Filter special characters in generated passwords per login

I think an additional avenue in dealing with this issue is to collectively educate website developers to allow more special characters in passwords.

When coding, it’s trivially easy to escape special characters when needed. Plus, allowing a full spectrum of special characters provides more password entropy, which is an essential component for good security.

Encouraging the millions of web developers to adopt a new practice seems like a Sisyphean task for a small password manager company to take on. Beyond a blog post or two, how to go about it?

The edit generated password suggestion above is excellent IMHO.

1 Like

It’s not just web developers either.

Some organisations are way out of date on these matters, banks being the obvious example but government at many levels is not far behind.

Ok - to expand on the editable password in the generator. Of course it is already possible to edit a password after it has been saved. But if you already know the limitations, it would save several steps to allow changing disallowed special characters to allowed ones before saving. This also avoids the risk of saving a password different to the one actually set up in an account.

If saving also copied the new password to the clipboard this would be even better.

This approach is surely a lot simpler to implement than having an editable list of allowed special characters, that is likely to be wrong for almost as many sites as the current implementation.

For the sites that only tell you the allowed characters after you have submitted a password, this doesn’t help, but that is not Bitwarden’s fault.

The whole point is that I can’t see a single reason why the user would not be given full control over what characters can / cannot be used while generating passwords. This is a tool that should follow my (user’s) rules, and accommodate my needs as the user who generates passwords on a daily basis. Why would the tool force me into using a particular set of special characters - why? Am I treated like a kid who cannot decide which characters are needed for the passwords?

That’s very simple - just let me control the characters I need in my generated passwords.

Instead, if the tool wants me to EDIT the password it generates, why would I want to use the tool in the first place? I would not.

The basic idea behind not giving me enough freedom in configuring the characters is wrong. If you want to cater for users who have no clue how to generate strong passwords, then give them such an option with good defaults. But for adults just give full control. I don’t know how this can be not obvious.

It is a reasonable suggestion, and I am sure it will get addressed in the future sometime. Until then, your request has been heard loud and clear, but there are bigger fish to fry first.

When generating a new password in the Password Generator, I’d like to list the special characters that are allowed to use.

In my particular case, I’d only allow for an underscore _ - this way I can always select whole passwords with a double-click while still allowing for special characters.

Right now, I tend to turn the special characters OFF - just because I can never select the whole password with a double click.

Hope it makes sense for more than just me! – Thanks.

I’d very much welcome this, for different reasons: some sites are very arbitrary in which special characters they allow. And for the rare case where there are no restrictions on the character set, I’d like to include some nonstandard symbols like ø and ß, just to spice things up …

4 Likes

I very much welcome the suggestion and second that.

Due to varying requirements on different platforms for allowable special characters in the password, this feature would enhance Bitwarden’s effectiveness and applicability.

+1 for this feature. I used to use KeePass which has password generation profiles and explicit selection of which characters to use.

+1 RoboForm has this feature and I’m currently evaluating Bitwarden. So far this is the only thing Bitwarden is missing that I use often. This seems like a small item to implement with a high return in value to the user. Please add the ability to edit the special characters list for password generation.

I’d like this too. My bank has a short list of special characters that they allow, as do many other sites. It would be great if they all fixed their systems, but that’s not the world we live in. Being able to specify special characters allowed in the generator would be a really helpful feature.

I have run into this issue as well, on rare occasion. An easy workaround is to disable the special characters in the password generator, save the newly generated password, then manually edit the password to insert a couple of random, valid special characters.

That’s reasonable on a computer where multitasking is straightforward, but a total drag on a mobile device.

In the higher voted thread on this, there was a great suggestion to allow editing of the generated password in Bitwarden.

Anyone can already edit a saved password. What is needed for the ultimate convenience is the ability to filter out certain special characters. Having to edit a password must also be a total drag on a mobile device, don’t you think?

I use mobile phone contraptions for phoning people :smiley:. I know this sounds strange to some, but they don’t have the facilities of a computer. I sometimes send texts using them, but other than those uses I generally just use them for browsing. Very few things have to be done so instantly that I can’t wait until I have a computer within reach.

For things like setting up logins I use a computer, which makes things a lot easier. Having been using Bitwarden for about 15 months now that is the best way to do this in my view. The new logins will then appear on my phone contraption should I wish to login from there.

More generally, I find fewer sites where I have to fiddle with the password generation settings in Bitwarden now than when I started. Progress.

@Davidz You should not interpolate your case to everybody.

I personally like passwords that only have _ as a special character because I can then double-click the password and it will be selected as a whole, which is not the case if there are dots ., commas , etc. I compensate for the lack of these special characters by using more characters in the password. But anyway, that’s how I would like to generate passwords, and I am not going to change this – I still need a way to customize a set of special characters that are allowed to be used by the password generation. The only result of me not being able to let the generator only use _ is that I now don’t use the special characters at all.

As a side note, I can see already that the effort needed to implement such a feature is 10x smaller than the effort that is spent on discussing this feature. Just look at other password managers, almost everyone has got it. I can’t see what is to be discussed if people are just asking for this. But never mind, this is how contemporary software development works - years are spent discussing something while a few hours are needed to implement it and get the feedback from real users.

P.S. There are also paying customers, and we expect that the developers will listen to us and consider our requests. Look at the date when I first posted the request… still nothing. I’d rather see progress with the feature implementation than the progress you described above (in the second citation).
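An added illustration of what this thread asks for (a generator limited to a user-chosen special-character set) and of the point above about compensating for a smaller set with extra length. It is a Python sketch written for this page, not Bitwarden code or any poster's code; the function names and the 94-character comparison baseline are assumptions.

```python
import math
import secrets
import string

BASE = string.ascii_lowercase + string.ascii_uppercase + string.digits

def generate_password(length, specials="_", require_each_class=True):
    """Random password from letters, digits and a caller-chosen special set."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    # De-duplicate and drop anything already in BASE so no character is
    # over-represented; non-ASCII symbols such as "ø" are accepted as given.
    extra = "".join(c for c in dict.fromkeys(specials) if c not in BASE)
    if extra:
        classes.append(extra)
    if require_each_class and length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: redraw rather than patch characters in, so
        # every password that satisfies the policy is equally likely.
        if not require_each_class or all(
            any(c in cls for c in pw) for cls in classes
        ):
            return pw

def entropy_bits(length, alphabet_size):
    """Upper bound for uniformly random characters: length * log2(size).
    Requiring every class removes a small fraction of candidates."""
    return length * math.log2(alphabet_size)

def length_for_bits(target_bits, alphabet_size):
    """Shortest length whose upper-bound entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

if __name__ == "__main__":
    full = len(BASE) + len(string.punctuation)   # 94 printable ASCII symbols
    only_underscore = len(BASE) + 1              # 63 symbols
    target = entropy_bits(20, full)
    print(f"20 chars over {full} symbols: {target:.1f} bits")
    need = length_for_bits(target, only_underscore)
    print(f"same strength with only '_': {need} chars")
    print(generate_password(need, specials="_"))
```

Restricting the special set to a single underscore costs about two extra characters at this length, which is the trade described in the post above.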

You seriously need to garner a lot more votes if you want this feature to rise to the top of the development priority list. Or if this feature is so important, feel free to contribute some code yourself - this is an open source project after all.

1 Like

Thanks, I’ve not time to spend on persuading the developers and the community. I’ve already spent time creating the feature request AND describing the use-cases AND answering in the thread AND paying the subscription. By asking me to spend even more time to persuade someone to improve the product in obvious ways, you further devalue my time and make me feel miserable - because everyone would feel miserable if asked to prove obvious things and beg to implement trivial things in a product they are paying for.


Just for reference, is it really such a giant effort to turn one text label into an input and save it in user profile? Really?

image

It is literally that much work. Somehow it needs votes to convert a piece of text into an input and takes months and months of discussion.

… and by saying this:

feel free to contribute some code yourself

you indirectly agree that if done, it would be accepted into the codebase; so by this you confirm there is no need to collect enough votes, and all is needed is will, and a few hours of work.

It might of course take a few weeks rather than a few hours if you need to create a task in your task manager, then poker-plan the task, then let agile manager assign it to someone, then test it, then write 20 unit tests for it, then have QA engineers check it, then deploy it, then finally it’s there. If that’s the way things are accomplished by the Bitwarden dev team, then yes it is much more involved than a few hours single-person work, and yes it needs to collect enough votes before going that far.

@anton I don’t do what you claimed that I do.

As a paying customer myself, there are a number of things I wish Bitwarden would do to change the software in ways that I would prefer. However, I also appreciate that Bitwarden probably have competing requests for changes. Above all I wouldn’t want to see new, not properly tested, versions rushed as the likes of Microsoft tend to do, this software is too important to be bodged.

1 Like