I agree with @bofh00, some sites do have arbitrary “special character” requirements that force users to use at least one symbol out of a specified set that doesn’t match Bitwarden’s. For these I have to generate a password, copy to a text editor, make arbitrary replacements, then paste the modified string. I can also go to https://passwordsgenerator.net/plus/ which gives me the option to edit the list of additional characters.
It would be nice to be able to do this within Bitwarden’s generator. I like @hoyolo’s mockup above; minimalist but effective.
I ran into a lot of annoyance with 1Password because they had a glib stance on their generator. It would have commas and a bunch of random characters, special characters at the front of a password, etc. which many sites - albeit arbitrary - didn’t like.
I’m for practicality of not getting ‘we don’t accept passwords that look like computer code’ rather than taking a stance that a password field should accept any character I throw at it. After all, if you change a password from OIlk*(j343 to OIlk,(j343 the hash would be entirely different. Brute forcing is just a series of guesses until one cracks the puzzle and its complexity is just based on assumptions and looking for the lowest hanging fruit. The person with a password of monkey123 is screwed compared to you.
Back to 1Password, the problem with theirs was that it would immediately pop up to update your password. If the site didn’t like the password it generated I couldn’t exit out and fill my current password back in because it had been updated. Consequently I had to do a lot of opening Notepad and pasting new passwords, then going into my vault and updating it with the password the site would take.
Different websites have different password requirements and not all websites accept all special characters. In such cases, I had to manually copy the password and look for not accepted characters and remove them. Please add the capability to choose special characters while generating the password.
We should not have to each time select what type and length of password to generate. A password manager should generate a random number internally, and at least on the desktop display it N different ways all at once. Give us a copy icon for each one so we can click on any of the icons and copy that one.
I personally would like to see:
Lengths 16, 24, 32
Character set [a-z0-9_] (last one is underscore) of each length above. Also preferably always avoid characters resembling 0 and 1.
That’s a total of 6 passwords, and you can copy any of them by clicking on the associated copy icon.
Then give us some options to vary the above, so we get the type we prefer. Always 6 passwords, always able to copy any one of them with one click.
This might need modification on a mobile device – maybe only 4 at a time.
Some sites only allow certain special characters in their passwords cause they’re dumb. Have a field in the password generator where we can define which symbols we would like the generator to populate the password with. This would override the default symbols selection.
And to include o’s and 0’s since they look alike. I try to avoid them unless they are printed unequivocally, such as having a slash mark through the zero.
This problem seems to be growing even though websites shouldn’t restrict any symbol, e.g., “Password requirement: minimum of one symbol (except ‘!’ or ‘%’).”
I’ve been working around this for years by reducing the generator’s length to accommodate manually typing the allowed symbol(s) at the end or the beginning of the new generated password. But it’s so fussy. Then I have to make sure the password manager stores the correct password containing the manually typed part.
The proposed option would be easy to implement in my opinion.
In the password Generator’s “OPTIONS” section “!@#$%^&* ☐” include a checkbox next to each symbol character, e.g.,
!@#$%^&* ☐ ☐! ☐@ ☐# ☐$ ☐% ☐^ ☐&
or
☐all ☐! ☐@ ☐# ☐$ ☐% ☐^ ☐&
Clicking “all” would check every box, then a user could uncheck one or more. Or the user could just check one or more boxes other than “all.”
or
☐! ☐@ ☐# ☐$ ☐% ☐^ ☐& ☐ (<-- this box would check all the boxes to its left)
The layout of the Generator only has checkboxes in its right margin, but it’d be less than ideal to stack more boxes there rather than modify the generator’s layout a little and provide horizontal boxes just for the symbols section.
Bumping this - it is still relevant. The password generator in Bitwarden could do with some love, as it is surely the second most commonly used UI after searching for a password.
I think an additional avenue in dealing with this issue is to collectively educate website developers to allow more special characters in passwords.
When coding, it’s trivially easy to escape special characters when needed. Plus, allowing a full spectrum of special characters provides more password entropy, which is an essential component for good security.
Encouraging the millions of web developers to adopt a new practice seems like a Sisyphean task for a small password manager company to take on. Beyond a blog post or two, how to go about it?
The edit generated password suggestion above is excellent IMHO.
Ok - to expand on the editable password in the generator. Of course it is already possible to edit a password after it has been saved. But if you already know the limitations, it would save several steps to allow changing disallowed special characters to allowed ones before saving. This also avoids the risk of saving a password different to the one actually set up in an account.
If saving also copied the new password to the clipboard this would be even better.
This approach is surely a lot simpler to implement than having an editable list of allowed special characters, that is likely to be wrong for almost as many sites as the current implementation.
For the sites that only tell you the allowed characters after you have submitted a password, this doesn’t help, but that is not Bitwarden’s fault.
The whole point is that I can’t see a single reason why the user would not be given full control over what characters can / cannot be used while generating passwords. This is a tool that should follow my (user’s) rules, and accommodate my needs as the user who generates passwords on a daily basis. Why would the tool force me into using a particular set of special characters - why? Am I treated like a kid who cannot decide which characters are needed for the passwords?
That’s very simple - just let me control the characters I need in my generated passwords.
Instead, if the tool wants me to EDIT the password it generates, why would I want to use the tool in the first place? I would not.
The basic idea behind not giving me enough freedom in configuring the characters is wrong. If you want to cater for users who have no clue how to generate strong passwords, then give them such an option with good defaults. But for adults just give full control. I don’t know how this can be not obvious.
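The option requested throughout this thread, a generator limited to a user-chosen symbol set, sketched as an added example (not Bitwarden's code and not written by any poster); the function names, the look-alike set and the sample symbol sets are assumptions. It also reports the entropy upper bound for each set, so the cost of a narrower symbol list can be compared with the default.

```python
import math
import secrets
import string

# Assumption: the look-alike characters a user may want to drop.
AMBIGUOUS = set("0Oo1lI")

def build_classes(symbols="!@#$%^&*", upper=True, avoid_ambiguous=False):
    """Return the disjoint character classes the password is drawn from."""
    # De-duplicate the user's symbols and ignore any letters or digits typed there.
    syms = "".join(c for c in dict.fromkeys(symbols) if not c.isalnum())
    classes = [string.ascii_lowercase, string.digits]
    if upper:
        classes.append(string.ascii_uppercase)
    if syms:
        classes.append(syms)
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return [cls for cls in classes if cls]

def generate(length, **options):
    """Generate a password with at least one character from every enabled class."""
    classes = build_classes(**options)
    if length < len(classes):
        raise ValueError("length too short for one character per class")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest from the whole alphabet,
    # then a CSPRNG shuffle so the guaranteed ones are not at fixed positions.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def entropy_bits(length, **options):
    """Upper bound length * log2(alphabet size); the per-class guarantee lowers it slightly."""
    return length * math.log2(sum(len(cls) for cls in build_classes(**options)))

if __name__ == "__main__":
    # Constructed sample policies: default symbols, a site allowing only _ and -,
    # and the [a-z0-9_] set with lengths 16, 24, 32 mentioned in the thread.
    policies = [("default 8 symbols", {}),
                ("only _ and -", {"symbols": "_-"}),
                ("[a-z0-9_]", {"symbols": "_", "upper": False})]
    for label, opts in policies:
        for n in (16, 24, 32):
            print(f"{label:18} len={n} <= {entropy_bits(n, **opts):6.1f} bits  {generate(n, **opts)}")
```

At length 16, cutting the symbol list from eight characters to two lowers the bound from about 98 bits to 96 bits; dropping upper case as well costs far more than the symbol restriction does.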