How to create more complex password recipes

Hello,

I have some sites that have custom password requirements, say, where only “certain” special characters are allowed (others fail the new password) and where you can’t have the same character sequentially repeated. Sadly though, I still have to deal with these sites several times per year to change my already-strong password (more silliness!).

Therefore, now that I’m considering using Bitwarden, I wanted to ask if it could create custom passwords (using a custom recipe) – per login.

For example, one site I have to deal with has these (silly, IMHO) requirements.

Passwords must be 12 to 30 characters in length and comply with the following:

  • Must contain at least one uppercase letter (A, B, C, etc.)
  • Must contain at least one lowercase letter (a, b, c, etc.)
  • Must contain at least one number (1, 2, 3, etc.)
  • Must contain at least one of the following characters (!, @, #, $, *, +, -)
  • Must not contain double characters (no two consecutive characters can be the same)
  • Must not be the same as any of the five previous passwords used

Can Bitwarden (or any password manager) handle these requirements? These forced password requirements are only for a single login, not my requirement for default logins. I have no idea why these sites have such silly password requirements, but using any password manager I have tried thus far means the generated password will FAIL and I spend five or ten minutes tweaking the password so the site will accept it.

There are other sites that have similarly silly restrictions, but they are different than the above, so I would want to save a special password recipe for that login. And, again, these recipes would be for that login and not the default.

KeePassXC comes close but it won’t store a custom password recipe by login and it has no provision that I found to keep from having sequential repeated characters.

Thanks in advance!

Hello @computing and welcome to the Community!

Bitwarden’s Password Generator can handle what you describe except for limiting the special characters that are allowed. You can turn special characters on or off, but that is it.

I have also wished that I could enable or disable specific special characters to make it easier to generate new passwords. What I do instead is generate new passwords and then replace any special characters that are not allowed with allowable special characters.

Other than that, I really like the Password Generator. You can even use it to generate unique usernames including unique email addresses as usernames if you like.

You can find the details of Bitwarden’s Password Generator here:

I encourage you to try it for yourself because it is fun to play with!

It also can’t enforce rules like the following:

I actually assumed that the double character restriction was automatic. I guess I’ve just been lucky that I haven’t seen it in any of my generated passwords. :slightly_smiling_face:

It’s not enforced. However, as you surmised, it occurs with low (but non-negligible) frequency. Using the stand-alone online generator to produce passwords consisting of 5 capital letters, I had to regenerate only 9 times before it produced WWCSM.

The rule about not re-using previous passwords is non-enforceable in the generator, as well, but here the probability of generating a previously used password is negligible. Even for passwords that consist of 5 capital letters, the probability of repeating one of the 10 most recent passwords would be less than one-in-a-million.

A password manager could surely enforce two consecutive characters not being the same. I understand Bitwarden doesn’t do that, but it’s simple enough to code it.

Not using the same password as before isn’t an issue as you pointed out since you’d just create a new one and the odds of it being the same as the old one are as close to zero as you can get.

Right, but that generator doesn’t address the issues I raised.

Thanks for your reply.

The problem is not coding the rule. The problem is identifying what idiosyncratic rules a specific website is enforcing. There is a proposal to use HTML attributes on registration forms to allow a password manager app to identify the rules being enforced by different websites, but I doubt this will catch on anytime soon.

That proposal would be cool.

IAC, I wasn’t trying to make a big issue of this. I’m just between deciding 1Password (which I’ve used) and Bitwarden (which I hear so much good about).

I’m having a difficult time, regardless of encryption, etc., deciding to store my passwords online.

I appreciate your replies! :slight_smile:

Thanks

There is also a specific feature request for manually selecting Special Characters:

For this to be useful for me, each login would offer its own password “recipe” where you could (optionally) define exactly what special characters could be used. Maybe also allowing you to enter a regular expression to further define what could or couldn’t be in the password. This sounds a bit like overkill since most sites have their act together password wise.

I’m trying to use Yubico and avoid passwords altogether, but until this catches on universally, we’re still stuck with passwords and TOTP.
Thanks
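
Added example, not part of any post in this thread and not Bitwarden's code: a generator for the site policy quoted in the first post, together with the two probabilities discussed in the replies (a doubled character, and a repeat of a recent password). All constant and function names are assumptions made for this sketch; the password-history rule is left to chance, as the replies describe.

```python
import secrets
import string

# Policy quoted in the first post (names are this example's, not Bitwarden settings).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$*+-"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LEN, MAX_LEN = 12, 30


def meets_policy(pw: str) -> bool:
    """Check every rule from the quoted policy except password history."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    if any(c not in ALPHABET for c in pw):
        return False
    if any(a == b for a, b in zip(pw, pw[1:])):
        return False
    return all(any(c in group for c in pw) for group in (UPPER, LOWER, DIGITS, SPECIAL))


def generate(length: int = 20) -> str:
    """Draw uniformly from the allowed alphabet with a CSPRNG and reject
    candidates that break a rule, so every compliant password is equally likely."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the site's 12-30 range")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def p_adjacent_repeat(alphabet_size: int, length: int) -> float:
    """Chance that a uniformly random string has at least one doubled character."""
    return 1 - ((alphabet_size - 1) / alphabet_size) ** (length - 1)


def p_reuse(alphabet_size: int, length: int, history: int) -> float:
    """Chance that a fresh random password equals one of `history` earlier ones."""
    return history / alphabet_size ** length


if __name__ == "__main__":
    print(generate())
    print(round(p_adjacent_repeat(26, 5), 3))  # the 5-capital-letter case from the thread
    print(p_reuse(26, 5, 10))
```

Rejection sampling keeps the distribution uniform over compliant passwords, whereas patching a failed candidate by hand or swapping characters skews it slightly.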