Password Character position indicator

Some sites don’t accept your full password but rather ask you for specific characters, e.g. 3rd, 5th and second last characters. Banks are particularly bad for this kind of behaviour.

Currently, and especially if you’re generating longer passwords, it’s difficult to figure out which character is in which position. The only thing you can really do is manually count, which is tricky. Or worse, copy your password to another application to make counting it easier.

It wouldn’t take much to have a small indicator above or below the cleartext password that highlighted the position of each character. It would ideally have alternating shading on even and odd placed characters for quick readability as well.

Frankly, i would change any service provider, who does this. I can’t imagine how they would store your password safely and still be able to verify single characters.

This feature is not needed, provider need to stop this.

I don’t disagree that it’s annoying and there are questions on how it’s implemented on their end, but that doesn’t mean I have a choice in it.

Specifically banks tend to do this (and they often pair the above password with some kind of “memorable information” which you enter whole, which I can only hope is stored correctly). I’m in the UK and I actually don’t know of a single bank here that doesn’t operate this way. What’s more it’s not always easy to switch banks, where you might have say savings or a significant mortgage you’re locked into (or simply can’t get similar rates for).

However, it’s not Bitwarden’s job to police poor security from vendors, otherwise why bother specifying what characters are allowed or what password length to generate to - if the providers is doing it correctly, it shouldn’t Matter - right?

We live in a time where passwords aren’t properly handed in many, possibly even the majority, of cases. It’s up to Bitwarden and co to address these issues, not ignore them.

Sorry to hear, that you guys have no choice.

I understand the compare you are trying to make, on the other hand i think that would be a feature for a few people, that supports security by obscurity. I don’t see it happen.

As constructive idea how to help you, I’m just thinking about a system how to generate the passwords for this kind of services. Maybe you could add symboles to your password to make it more readable. Like a dot on ever 5th position or something (should not weaken a 20+ digit password too bad).
That would be a quick idea how I would try to deal with it.

Unfortunately Pavel that solution would greatly weaken the strength of the password. Aside from the fact that changing the password itself is a bad idea, there’s a risk that upon login the system might prompt for the 5th, 10th and 15th character of the password - giving your attacker a 1/60 (or so) chance of logging in.

That’s far too great a risk, even if the chances of it happening are relatively low. Anything affecting the entropy of the password (and in this case, especially individual characters within the password) would be an absolute non-starter.

I don’t understand the opposition to such a feature. You’re not in any way compromising the password itself - the position of each character is just as secure as it was before (i.e. hidden/unknown when the password isn’t shown and clearly visible when the password is shown). This feature is purely for convenience, ease of use and - crucially - accessibility.

Consider that in most cases, you shouldn’t ever need to view your password at all - just copy and paste it (or autofill if that’s your jam), one could argue that you don’t need a “show password” button at all - but there are clearly cases when it is important to view the password. Bitwarden already highlights numerals and symbols in different colours to make reading them easier, so it’s merely an extension of that concept.

not so much opposition as realism. there are so many good feature requests in this forum. but it seems like development is kinda slow. with the needed level of prioritization, this feature kind of vanishes to irrelevance in my opinion.

I appreciate that there are (arguably) more important feature requests on this forum. I am not trying to suggest that this should be a number 1 priority or anything. However, that doesn’t invalidate this (or any other) request. Small quality of life improvements like this are just as valid as major requests.

Sure, but you need people to vote for your request to get it up in priority as far as i know. I just don’t see that happen.

That’s fine, I suppose? It might take a while and if there’s no interest, then so be it.

1 Like