Vivien Muller
24 November, 2021
Changing requirements for what makes a strong password means that password managers must adapt. Let’s have a look at the latest improvements of the password generator.
Being able to generate strong passwords when creating accounts on third party systems is an important part of any password management software. Requirements for what makes a password strong are becoming more complex, while also differing from system to system.
Passbolt, previously, had a simpler password generator that produced safe defaults, but didn’t allow for customisation of password parameters — including the strength or the type.
The updated password generator, as part of the third version of passbolt, allows for the customisation of the password parameters and introduces support for passphrase generation. This much awaited evolution will improve user experience.
Based on our February 2021 security audit by Cure53, and customer feedback, we considered switching the default setting to passphrase, rather than password. However, after some initial testing, we decided against it. We found that the majority of websites still expect “traditional passwords”, e.g. a mix of around 8 to 10 letters and numbers and special characters.
Switching the default to passphrase, when most websites won’t accept them, would have created unnecessary friction. However, it’s possible for an administrator to switch the configuration to use passphrases as the default generation method in the server settings.
Specific changes to the password generator
We’ve made a variety of changes to the password generator, to improve your ability to make strong passwords that fulfils whatever requirements are needed.
We removed the security token from the password “create” and “edit” forms. This reduces cognitive load, while giving us some additional space. For consistency the security token will now only be presented when requesting the OpenPGP private key passphrase.
Also, the “eye” button to preview the password is now displayed as part of the password input field rather than being a separate button on the right.
A “cog” toggle button has been added. By default this toggle is unselected. When you switch the toggle on, a “password generator” dialogue opens.
The password generator section contains a type selector that includes the following algorithms: passphrase, random, letters and numbers, numbers only, custom. This means you can even choose to include emojis in your strong passwords. How cool is that? 😎
The complexity indicators are updated whenever the content of the input field is changed. This means that when you update the type or one of the parameters (for example the length) a new password matching your new requirements is automatically generated and updated into the input field.
New settings
There are also some new settings that the passbolt password generator is utilising to improve its performance, usability and capability to create strong passwords with customisable elements.
Passphrase default
The new passphrase generator produces nice words using the diceware method. By default the words aren’t separated, but the user has the option to define a set of characters (e.g. “ ” or “_”) that’ll be used to separate them.
Similarly, you can control the number of words and if either lower case, camel case or upper case is used.
Password
This method is similar to what we have in the current version of the password generator. You can choose to further edit the options, in which case the title changes to “Random (custom)”, unless it matches an existing setting, like numbers only.
You can change:
- the length from the default 18,
- the types of characters used (using toggles),
You can also exclude look alike characters, like Homoglyphs.
Did we mention that these new changes have been fully audited prior to release?
Yes, that’s right. Because the password generator is a critical component of any password management system, we wanted to make sure that this feature is as secure as can be before we release it. We asked Cure53 to review it, along with the other changes from the same release.
The audit report is available here.
Greater password/passphrase customisation
The goal of these changes to the password generator is that it will be more user friendly, while also giving you more opportunities to customise your passwords — making them stronger.
It’s also important to us that you’ll be able to create strong passwords, regardless of what a third party system’s requirements might be. Update to the newest version of passbolt (or ask your admin to do it), so you can check out these changes for yourself.
If you feel like you want more details on the password generator revamp, you can take a look at the documentation. Also, we’d love to find out what you think! Let us know by giving us feedback in the community forum.
