I’d really like to see Bitwarden remember the particular password generator settings you use for each site. And that includes allowing you to specify a custom set of special characters. Sites vary in all the various requirements but many don’t clearly tell you what those requirements are.
I always want to create the most maximally robust passwords possible, so not knowing the maximum requirements is an obstacle, and having to configure the generator each time once I do know them is cumbersome.
This feature is important because it’s good practice to change your passwords on some relatively frequent basis, and thus the process for doing that should be made as easy as possible, or you won’t bother doing it.
@Davidz I work at a large global bank where information security is at the forefront of everything we do. Passwords are changed every 3 months. So I’m interested to know whose current thinking you cite.
In any case, this is a digression from the point made by @JerryL. There are all kinds of reasons that someone might want to change their password, and it’s BitWarden’s job to make that as easy as possible.
Peter_H: If you are still a fan of this “change your password” idea, please take a look at this: Nist.gov: “Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
If you search for this recommendation across other sources you will find that the issue is to not mandate the periodic change in order to avoid users cutting corners by simply appending a suffix or other minor variation to their previous password. But that’s not relevant when you’re using a password manager with a generator, like BitWarden. It’s easy enough to simply auto-generate a new completely different and robust password. The point of my feature request is to have BitWarden facilitate this operation by remembering the maximum requirements for each login.
dh024: Again, the problem is with organizations mandating the policy in the absence of an easy, automatic way to generate new robust passwords. The guidance seems to have changed only in recognition that users will otherwise take counterproductive short-cuts.
But users armed with an easy-to-use password generator wouldn’t be so easily led to take such shortcuts, and suffixing an already inscrutable, hard-to-remember password makes no sense. Under these circumstances, changing passwords on some frequent basis is then still good policy.
BitWarden should step up and take the initiative to make the frequent and robust changing of passwords as easy as possible.
If I create a new account, I normally would use the max password length of 128 characters. The big issue is, some websites don’t allow so many characters in a password. Most of the time the sign-up form says that the password is too long, and then I can just change it to a password with fewer characters. But I’ve also had instances where the sign-up form didn’t return an error and just made an account. But when I then would try to log in with that password, it wouldn’t work. This has happened multiple times and I suspect that it was because the password was too long.
Maybe there could be a button in the extension where you can report the max length of a password per URL. Then, when someone else wants to make a new account with that URL, they get a warning about the max password length, and they can give a thumbs up if this is correct and a thumbs down if it is not correct.
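The two ideas above (per-login generator settings with a custom special-character set, and a per-site maximum length) can be sketched as a small policy table driving a generator. This is an added illustration, not Bitwarden code; the site names, the policy dictionary format and the default of 128 characters with full punctuation are assumptions for the example.

```python
import secrets
import string

# Constructed per-site generator settings (hypothetical format, not Bitwarden's):
# maximum length the site accepts, which specials it allows, and minimum class counts.
SITE_POLICIES = {
    "example-bank.test": {"length": 20, "specials": "!@#$%", "min_special": 1, "min_digit": 1},
    "example-shop.test": {"length": 12, "specials": "", "min_special": 0, "min_digit": 1},
}

# Fallback when nothing is remembered for a site: longest, widest character set.
DEFAULT_POLICY = {"length": 128, "specials": string.punctuation,
                  "min_special": 1, "min_digit": 1}


def policy_for(site):
    """Return the remembered generator settings for a site, or the default."""
    return SITE_POLICIES.get(site, DEFAULT_POLICY)


def complies(password, policy):
    """Check a password against a site policy (length, alphabet, class minimums)."""
    alphabet = string.ascii_letters + string.digits + policy["specials"]
    if len(password) != policy["length"]:
        return False
    if any(c not in alphabet for c in password):
        return False
    specials = sum(c in policy["specials"] for c in password) if policy["specials"] else 0
    digits = sum(c in string.digits for c in password)
    return specials >= policy["min_special"] and digits >= policy["min_digit"]


def generate(policy):
    """Generate a password uniformly from the policy's alphabet, rejecting draws
    that miss the class minimums so no position is biased toward a class."""
    if policy["min_special"] > 0 and not policy["specials"]:
        raise ValueError("policy requires specials but allows none")
    alphabet = string.ascii_letters + string.digits + policy["specials"]
    for _ in range(10_000):  # rejection sampling; loop bound guards against bad policies
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if complies(candidate, policy):
            return candidate
    raise RuntimeError("policy could not be satisfied")


if __name__ == "__main__":
    for site in ("example-bank.test", "example-shop.test", "unknown.test"):
        print(site, len(generate(policy_for(site))))
```

Storing the policy with the login is what makes a later regeneration (the password-rotation case discussed above) a one-click operation instead of a reconfiguration.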
Apple has an open source project that has the same goals (documenting password rule quirks), but your idea to crowd-source the collection of rules is interesting.
I will list below several other Feature Requests related to the ultimate goal of being able to generate random passwords that are compliant with different websites’ idiosyncratic password policies. Some of these should probably be merged, but your suggestion may be sufficiently different that it should stand as its own request. I’ll let you and/or the mods decide about that. Here are the related topics that I could find:
It’s taking a long time for Bitwarden to address this problem and I don’t quite understand why. The simplest and most reliable thing, IMO, is to store the generator settings with each login, as I suggested in my post which you cited,
Thanks for the feedback @JerryL. Rather than reluctance, it comes down to there being a large number of feature requests for the team to consider/implement. Rest assured the team is aware of the feedback.
@dwbit I understand. So, is there a roadmap available somewhere that lays out the order and priority of feature requests to help assuage one’s frustration a bit? There are a number of other issues I and others have been patiently waiting on.