keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Support for password generator profiles #19

Closed t4777sd closed 7 years ago

t4777sd commented 8 years ago

In KeePass you can create generator profiles which let you define specific password features such as length, symbols, etc. When generating a password you can select the profile to automatically make a password like that. In KeePassX there is no generator profile, so each password must be set up individually.

mandulaj commented 7 years ago

Question, in KeePass are the profiles saved in the global config file or are they part of the database?

TheZ3ro commented 7 years ago

@zpiman I don't know, I need to test it out but I think they are outside the database. PS: Are you planning to work on this?

mandulaj commented 7 years ago

I just had a look at the KeePass code and it looks like the profiles are stored in the local program configuration... Personally I think it should be part of the database, since knowing one's password profiles can give an attacker an idea about what passwords the owner is using. And yes @TheZ3ro, I am planning to work on this :smile:.

mandulaj commented 7 years ago

@TheZ3ro I notice you did some work on the diceware password generator. Would be nice to integrate it with the password profiles.... I am not yet fully familiar with all the options in the original KeePass password generator, but having something like {diceware}-{diceware}-{diceware}-{diceware} to generate a pattern of 4 random words or simply {diceware: 4} would be very nice. I am going to look more into this.

TheZ3ro commented 7 years ago

@zpiman Yes, I was asking since after the diceware I want to help with/develop the generator profiles

mandulaj commented 7 years ago

@TheZ3ro nice! I would be glad for any help/guidance... How far are you with the diceware?

TheZ3ro commented 7 years ago

@zpiman Almost finished and merged, just 2 UI problems away https://github.com/keepassxreboot/keepassxc/pull/373

mandulaj commented 7 years ago

I think the password generator widget should get a redesign. First of all, high ANSI is not supported yet (I know about #343 and I can't wait :+1: ). It would be nice to have that working first. Next, all special characters are included in one set. I often have the problem that some apps allow, say, a space and others don't. I think the approach of splitting the class into 'minus', 'underscore', 'space', 'special' and 'brackets' that the original KeePass takes is really good. On the other hand, it's nice and neat to only have one button to rule them all. Perhaps we could have some way to quickly enable all of the special sub-classes but also have the ability to toggle each subclass individually. Finally, the widget should also have a text line (similar to KeePass) that gives the user the ability to include other custom characters (ANSI support here would be nice).

I then imagine a separate tab to specify the password using a pattern (see http://keepass.info/help/base/pwgenerator.html) Finally there would be a drop down menu located above the password common to all tabs that lets the user select a Profile or create a new one from the current setup. As I said, personally I would like to store the profiles in the database (Maybe we could add this as an option??? Stop me if I am making this too complicated :smile:).

Internally the setup in every tab would be stored as a pattern. For example, a 10-character password with classes a-z and A-Z would be represented as A{10}, in the 'diceware' tab something like {diceware:5:#} to represent a 5-word password with # as the separator, and in the 'pattern' tab we do not have to do anything. This way all we have to do is write some logic to convert the selected classes (in the 'random' tab) into a pattern, re-implement the password generation code to use these patterns and pass/store everything as patterns.... PATTERNS FOR THE WIN!!!!!

I would be happy to hear what you think about my suggestions.

PS: What do you think @TheZ3ro, should I open this up as a new issue/feature request? Because it is related to the password profiles, however I feel like if we choose to upgrade the password widget, we should work on these features concurrently...

TheZ3ro commented 7 years ago

High ANSI isn't implemented yet, but yes, there will be different buttons for the various character groups.

The password generator UI is already pretty full. I was thinking about a totally new view (like the password generator view) under the "Tools" menu where the user can create new password profiles easily, in a friendly way and with a simple UI. Then in a different tab of the (new) password generator the user can load a profile from the saved ones.

If the KDBX format doesn't provide the option to save password profiles we can't really change the format.

phoerious commented 7 years ago

I'm absolutely against making the password generator any more complicated than it is. Adding high ANSI characters is a nice feature and we can add it, but allowing the user to toggle usage of every possible character (sub)group would be absolute overkill. I know there are services which have stupid password rules and require character X to be present and disallow character Y, but they are quite rare. In those cases, you can fix that by simply hitting the "Generate" button again or manually replacing a character from the password.

Adding more and more options to the password generator doesn't make passwords more secure, but it does make the process a lot more intimidating and confusing, especially to novice users. The easiest way to make a password more secure, though, is to make it longer and the generator makes it extremely easy to generate stupidly long passwords.

Personally, I even prefer having less special characters, but instead longer passwords from a smaller alphabet. I often run into situations where I need to type them manually and depending on the keyboard, some characters are simply not available or a pain in the ass to type (especially on mobile on-screen keyboards).

> If the KDBX format doesn't provide the option to save password profiles we can't really change the format.

You could save it in a custom attribute.

mandulaj commented 7 years ago

Absolutely agree @phoerious. My bad, I had my changes in mind for the Password Generator under the Tools menu... I feel like that is the more 'advanced' menu where we could afford more options. In the widget I think we could leave it as it is and only add a button to get through to the more advanced Password Generator with profiles and patterns.

@TheZ3ro

phoerious commented 7 years ago

That is the exact same widget and I wouldn't add too many options to that one either. But having a slightly more advanced toolset for the stand-alone version is at least debatable.

mandulaj commented 7 years ago

@phoerious exactly what I have in mind, making the Tools>Password Generator stand-alone and more sophisticated. (And link it from the simpler Password widget with a button)

phoerious commented 7 years ago

Keep in mind that our goal is not reaching feature parity with KeePass (if that were the case, we should better just work on a KeePass theme or something). Our goal is to provide a solid and modern password manager and not to support every imaginable feature. KeePass IMHO has way too many options.

mandulaj commented 7 years ago

@phoerious I agree with you on all of this, and the clean simple UI of KeePassXC is one of the reasons I am using it. However, I still think that giving the users the ability to customize everything, perhaps even through advanced text configuration, can be beneficial for someone somewhere with some particular problem. For the same reason I use i3. It is clean, the default works, but you can tweak anything to your desire.

> KeePass IMHO has way too many options.

Yes, but they are stashed away under advanced menus and tabs

droidmonkey commented 7 years ago

The new password generator obviates the need for this feature.

LabGecko commented 5 years ago

Use case for password patterns: On mobile (Android) it can be quite difficult (if not impossible without installing new keyboards) to type some special characters. Further, KeePassXC is not yet available for Android phones, so in some instances this can necessitate looking at one screen and typing on mobile (unless there is an implementation of which I am unaware). For mobile, it is much simpler to have passwords that require a minimum of switching to special character pages. Patterns as seen at https://keepass.info/help/base/pwgenerator.html make this relatively simple to set up for users concerned with this security. Adding {word} to this pattern set to allow passphrase strings could make the password generator much more powerful without introducing a great deal of confusion.

The pattern would not require external scripts, and as mentioned above, should be stored in the database itself. It could be included as a single line below the "Do not include" field, with a button at the end to pull up a help page in the browser. On my screen this already scrolls, so one more line is not a great deal of real estate to give up. The field could have auto-removing text which says something on the order of "May reduce security! Use only after careful review of the details on Help!" as an added caution for users not already familiar with patterns. Such text would only show if nothing is typed in the field.

Considering the adoption of patterns in KeePass and the usage of patterns among my own peers I believe this has a high likelihood of acceptance by KeePassXC users migrating from KeePass.

Apologies if I put this in the wrong place. I don't know if this should be here or a new report, but it references https://keepass.info/help/base/pwgenerator.html so I am starting here.
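
The pattern approach sketched in mandulaj's comment above (A{10}, {diceware}-{diceware}-{diceware}-{diceware}) and in LabGecko's comment ({word} added to a KeePass-style pattern) can be made concrete. The following Python is an added example written for this page; it is not KeePassXC or KeePass code. The placeholder letters are an assumed subset loosely modeled on the KeePass pattern documentation linked above, {word} is the hypothetical directive LabGecko proposes, and the word list is constructed. It also computes the entropy a pattern yields, which is the check a practitioner would want for phoerious's point that a longer password from a smaller alphabet beats a shorter one from a larger alphabet.

```python
import math
import secrets
import string

# Placeholder letters -> character sets. This mapping is an assumption made for
# this example, loosely modeled on the KeePass pattern documentation; it is not
# the KeePass or KeePassXC implementation.
CLASSES = {
    "d": string.digits,                           # digit
    "l": string.ascii_lowercase,                  # lower-case letter
    "u": string.ascii_uppercase,                  # upper-case letter
    "L": string.ascii_letters,                    # mixed-case letter
    "a": string.ascii_lowercase + string.digits,  # lower-case alphanumeric
    "A": string.ascii_letters + string.digits,    # mixed-case alphanumeric
    "h": "0123456789abcdef",                      # lower-case hex digit
    "s": string.punctuation,                      # printable ASCII punctuation
    "b": "()[]{}<>",                              # brackets
}

# Constructed word list for the hypothetical {word} directive. A real
# implementation would load a diceware list (7776 words, about 12.9 bits each).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor"]


def tokenize(pattern):
    """Parse a pattern into [kind, payload, count] tokens.

    kind is "class" (payload = character set), "word" (payload = None) or
    "literal" (payload = one character). A trailing {n} repeats the previous
    token n times; a backslash makes the next character a literal.
    """
    tokens = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling escape at end of pattern")
            tokens.append(["literal", pattern[i + 1], 1])
            i += 2
        elif ch == "{":
            j = pattern.find("}", i)
            if j < 0:
                raise ValueError("unterminated '{'")
            body = pattern[i + 1:j]
            if body.isdigit():
                if not tokens or int(body) < 1:
                    raise ValueError(f"bad repeat count {{{body}}}")
                tokens[-1][2] = int(body)
            elif body == "word":
                tokens.append(["word", None, 1])
            else:
                raise ValueError(f"unknown directive {{{body}}}")
            i = j + 1
        elif ch in CLASSES:
            tokens.append(["class", CLASSES[ch], 1])
            i += 1
        else:
            tokens.append(["literal", ch, 1])
            i += 1
    return tokens


def generate(pattern, rng=secrets):
    """Generate one password from the pattern using a CSPRNG (secrets.choice)."""
    out = []
    for kind, payload, count in tokenize(pattern):
        for _ in range(count):
            if kind == "literal":
                out.append(payload)
            elif kind == "class":
                out.append(rng.choice(payload))
            else:
                out.append(rng.choice(WORDS))
    return "".join(out)


def entropy_bits(pattern):
    """Entropy of the output in bits, assuming the attacker knows the pattern.

    Literals and fixed repeat counts contribute nothing; each random position
    contributes log2(size of its set).
    """
    bits = 0.0
    for kind, payload, count in tokenize(pattern):
        if kind == "class":
            bits += count * math.log2(len(payload))
        elif kind == "word":
            bits += count * math.log2(len(WORDS))
    return bits


def validate(pattern):
    """Return an error message for a malformed pattern, or None if well-formed."""
    try:
        tokenize(pattern)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Wider alphabet but shorter versus narrower alphabet but longer, plus a
    # policy-shaped pattern that guarantees two digits and one special character.
    for p in ["A{10}", "l{16}", "L{12}d{2}s", "{word}-{word}-{word}-{word}", r"\d{2}A{8}"]:
        print(f"{p:32} {entropy_bits(p):6.1f} bits  e.g. {generate(p)}")
```

Run it and A{10} comes out at about 59.5 bits while l{16} gives about 75.2 bits, which is the trade-off phoerious describes; a pattern such as L{12}d{2}s places the required classes at fixed positions, so a site rule like "at least two digits and one symbol" is met on every run without regenerating. Because the positions are fixed, an attacker who knows the pattern gains nothing from the literals, which is why entropy_bits ignores them.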

droidmonkey commented 5 years ago

Please see #2628

telesfilipe commented 3 years ago

Must have feature.

Massimo-B commented 2 years ago

OK, I was told the master of the duplicates is #2628 now.

burnziii commented 1 year ago

Would be great if a pattern like the one in KeePass would be available to generate passwords that meet our business requirements.

ohaucke commented 1 year ago

> I know there are services which have stupid password rules and require character X to be present and disallow character Y, but they are quite rare.

@phoerious They might be rare for you, but unfortunately that's not true for everybody. I have quite a few sites where I need to change the password regularly and they have some (really) stupid rules.

With the current implementation, I always need to change the selection back and forth between four different configurations and that sucks quite a lot :(

I would highly appreciate it, if you/the team would at least give this request another thought.

Maybe give us the option to enable a feature like this through an option in the settings - that's by default disabled?

droidmonkey commented 1 year ago

2628, please don't necropost