I’d really like to see Bitwarden remember the particular password generator settings you use for each site. And that includes allowing you to specify a custom set of special characters. Sites vary in all the various requirements but many don’t clearly tell you what those requirements are.
I always want to create the most maximally robust passwords possible, so not knowing the maximum requirements is an obstacle, and having to configure the generator each time once I do know them is cumbersome.
This feature is important because it’s good practice to change your passwords on some relatively frequent basis, and thus the process for doing that should be made as easy as possible, or you won’t bother doing it.
Debatable. It was recommended for a long time, but tends not to be recommended these days. Current thinking is that they should only be changed if they are breached.
@Davidz I work at a large global bank where information security is at the forefront of everything we do. Passwords are changed every 3 months. So I’m interested to know whose current thinking you cite.
In any case, this is a digression from the point made by @JerryL. There are all kinds of reasons that someone might want to change their password, and it’s BitWarden’s job to make that as easy as possible.
Peter_H: If you are still a fan of this “change your password”-idea, please take a look at this: Nist.gov: “Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
If you search for this recommendation across other sources you will find that the issue is to not mandate the periodic change in order to avoid users cutting corners by simply appending a suffix or other minor variation to their previous password. But that’s not relevant when you’re using a password manager with a generator, like BitWarden. It’s easy enough to simply auto-generate a new completely different and robust password. The point of my feature request is to have BitWarden facilitate this operation by remembering the maximum requirements for each login.
Actually, in your original post you said the point was this:
And I think @Peter_H was just trying to provide some rationale and evidence to why this old guidance has changed, which is constructive.
Regardless, many organizations still apply this dated policy, so I see the need to facilitate it. I hope you garner support for your request so that it will be considered.
dh024: Again, the problem is with organizations mandating the policy in the absence of an easy, automatic way to generate new robust passwords. The guidance seems to have changed only in recognition that users will otherwise take counterproductive short-cuts.
But users armed with an easy to use password generator wouldn’t be so easily led to take such shortcuts, and suffixing an already inscrutable, hard to remember password makes no sense. Under these circumstances, changing passwords on some frequent basis is then still good policy.
BitWarden should step up and take the initiative to make the frequent and robust changing of passwords as easy as possible.
The key word in that recommendation is memorized. We’re using a password manager here, human memory is not involved.
The password manager needs to make it as easy as possible, which is the point.
Background:
I am coming from PasswordSafe and an enterprise environment. One thing PasswordSafe does well is allow you to define a “password generator” per item or give it a name and use it across items.
Key Features:
Ability to define a generator and give it a name.
Ability to assign generator to a specific item
Generator would define:
Required Minimum Length
Which character sets to use (Upper, lower, numbers, symbols)
Which symbols are allowed
++Bonus - ability to assign to a folder and all items below it get that generator.
When you click generate password for an item, it uses the given generator.
Benefits:
Provide consistent passwords that meet minimum requirements across application categories:
For instance, we may have service accounts that have to be a minimum of 30 characters, but no symbols are allowed. Other accounts can only be a maximum of 16 characters, but #$%^ are allowed as symbols and you must have 2.
Once the generator is set for an item, the single click “Generate Password Icon” will result in a new password that meets the criteria. No need to remember what the criteria for that item / category of item is, no need to go edit it and make a mistake, by only making it 20 characters instead of 30 due to a typo.
In an enterprise environment some applications only allow certain types of passwords (length, complexity, certain characters, etc). This solves the problem by defining the generator for all passwords needed for that application.
Related topics + references
See PasswordSafe. It basically has this ability, except the ability to apply it to a folder and every child item automatically gets it.
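To make the per-item generator idea in Scott's post concrete, here is an added example (my own code, not Bitwarden's or PasswordSafe's) of a policy object that records exactly the settings the post lists: minimum and maximum length, which character classes to use, which symbols the site allows, and how many of each class are required. The generator satisfies each minimum first, fills the rest from the union of allowed characters, and shuffles with an OS-backed CSPRNG; a separate `complies()` check lets a vault verify a stored or imported password against the same policy. The two policy objects at the bottom are the service-account and legacy-app cases from the post; the values not stated there (a 64-character maximum for the service account, an 8-character minimum for the legacy app) are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from random import SystemRandom
from typing import List, Optional, Tuple

# Constructed example: a per-login generator policy of the kind the thread asks
# the vault to remember. Field names are hypothetical, not a Bitwarden API.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    use_upper: bool = True
    use_lower: bool = True
    use_digits: bool = True
    symbols: str = ""      # the site's allowed symbol set; "" means symbols are forbidden
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_symbols: int = 0

    def classes(self) -> List[Tuple[int, str]]:
        """Enabled character classes as (required count, alphabet) pairs."""
        out = []
        if self.use_upper:
            out.append((self.min_upper, string.ascii_uppercase))
        if self.use_lower:
            out.append((self.min_lower, string.ascii_lowercase))
        if self.use_digits:
            out.append((self.min_digits, string.digits))
        if self.symbols:
            out.append((self.min_symbols, self.symbols))
        return out

    def validate(self) -> None:
        """Reject self-contradictory policies before any password is produced."""
        classes = self.classes()
        if not classes:
            raise ValueError("policy enables no character class")
        if not 1 <= self.min_length <= self.max_length:
            raise ValueError("need 1 <= min_length <= max_length")
        if ((self.min_symbols and not self.symbols)
                or (self.min_upper and not self.use_upper)
                or (self.min_lower and not self.use_lower)
                or (self.min_digits and not self.use_digits)):
            raise ValueError("a minimum count is set for a class the site forbids")
        if sum(n for n, _ in classes) > self.max_length:
            raise ValueError("required character counts exceed max_length")


_rng = SystemRandom()  # os.urandom-backed, so the shuffle below is CSPRNG-driven


def generate(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Return a password satisfying `policy`; defaults to the longest the site allows."""
    policy.validate()
    if length is None:
        length = policy.max_length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length is outside the site's bounds")
    classes = policy.classes()
    # 1. Satisfy every per-class minimum first ...
    chars = [secrets.choice(alphabet) for count, alphabet in classes for _ in range(count)]
    if len(chars) > length:
        raise ValueError("requested length is too short for the required counts")
    # 2. ... then fill the remainder from the union of everything the site allows ...
    pool = "".join(alphabet for _, alphabet in classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # 3. ... and shuffle so the required characters are not clustered at the front.
    _rng.shuffle(chars)
    return "".join(chars)


def complies(password: str, policy: PasswordPolicy) -> bool:
    """Check a password against a policy (what a vault could run on import or rotation)."""
    classes = policy.classes()
    pool = set("".join(alphabet for _, alphabet in classes))
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    if any(c not in pool for c in password):
        return False
    return all(sum(c in alphabet for c in password) >= count for count, alphabet in classes)


# The two cases from the post above, as constructed policy objects (64 and 8 are assumed):
SERVICE_ACCOUNT = PasswordPolicy(min_length=30, max_length=64, symbols="")
LEGACY_APP = PasswordPolicy(min_length=8, max_length=16, symbols="#$%^", min_symbols=2)

if __name__ == "__main__":
    for name, policy in (("service account", SERVICE_ACCOUNT), ("legacy app", LEGACY_APP)):
        pw = generate(policy)
        print(f"{name}: {len(pw)} chars, compliant={complies(pw, policy)}: {pw}")
```

Storing one such object per login (or per folder, as the post's bonus item suggests) is all the "remember the settings" feature needs; `generate(policy)` then yields the longest compliant password by default, and `validate()` catches a policy that asks for symbols a site forbids before the user ever sees a rejected sign-up form.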
I agree with Scott and his post. I also have been using PasswordSafe for a couple years. I have more than a dozen banking and other sites that all require different minimum and maximum password lengths. They also accept different sets of special characters. There is no way I can use a single, common password generator since I would have to remember the set of special characters that each web site allows and enter that information before I could generate a password.
Like Scott, I also would like to see the password generator associated with each password entry just like PasswordSafe.
In order to use more secure passwords, I have been using the password generator in PasswordSafe for most new passwords. With numerous sites allowing different special characters, using a single, global password generator is not feasible as in Bitwarden.
If I create a new account, I normally would use the max password length of 128 characters. The big issue is, some websites don’t allow so many characters in a password. Most of the time the sign-up form says that the password is too long, and then I can just change it to a password with fewer characters. But I’ve also had instances where the sign-up form didn’t return an error and just made an account. But when I then would try to log in with that password, it wouldn’t work. This has happened multiple times and I suspect that it was because the password was too long.
Possible solution
Maybe there could be a button in the extension where you can report the max length of a password per URL. Then, when someone else wants to make a new account with that URL, they get a warning about the max password length, and they can give a thumbs up if this is correct and a thumbs down if it is not correct.
Apple has an open source project that has the same goals (documenting password rule quirks), but your idea to crowd-source the collection of rules is interesting.
I will list below several other Feature Requests related to the ultimate goal of being able to generate random passwords that are compliant with different websites’ idiosyncratic password policies. Some of these should probably be merged, but your suggestion may be sufficiently different that it should stand as its own request. I’ll let you and/or the mods decide about that. Here are the related topics that I could find:
It’s taking a long time for Bitwarden to address this problem and I don’t quite understand why. The simplest and most reliable thing, IMO, is to store the generator settings with each login, as I suggested in my post which you cited,
Thanks for the feedback @JerryL. Rather than reluctance, it comes down to there being a large number of feature requests for the team to consider/implement. Rest assured the team is aware of the feedback.
@bw-admin I understand. So, is there a roadmap available somewhere that lays out the order and priority of feature requests to help assuage one’s frustration a bit? There are a number of other issues I and others have been patiently waiting on.
I came here to suggest something similar so I’m voting for this request.
The idea I have, coming mostly as an individual private premium user, is to make the password vault automatically keep the parameters used when a password was last generated with the entry so the next time a user wants to “rotate” the password the parameters are already set the same as last time.
An extra nice to have could be that Bitwarden will suggest a default parameter set for sites and apps it was taught about by the community (being careful not to propose unusually unsafe suggestions).