passwordmaker / chrome-passwordmaker

A browser extension based on passwordmaker.org. Create unique passwords for every webpage using a cryptographic hash algorithm.
https://passwordmaker.org
GNU Lesser General Public License v3.0

Feature request: Combo box for making the password satisfy different requirements #177

Closed polarka closed 12 months ago

polarka commented 5 years ago

Nowadays, more and more sites check the password for having numbers, upper/lower case letters, marks...

Occasionally the generated password does not contain one of those.

For example, it may not contain a number character. It could be fixed by replacing a letter by a number.

What I would like to see implemented is a combo box or a drop-down list, where I can pick to force the final, generated password to have upper/lower case letters, numbers, other signs and the combinations of these.

Thanks, polarka

heavensrevenge commented 5 years ago

There's a situation, which I'm not sure how bad it is, but this jeopardizes the output of a cryptographically strong checksum if a character was altered since it will weaken the entropy or randomness of a generated password.

For passwords which have a failsafe of less than 10 login attempts it may be insignificant... but if a password database is copied and there are unlimited queries and attempts to crack a password, replacing even a single character weakens the attack surface substantially and allows a trend to emerge and work on and crack by brute force.

So... in terms of replacing a character to satisfy a requirement, I don't see there to be a security benefit but a usability or convenience addition. Unless you can give or suggest a solution which adds a character type without compromising security I'll need to think quite a bit more on this.

Btw, input or suggestion by you @polarka which upholds security would help me make this a reality but it would most likely alter every previous password ever created by this type of password construction algorithm.

tasermonkey commented 5 years ago

how about something more like a 'create new profile matching requirements' (or something).

What it does is: keeps incrementing the 'Modifier' by one until the password constraints are met. Then it creates the profile with that modifier.

or another possible way might be:

if (profile.validatePasswordConstraints) {
   let generatedPass = '';
   let count = 0;
   // Keep rehashing with an incremented counter until the constraints are met.
   do {
        generatedPass = generatePasswordWithNumberOfRehashes(count++);
   } while (!matchesConstraints(generatedPass, profile));
}

where generatePasswordWithNumberOfRehashes could append the count to the modifier before running the normal password maker algo.

It may be slower (but probably not noticeable), and there in theory could be an input such that it would never generate a valid password; however, I don't think that would happen ... it just may take more iterations.

matchesConstraints is a test function that just checks to see if the constraints are met.

This doesn't change the entropy any more than what the site is requiring you to do by matching an arbitrary constraint.

polarka commented 5 years ago

Tasermonkey's solution has no effect with regard to security.

My initial idea was to make statistics about the type of chars used in the generated password and choose the type that has bigger than 1 occurrence and change one of those chars to the one that has no occurrence.

About the issue that these changes would affect the previously made passwords: I believe that in the combo box for selecting the constraints on the password, the default value should be the original algorithm without constraints applied. So there will always be an option for generating that.

heavensrevenge commented 12 months ago

I put a "Test Strength of Profile" checkbox above the profile configuration page a long time ago. That's probably as close to a character set/password modifier as I will go, since passwords generated with a non-standard modifier will be incompatible with all other versions of PasswordMaker.