Improve random password generation

I’ve noted that random password generation, in Bitwarden, doesn’t include some symbols.

( { } [ ] ( ) / \ ’ " ` ~ , ; : . <>)+|£€?

Why have you excluded them? Why don’t you make random password generation “more random” by adding them? You could give the user the possibility to include or exclude these symbols as you do with other symbols.

I think those were not listed because the random special symbols already apply for a high password entropy for brute-force attacks.

However, customizing your own character set wouldn’t be a bad idea. I’m not sure if Kyle would agree with this though.

What do you mean with “random special symbols already apply”? During PBKDF? Because KDFs require an input password with an already high entropy to be effective. If you choose an easy password you are not safe even if you use a KDF.

Nope. I meant that the current available character set already does a “decent” job. But if you want to improve that by adding more complex symbols just to increase the strength and entropy, fine.

But I guess Kyle didn’t place those characters in specific for a lazy reason, not at all.

I’m not here to talk whether passwords are stronger or not. I’d use http://xkpasswd.net as an example. If it could be based on that kind of generation, it would be fair for me.
Although the master password is not something I change frequently. Also because it requires some time and practicing to memorize and keep them in mind.

I find it much more convenient to use a simple character set, such as all lowercase alphabetic.

For more randomness, increase the length.

There are some benefits to not using special characters. Copy-and-paste becomes more reliable, because you will not accidentally leave a substring out due to a special character being interpreted as a word boundary. On rare occasions, when you need to enter a password manually on a small-screen device, you will be less likely to make a typographical error.

If you encounter a website that requires special characters, just include one or two manually.

If you let the user choose if the new symbols will be included or not, I can’t see the problem. For the length I agree with you but many websites limit the password length so you have to increase the entropy as you can.

+1 to have the option to include a larger symbol set for password generation.

Many sites limit the use of special symbols, so the set of Bitwarden is mostly compatible. More characters would break a lot of sites.

I think this answers my question then, but just to make sure. Is there no way I can set what characters are and are not used in the password? I was sure I was just missing where to configure it somewhere… Some of my sites do not allow any special characters ([email protected]# etc.), some require it. Some require upper and lower case. Some require shorter lengths, some require longer. I’m used to KeePass where I can set every single aspect of the random generator.

In the browser add-on you can select which kind of characters should be used… I don’t see the point?
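
The trade-off argued in this thread (a larger symbol set versus a longer password, with a set the user can include or exclude from), as an added example that is not part of the original posts and is not Bitwarden's code. The character groups and function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed character groups for illustration; not Bitwarden's actual sets.
LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits
BASIC_SYMBOLS = "!@#$%^&*"
EXTENDED_SYMBOLS = "{}[]()/\\'\"`~,;:.<>+|?"


def build_charset(*groups, exclude=""):
    """Merge groups into one de-duplicated alphabet, minus site-forbidden chars."""
    chars = dict.fromkeys("".join(groups))  # keeps order, drops duplicates
    for ch in exclude:
        chars.pop(ch, None)
    return "".join(chars)


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)


def length_for_bits(charset_size, target_bits):
    """Shortest length that reaches target_bits with this alphabet size."""
    return math.ceil(target_bits / math.log2(charset_size))


def generate(charset, length, required_groups=()):
    """Draw each character with the OS CSPRNG; redraw the whole password until
    every required group appears, so compliant passwords stay equally likely.
    Enforcing groups removes candidates, so entropy_bits() is an upper bound."""
    usable = [set(g) & set(charset) for g in required_groups]
    if length < len(usable) or not all(usable):
        raise ValueError("required groups cannot be satisfied")
    while True:
        pw = "".join(secrets.choice(charset) for _ in range(length))
        if all(any(c in g for c in pw) for g in usable):
            return pw


if __name__ == "__main__":
    for name, cs in [("lowercase only", LOWER),
                     ("alnum + basic symbols", build_charset(ALNUM, BASIC_SYMBOLS)),
                     ("alnum + all symbols",
                      build_charset(ALNUM, BASIC_SYMBOLS, EXTENDED_SYMBOLS))]:
        n = length_for_bits(len(cs), 80)
        print(f"{name:22} size={len(cs):3} length for 80 bits={n:2} "
              f"-> {generate(cs, n)}")
```

At a 16-character site limit, the 91-character alphabet gives about 104 bits against about 98 for the 70-character one, while lowercase only reaches 80 bits at 18 characters.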