keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Password Generator puts space character in passwords #8541

Closed BrerRabbit999 closed 2 years ago

BrerRabbit999 commented 2 years ago

Release 2.7.1 in Ubuntu 22.04 KeePassXC put a space character in a new password, which the target website rejected. I was using the default settings plus their list of special characters. I did not see the space until I tried to type it character by character into their webpage.

In order to generate an acceptable password I had to type a space character into the Do not include box, where it was invisible.

droidmonkey commented 2 years ago

Space is ASCII character 32, which is not part of any character group: https://github.com/keepassxreboot/keepassxc/blob/develop/src/core/PasswordGenerator.cpp#L122

You must have added it yourself.

BrerRabbit999 commented 2 years ago

New information. Their list of special characters has spaces between characters. I assert that spaces in that list should be ignored by KeePassXC <~ ` ! @ # $ % ^ & * ( ) _ - \ / |>

droidmonkey commented 2 years ago

Why would we ignore them? It is a totally valid character that people may want to include if they please.

BrerRabbit999 commented 2 years ago

OK, since A. websites publish lists that separate valid characters with spaces, B. passwords (but maybe not passphrases) usually cannot contain spaces, C. I don't want to get into ANSI character sets as variables, perhaps KeePassXC could check the include list and if it sees CHRS$32 multiple times in the list, it could ask the user if it is intended to be an included character multiple times.

BrerRabbit999 commented 2 years ago

There are lots of ways to implement that concept. I leave it to you to find the best way.
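One way to implement the check proposed in the comment above, shown as an added example that is not KeePassXC code and not something the project adopted. The names `CharsetReport`, `inspectCharset` and `kThreadList` are hypothetical, the input is assumed to be ASCII, and the sample list is the one quoted in this thread.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helper (not KeePassXC code): inspects a pasted ASCII character
// list before it is used as a generator's "also include" set.
struct CharsetReport {
    std::string pool;                 // distinct characters, first-seen order
    std::string withoutSpaces;        // the same pool with all whitespace dropped
    std::string duplicates;           // non-whitespace characters entered more than once
    std::size_t spaces = 0;           // occurrences of ASCII 32
    std::size_t otherWhitespace = 0;  // tabs, newlines and similar
    bool needsConfirmation = false;   // true when whitespace looks like a separator
};

// The list quoted in the thread, spaces included.
const std::string kThreadList = "~ ` ! @ # $ % ^ & * ( ) _ - \\ / |";

CharsetReport inspectCharset(const std::string& input) {
    CharsetReport r;
    for (char ch : input) {
        const bool blank = std::isspace(static_cast<unsigned char>(ch)) != 0;
        const bool seen = r.pool.find(ch) != std::string::npos;
        if (ch == ' ') {
            ++r.spaces;
        } else if (blank) {
            ++r.otherWhitespace;
        } else if (seen && r.duplicates.find(ch) == std::string::npos) {
            r.duplicates.push_back(ch);
        }
        if (!seen) {
            r.pool.push_back(ch);
            if (!blank) r.withoutSpaces.push_back(ch);
        }
    }
    // One space may be deliberate; repeated spaces or other whitespace suggest a
    // copied, separator-delimited list, so the caller should ask the user.
    r.needsConfirmation = r.spaces > 1 || r.otherWhitespace > 0;
    return r;
}

int main() {
    const CharsetReport r = inspectCharset(kThreadList);
    std::cout << "pool with space: " << r.pool.size() << ", without: "
              << r.withoutSpaces.size() << ", spaces typed: " << r.spaces
              << ", ask user: " << (r.needsConfirmation ? "yes" : "no") << "\n";
    return 0;
}
```

A single space is left alone here so that users who want it as a password character can still add it deliberately, which is the objection raised in the replies.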

JohnLGalt commented 2 years ago

> OK, since A. websites publish lists that separate valid characters with spaces, B. passwords (but maybe not passphrases) usually cannot contain spaces, C. I don't want to get into ANSI character sets as variables, perhaps KeePassXC could check the include list and if it sees CHRS$32 multiple times in the list, it could ask the user if it is intended to be an included character multiple times.

If they did not want the spaces used to denote the acceptable character list to be included when generating passwords, first and foremost, the onus is on the website itself to specifically mention that space should not be used and is not acceptable.

Because not all websites block it, and not all passwords for different items block the usage of space as a character when making passwords. So, to have KeePassXC arbitrarily block it would be the worse scenario for functionality, IMO.

droidmonkey commented 2 years ago

I won't be doing anything about this, to be honest.