Generator: % instead of number for minimum numbers & special

Instead of configuring an integer for “minimum numbers” and “minimum special” in the password generator, please allow to configure a percentage.

Because the maximum length varies from site to site and therefore I often change only the length [*]… and of course, the minimum of numbers and special is different whether the length is 16 or 70. So it’s annoying to have to change the length and the 2 minimums… especially as these values are not next to each other so we’ve to scroll.

[*] Which BTW is annoying to change, especially as the position of the length field changes when the generated password takes less or more lines.

Pascal, to understand your proposal, would you explain to me a little more what you mean by this?

Are you saying some sites demand minima greater than 1, or this is your preference? I would be surprised if a site worked on percentages.

I know a lot of sites demand mixes to protect thoughtless users, but defining minima is a constraint on generator entropy. Consider that within Bitwarden’s 70 character set, the probability of at least one number appearing in a random 16 characters is over 91%, at least one special character over 85% and both over 78%. Increase the length to 30 characters and those become 99%, 97% and 96%. Would not a minimum of 1 on each (if you must) suffice for any length?

1 Like

Have you encountered a website that requires a percentage of specials? If so, can you share it? I would love to see those requirements.

When I use the generator, I just set the settings to match whatever the website states as their minimums, except the length, which I set to the maximum.

Requiring more than the minimum of particular character classe is actually a “bad thing” because it reduces the size of the search space. This is easiest to understand when taken to the extreme. If a 3 character password were required to have 100% digits, you would have 1000 passwords to pick from ( = 10*10*10). If just one digit is required you can chose from 270,750 ( = 95*95*10 + 95*10*95 + 10*95*95).

1 Like

@DenBesten [joke] Do you see often a site that clearly mentions their requirements upfront? :roll_eyes:
Those who do are usually not problematic :man_shrugging:

I want my defaults to be like min numeric=10%, min special=10%.
So if length=70 => min=7. If length=20, min=2. If length=16 => min=2.

I’m lazy, I don’t want to have to change the generator settings, I want to “set & forget”.
My defaults are better than what the majority of sites requires. The only problem is usually when they limit to a small length.

1 Like

OK for the requirements but what about the generator options? What are the impacts of “min numeric” and “min special”? From the attacker point of view, the number of potential characters is the same whatever the minimum values we use, right?
:thinking: They can brute force first passwords with higher min numeric/specials.

1 Like

Other than for convenience, you have not explained why.

For 16 characters as an example, one knows that no crack which does not have at least two numeric and two symbolic characters is excluded, the maximum alpha is 12. As a quick calculation you have reduced prior entropy for 16 characters from 98 to 86. That is, you have made it about 4000 times easier to crack, turned a 16 character password into a 14 character one, for no obvious reason. Why is this a good idea?

You assume they have no clue to your method. Humans are non-random in their choices. If I as an attacker had an inkling, why would I not choose the 4000x easier attack first?