. For example I needed a bunch of keys that could only contain Hexadecimal Digits, this wasn’t possible with Bitwarden so I used KeePass…
For the minimal solution I would suggest adding two InputFields to add characters to the set and remove characters from the set of possible characters.

2 Likes

I think we can easily manage this in the current UI. Please see my mocked changes below.
(edit + reset)

Should be clear what I mean!
I would only show those edit/delete links when you “hover” over that field, because most users won’t need to change this.

[Image: edit-or-reset]

Personally, I would like to remove the $ character from the list, because it doesn’t work nicely with CLI. So that’s why I want this feature :)

3 Likes

Hi there,

I have got the same problem: Some pages restrict the special characters.

I was just about to screenshot the LastPass-AddOn, as they have had a simple textbox there with the special characters (so edits would be easily possible); but it seems that LastPass has deprecated that feature.

So my suggestion for the UI is just having a simple textbox after the checkbox in which the special characters are listed (and could be changed when needed).

Best regards,
Patrick

I’m really thinking everyone is overthinking this whole thing, just don’t use special characters for those sites.

A random 20 character password of upper, lower, and numbers is 62^20 which is 704,423,425,546,998,022,968,330,264,616,370,176 password combinations. I’m sure you’re fine leaving out special characters. It’s the length of the password that really matters the most.

The only issue with that is most of these “troublesome” sites mandate the use of special characters, even if it is a limited set.

Where I’m running across the issue is on government (local, state, federal), healthcare (hospital, pharmacy, etc.) and financial (banking, insurance) systems. Which sort-of makes sense. These types of sites are among the most heavily regulated, which tends to lead to slow adoption of “up-to-date” practices.

Elsewise, I’d agree with you. Passphrase versus password and whatnot.

2 Likes

I agree with @bofh00, some sites do have arbitrary “special character” requirements that force users to use at least one symbol out of a specified set that doesn’t match Bitwarden’s. For these I have to generate a password, copy to a text editor, make arbitrary replacements, then paste the modified string. I can also go to https://passwordsgenerator.net/plus/ which gives me the option to edit the list of additional characters.

It would be nice to be able to do this within Bitwarden’s generator. I like @hoyolo’s mockup above; minimalist but effective.

2 Likes
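As an added illustration of the per-login symbol list requested in this thread (not Bitwarden's code and not written by any poster): a generator that takes an editable symbol set and guarantees one character from each class, plus an entropy estimate for the length-versus-symbols argument made earlier. The `SITE_SYMBOLS` value and the function names are assumptions made up for the example.

```python
import math
import secrets
import string

# Constructed example policy: a site that accepts only these specials
# (note "$" is deliberately left out, as one poster wanted for CLI use).
SITE_SYMBOLS = "!@#%*-_"


def generate(length, symbols=SITE_SYMBOLS):
    """Return a random password using letters, digits and `symbols`.

    Every class in use is guaranteed to appear at least once, which is what
    sites that mandate "one special character from this list" check for.
    Pass symbols="" for a letters-and-digits-only password.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    # De-duplicate while keeping order so no character is over-weighted.
    alphabet = "".join(dict.fromkeys("".join(classes)))
    # Rejection sampling with a CSPRNG: redraw until every class is present.
    # The result stays uniform over all passwords that satisfy the policy.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Upper bound, in bits, for `length` uniform draws from the alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate(20))                                # site-specific symbols
    print(generate(20, symbols=""))                    # alphanumeric only
    print(round(entropy_bits(20, 62), 1))              # 62^20, no symbols
    print(round(entropy_bits(20, 62 + len(SITE_SYMBOLS)), 1))
    print(round(entropy_bits(21, 62), 1))              # one extra character
```

With these numbers, one extra alphanumeric character adds more entropy than the seven-symbol set does at the same length, so the restricted symbol list matters for site acceptance rather than strength.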

I ran into a lot of annoyance with 1Password because they had a glib stance on their generator. It would have commas and a bunch of random characters, special characters at the front of a password, etc. which many sites - albeit arbitrary - didn’t like.

I’m for practicality of not getting ‘we don’t accept passwords that look like computer code’ rather than taking a stance that a password field should accept any character I throw at it. After all, if you change a password from OIlk*(j343 to OIlk,(j343 the hash would be entirely different. Brute forcing is just a series of guesses until one cracks the puzzle and its complexity is just based on assumptions and looking for the lowest hanging fruit. The person with a password of monkey123 is screwed compared to you.

Back to 1Password, the problem with theirs was that it would immediately pop up to update your password. If the site didn’t like the password it generated I couldn’t exit out and fill my current password back in because it had been updated. Consequently I had to do a lot of opening Notepad and pasting new passwords, then going into my vault and updating it with the password the site would take.

We should not have to each time select what type and length of password to generate. A password manager should generate a random number internally, and at least on the desktop display it N different ways all at once. Give us a copy icon for each one so we can click on any of the icons and copy that one.

I personally would like to see:

  • Lengths 16, 24, 32
  • Character set [a-z0-9_] (last one is underscore) of each length above. Also preferably always avoid characters resembling 0 and 1.

That’s a total of 6 passwords, and you can copy any of them by clicking on the associated copy icon.

Then give us some options to vary the above, so we get the type we prefer. Always 6 passwords, always able to copy any one of them with one click.

This might need modification on a mobile device – maybe only 4 at a time.

Looking for Password Generator?


There are many tools, but these tools are simple and better than all

I think an easy solution would be that the Password in the Generator is editable. So you can manually add or remove characters.

1 Like

Bumping this - it is still relevant. The password generator in Bitwarden could do with some love, as it is surely the second most commonly used UI after searching for a password.

I think an additional avenue in dealing with this issue is to collectively educate website developers to allow more special characters in passwords.

When coding, it’s trivially easy to escape special characters when needed. Plus, allowing a full spectrum of special characters provides more password entropy, which is an essential component for good security.

Encouraging the millions of web developers to adopt a new practice seems like a Sisyphean task for a small password manager company to take on. Beyond a blog post or two, how to go about it?

The edit generated password suggestion above is excellent IMHO.

1 Like

It’s not just web developers either.

Some organisations are way out of date on these matters, banks being the obvious example but government at many levels is not far behind.

Ok - to expand on the editable password in the generator. Of course it is already possible to edit a password after it has been saved. But if you already know the limitations, it would save several steps to allow changing disallowed special characters to allowed ones before saving. This also avoids the risk of saving a password different to the one actually set up in an account.

If saving also copied the new password to the clipboard this would be even better.

This approach is surely a lot simpler to implement than having an editable list of allowed special characters, that is likely to be wrong for almost as many sites as the current implementation.

For the sites that only tell you the allowed characters after you have submitted a password, this doesn’t help, but that is not Bitwarden’s fault.

The whole point is that I can’t see a single reason why the user would not be given full control over what characters can / cannot be used while generating passwords. This is a tool that should follow my (user’s) rules, and accommodate my needs as the user who generates passwords on a daily basis. Why would the tool force me into using a particular set of special characters - why? Am I treated like a kid who cannot decide which characters are needed for the passwords?

That’s very simple - just let me control the characters I need in my generated passwords.

Instead, if the tool wants me to EDIT the password it generates, why would I want to use the tool in the first place? I would not.

The basic idea behind not giving me enough freedom in configuring the characters is wrong. If you want to cater for users who have no clue how to generate strong passwords, then give them such an option with good defaults. But for adults just give full control. I don’t know how this can be not obvious.

It is a reasonable suggestion, and I am sure it will get addressed in the future sometime. Until then, your request has been heard loud and clear, but there are bigger fish to fry first.