Remember Password Generator Settings for Each Login

I’d really like to see Bitwarden remember the particular password generator settings you use for each site. And that includes allowing you to specify a custom set of special characters. Sites vary in all the various requirements but many don’t clearly tell you what those requirements are.

I always want to create the most maximally robust passwords possible, so not knowing the maximum requirements is an obstacle, and having to configure the generator each time once I do know them is cumbersome.

This feature is important because it’s good practice to change your passwords on some relatively frequent basis, and thus the process for doing that should be made as easy as possible, or you won’t bother doing it.

1 Like

Debatable. It was recommended for a long time, but tends not to be recommended these days. Current thinking is that they should only be changed if they are breached.

@Davidz I work at a large global bank where information security is at the forefront of everything we do. Passwords are changed every 3 months. So I’m interested to know whose current thinking you cite.

In any case, this is a digression from the point made by @JerryL. There are all kinds of reasons that someone might want to change their password, and it’s Bitwarden’s job to make that as easy as possible.

1 Like

Please take a look at this:

1 Like

Peter_H: If you are still a fan of this “change your password”-idea, please take a look at this: Nist.gov: “Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”

If you search for this recommendation across other sources you will find that the issue is to not mandate the periodic change in order to avoid users cutting corners by simply appending a suffix or other minor variation to their previous password. But that’s not relevant when you’re using a password manager with a generator, like Bitwarden. It’s easy enough to simply auto-generate a new completely different and robust password. The point of my feature request is to have Bitwarden facilitate this operation by remembering the maximum requirements for each login.

1 Like

Actually, in your original post you said the point was this:

And I think @Peter_H was just trying to provide some rationale and evidence to why this old guidance has changed, which is constructive.

Regardless, many organizations still apply this dated policy, so I see the need to facilitate it. I hope you garner support for your request so that it will be considered.

2 Likes

dh024: Again, the problem is with organizations mandating the policy in the absence of an easy, automatic way to generate new robust passwords. The guidance seems to have changed only in recognition that users will otherwise take counterproductive short-cuts.

But users armed with an easy to use password generator wouldn’t be so easily led to take such shortcuts, and suffixing an already inscrutable, hard to remember password makes no sense. Under these circumstances, changing passwords on some frequent basis is then still good policy.

Bitwarden should step up and take the initiative to make the frequent and robust changing of passwords as easy as possible.

1 Like

The key word in that recommendation is memorized. We’re using a password manager here; human memory is not involved.
The password manager needs to make it as easy as possible, which is the point.

1 Like

The problem:

If I create a new account, I normally would use the max password length of 128 characters. The big issue is, some websites don’t allow so many characters in a password. Most of the time the sign-up form says that the password is too long, and then I can just change it to a password with fewer characters. But I’ve also had instances where the sign-up form didn’t return an error and just made an account. But when I then would try to log in with that password, it wouldn’t work. This has happened multiple times and I suspect that it was because the password was too long.

Possible solution

Maybe there could be a button in the extension where you can report the max length of a password per URL. Then, when someone else wants to make a new account with that URL, they get a warning about the max password length, and they can give a thumbs up if this is correct and a thumbs down if it is not correct.

1 Like
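A sketch of what the opening request and the maximum-length post above are asking for, added here as an illustration and not taken from Bitwarden's code: generator settings (length limit, character classes, custom special characters) stored per login and reused on rotation. The `GeneratorSettings` structure, the `SAVED` mapping and the site names are hypothetical.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class GeneratorSettings:
    """Generator settings saved with one login (hypothetical, not Bitwarden's schema)."""
    length: int = 128            # the site's maximum accepted length
    lowercase: bool = True
    uppercase: bool = True
    digits: bool = True
    special: str = "!@#$%^&*"    # custom special-character set; "" disables specials

    def pools(self) -> list:
        classes = ((self.lowercase, string.ascii_lowercase),
                   (self.uppercase, string.ascii_uppercase),
                   (self.digits, string.digits),
                   (bool(self.special), self.special))
        return [chars for enabled, chars in classes if enabled]

def generate(settings: GeneratorSettings) -> str:
    pools = settings.pools()
    if not pools or settings.length < len(pools):
        raise ValueError("length too short for the enabled character classes")
    # One character from every enabled class, so "must contain" rules are met.
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(dict.fromkeys("".join(pools)))  # de-duplicated, order kept
    chars += [secrets.choice(alphabet) for _ in range(settings.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle hides the fixed slots
    return "".join(chars)

def complies(password: str, settings: GeneratorSettings) -> bool:
    """True if a site with these limits would accept the password unmodified."""
    allowed = set("".join(settings.pools()))
    return len(password) <= settings.length and set(password) <= allowed

# Constructed sample entries; the site names are placeholders.
SAVED = {
    "bank.example": GeneratorSettings(length=20, special="-_."),
    "legacy.example": GeneratorSettings(length=12, uppercase=False, special=""),
}

def rotate(site: str) -> str:
    """Generate a replacement password with the settings remembered for this login."""
    return generate(SAVED.get(site, GeneratorSettings()))
```

`complies` is the check that would flag the silent-truncation case before sign-up: a 128-character default password fails it against a login whose remembered limit is 20.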

Apple has an open source project that has the same goals (documenting password rule quirks), but your idea to crowd-source the collection of rules is interesting.

I will list below several other Feature Requests related to the ultimate goal of being able to generate random passwords that are compliant with different websites’ idiosyncratic password policies. Some of these should probably be merged, but your suggestion may be sufficiently different that it should stand as its own request. I’ll let you and/or the mods decide about that. Here are the related topics that I could find:

1 Like

It’s taking a long time for Bitwarden to address this problem and I don’t quite understand why. The simplest and most reliable thing, IMO, is to store the generator settings with each login, as I suggested in my post which you cited,

Remember Password Generator Settings for Each Login

What exactly is the reluctance to do this? That storing this information would increase the size of the vault? Or what?

Thanks for the feedback, @JerryL. Rather than reluctance, it comes down to there being a large number of feature requests for the team to consider/implement. Rest assured the team is aware of the feedback.

1 Like

@bw-admin I understand. So, is there a roadmap available somewhere that lays out the order and priority of feature requests to help assuage one’s frustration a bit? There are a number of other issues I and others have been patiently waiting on.

Hey @JerryL, here is the roadmap, typically updated per quarter with any changes.