When forced to create unique passwords, many users adopt a schema for creating passwords. A tool to compare substring reuse between stored passwords would help identify such less-secure practices and encourage use of the password generator function.
For example, I’d like a report to tell me if one of my users was doing the following:
Google password: [email protected]google7,4
Microsoft password: [email protected]microsoft7,4
Steam password: [email protected]steam7,4
Please note that these examples use the name of the website, but the detection should be for the reused password substrings (though references to the website itself would be an excellent report as well).
minor edit: capitalized a letter in the examples.
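As an added illustration of the two checks requested above (shared substrings across passwords, and a site's own name appearing in its password), here is a small Python audit that is neither Bitwarden's code nor the poster's. It assumes the vault is already decrypted locally into a plain site-to-password dict; the sample entries and the base secret "Blue!Sky2024" are constructed stand-ins for the post's examples.

```python
from itertools import combinations

# Constructed sample vault mirroring the schema in the post: one shared base
# secret followed by the site name and a fixed suffix, plus one random password.
SAMPLE_VAULT = {
    "Google": "Blue!Sky2024google7,4",
    "Microsoft": "Blue!Sky2024microsoft7,4",
    "Steam": "Blue!Sky2024steam7,4",
    "Example": "vK7#pq2Lz9$wTn4R",  # generator-style, unrelated to the others
}


def longest_common_substring(a: str, b: str) -> str:
    """Dynamic-programming longest common substring, O(len(a) * len(b))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def reused_substrings(vault: dict, min_len: int = 6) -> list:
    """Return (site_a, site_b, shared) for every pair of entries whose passwords
    share a run of at least min_len characters. min_len is a tunable threshold
    (assumed value); lower it to catch shorter shared fragments."""
    hits = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault.items(), 2):
        shared = longest_common_substring(pw_a, pw_b)
        if len(shared) >= min_len:
            hits.append((site_a, site_b, shared))
    return hits


def site_name_in_password(vault: dict) -> list:
    """Return sites whose own name appears in their password (case-insensitive)."""
    return sorted(site for site, pw in vault.items() if site.lower() in pw.lower())


if __name__ == "__main__":
    for site_a, site_b, shared in reused_substrings(SAMPLE_VAULT):
        print(f"{site_a} and {site_b} share {shared!r}")
    print("site name inside password:", site_name_in_password(SAMPLE_VAULT))
```

A real report would run this over the whole vault after decryption and group entries by the shared fragment, so one schema shows up as a single finding rather than one line per pair.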
I just wanted to suggest an alternative idea. I assume that your goal is to educate users who engage in practices such as the one you illustrated that they should be using Bitwarden’s passphrase generator to create unique, random passwords for each site. Would a feature that flags any passwords that were not generated by Bitwarden accomplish the same goal?
I think that something like that would be easier to implement, and therefore have a greater chance of seeing the light of day. The app would only need to determine whether or not any deletions were made within the password field after the “generate” & “select” functions were used, and then set or modify the flag accordingly.
The reports could then count the total number (and or percentage) of passwords that were randomly generated.
That would be a great report, but wouldn’t accomplish the same goals. It would be limited to passwords generated after the update, and therefore would require updating passwords for all imports; a significant impediment to user onboarding/adoption.
I’m looking to bring on my entire company (~100 users), and am trying to reverse decades of mixed password hygiene.
Let’s take my personal vault, for example. I only recently imported a few hundred records from KeePass, with stored passwords predating KeePass’ inception in 2003. I had some seriously dumb passwords back then, and had several schemas I used over the years. I believe I got them all, but an automated tool would not only flag records for me, but could help me help my users transition into Bitwarden.
Very good idea! I used to have the same “technique” to generate passwords in the past. Now that I use a password manager, I would like to see in an instant which passwords are weak so I can change them.
Of course, I could go through all of them, but this would be very tedious.
This paper (section IV) tackles the problem in three different ways, but it seems to still be an open research question.