When forced to create unique passwords, many users adopt a schema for creating passwords. A tool to compare substring reuse between stored passwords would help identify such less-secure practices and encourage use of the password generator function.
For example, I’d like a report to tell me if one of my users was doing the following:
Google password: 9@g8Jgoogle7,4
Microsoft password: 9@g8Jmicrosoft7,4
Steam password: 9@g8Jsteam7,4
Please note that these examples use the name of the website, but the detection should be for the reused password substrings (though references to the website itself would be an excellent report as well).
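To make the requested report concrete, here is an added example (written for this thread, not Bitwarden's own code) of the comparison it describes: every pair of vault items is checked for shared fragments of at least three characters, items connected by shared fragments are clustered into one "schema" group, and items whose own name appears in their password are listed separately, as the post suggests. It assumes the decrypted vault is available as a list of (item name, password) pairs; SAMPLE_VAULT is constructed data that reproduces the schema from the post.

```python
"""Flag shared substrings between stored passwords (an added example,
not Bitwarden's code).  Assumes the decrypted vault is available as a
list of (item_name, password) pairs; SAMPLE_VAULT is constructed data
that reproduces the schema from the post."""
from itertools import combinations

# Constructed sample vault: three entries follow one schema, one is random.
SAMPLE_VAULT = [
    ("Google", "9@g8Jgoogle7,4"),
    ("Microsoft", "9@g8Jmicrosoft7,4"),
    ("Steam", "9@g8Jsteam7,4"),
    ("Bank", "Tq7!vR2#kL9pZx"),  # generator output; should not be flagged
]


def shared_substrings(a: str, b: str, min_len: int = 3) -> list[str]:
    """Return the maximal substrings of length >= min_len that occur in both
    a and b.  Brute force is fine here: passwords are short."""
    found = set()
    for i in range(len(a)):
        for j in range(i + min_len, len(a) + 1):
            if a[i:j] in b:
                found.add(a[i:j])
    # Drop fragments that are contained in a longer shared fragment.
    maximal = [s for s in found if not any(s != t and s in t for t in found)]
    return sorted(maximal)


def audit_reuse(vault, min_len: int = 3) -> list[dict]:
    """Pairwise comparison of every item; one finding per pair that shares
    at least one fragment of min_len or more characters."""
    findings = []
    for (name_a, pw_a), (name_b, pw_b) in combinations(vault, 2):
        shared = shared_substrings(pw_a, pw_b, min_len)
        if shared:
            findings.append({"items": (name_a, name_b), "shared": shared})
    return findings


def site_name_in_password(vault) -> list[str]:
    """Items whose own name appears (case-insensitively) inside the password."""
    return [name for name, pw in vault if name.lower() in pw.lower()]


def schema_groups(vault, min_len: int = 3) -> list[set[str]]:
    """Cluster items that are connected by shared fragments, so the report
    can say 'these N items appear to follow one schema'."""
    groups = []
    for finding in audit_reuse(vault, min_len):
        a, b = finding["items"]
        hit = [g for g in groups if a in g or b in g]
        merged = {a, b}.union(*hit)
        groups = [g for g in groups if g not in hit] + [merged]
    return groups


if __name__ == "__main__":
    for f in audit_reuse(SAMPLE_VAULT):
        print(f"{f['items'][0]} / {f['items'][1]}: shared {f['shared']}")
    print("site name in password:", site_name_in_password(SAMPLE_VAULT))
    print("schema groups:", schema_groups(SAMPLE_VAULT))
```

Two practical notes: the pairwise comparison is quadratic in the number of items, which is fine for a vault of a few hundred records but would want a smarter index for very large ones, and since the comparison needs plaintext passwords it would have to run client-side on the decrypted vault, never on the server. The three-character threshold is a starting point; raising it reduces noise from coincidental overlaps such as a shared "123".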
I just wanted to suggest an alternative idea. I assume that your goal is to educate users who engage in practices such as the one you illustrated that they should be using Bitwarden’s passphrase generator to create unique, random passwords for each site. Would a feature that flags any passwords that were not generated by Bitwarden accomplish the same goal?
I think that something like that would be easier to implement, and therefore have a greater chance of seeing the light of day. The app would only need to determine whether or not any deletions were made within the password field after the “generate” & “select” functions were used, and then set or modify the flag accordingly.
The reports could then count the total number (and or percentage) of passwords that were randomly generated.
That would be a great report, but wouldn’t accomplish the same goals. It would be limited to passwords generated after the update, and therefore would require updating passwords for all imports, a significant impediment to user onboarding/adoption.
I’m looking to bring on my entire company (~100 users), and am trying to reverse decades of mixed password hygiene.
Let’s take my personal vault, for example. I only recently imported a few hundred records from KeePass, with stored passwords predating KeePass’ inception in 2003. I had some seriously dumb passwords back then, and had several schemas I used over the years. I believe I got them all, but an automated tool would not only flag records for me, but could help me help my users transition into Bitwarden.
Very good idea! I used to have the same “technique” to generate passwords in the past. Now that I use a password manager, I would like to see in an instant which passwords are weak, to change them.
Of course, I could go through all of them, but this would be very tedious.
This paper (section IV) tackles the problem in three different ways, but it seems to still be an open research question.
At the very least, I would like to be able to search for all passwords that match a specific phrase. Being able to expand that phrase to include shifted keys such as 1 and !, 4 and $, based on the system region, current keyboard layout, and optional selectable keyboard layout would be golden for that type of search. This way P4$$w)rD#- and p$4$W0Rd2! would match a query for all passwords containing variations of “p444w0rd” if a typical English/US keyboard is used or optionally selected.
This would help identify passwords that were created under older advice schemes where you would essentially use the same manually generated password typed slightly differently using the shift key, potentially with some sort of iteration added onto it, or help you find passwords that included some sort of abbreviation for the system or site + the same old password you’ve been using for 20 years, like BWp4$$w0rd or something like that for BitWarden but prefacing with MS instead of BW for Microsoft.
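As an added illustration of the shift-key-aware search described in the last two posts (written for this thread, not Bitwarden's code): each character is mapped to the unshifted key on the same keycap and lowercased, then the normalised query is looked for inside each normalised password, so "P4$$w)rD#-", "p$4$W0Rd2!" and "BWp4$$w0rd" all match a query for "p444w0rd". The US/English mapping is hard-coded; the layout is passed as a plain dict so another layout could be supplied (an assumed interface, not anything Bitwarden exposes), and SAMPLE_VAULT is constructed data.

```python
"""Shift-key-aware vault search (an added example, not Bitwarden's code).
US_SHIFT maps each shifted key on a US/English layout to its unshifted
key; other layouts can be passed in as another dict (assumed interface).
SAMPLE_VAULT is constructed data."""

# US/English keyboard: shifted symbol -> unshifted key on the same keycap.
US_SHIFT = {
    "!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
    "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
    "|": "\\", ":": ";", '"': "'", "<": ",", ">": ".", "?": "/", "~": "`",
}

# Constructed sample vault: three shift/abbreviation variants of one old
# password plus one generated password that must not match.
SAMPLE_VAULT = [
    ("Old forum", "P4$$w)rD#-"),
    ("Webmail", "p$4$W0Rd2!"),
    ("Bitwarden", "BWp4$$w0rd"),  # site abbreviation + the old password
    ("Bank", "Tq7!vR2#kL9pZx"),   # generated; must not match
]


def normalize(text: str, layout: dict = US_SHIFT) -> str:
    """Collapse shift-key variants: map each shifted symbol to the key it
    shares a keycap with, then lowercase the letters."""
    return "".join(layout.get(ch, ch) for ch in text).lower()


def search_variants(vault, phrase: str, layout: dict = US_SHIFT) -> list[str]:
    """Names of items whose password, after normalisation, contains the
    normalised phrase.  The query is normalised too, so 'p4$$w0rd' and
    'p444w0rd' are the same search."""
    needle = normalize(phrase, layout)
    return [name for name, pw in vault if needle in normalize(pw, layout)]


if __name__ == "__main__":
    print(normalize("P4$$w)rD#-"))                  # p444w0rd3-
    print(search_variants(SAMPLE_VAULT, "p444w0rd"))  # all but Bank
```

Because the normalisation only folds shifted keys and case, it deliberately leaves digit-for-letter substitutions such as 0 for o alone; the poster's query already uses the digit forms, and folding those as well would be a separate, noisier heuristic. Like any comparison on plaintext passwords, this belongs in the client on the decrypted vault.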