Closed Bug 1559986 Opened 5 years ago Closed 1 year ago

Add special characters / symbols to generated passwords

Categories

(Toolkit :: Password Manager, enhancement, P3)

enhancement

Tracking

RESOLVED FIXED
113 Branch
Tracking Status
relnote-firefox --- 113+
firefox70 --- wontfix
firefox71 --- wontfix
firefox113 --- fixed

People

(Reporter: MattN, Assigned: bugzilla)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [passwords:generation] [fxcm-password-generator])

Attachments

(1 file, 1 obsolete file)

Some sites require special characters and including them adds more entropy to generated passwords.

I recently had one of those sites and had to add a special character to the generated password.

Blocks: 1570215
Summary: Add special characters to generated passwords → Add special characters / symbols to generated passwords

My experience, since the password generator landed in the Firefox release channel, is that over half the sites I've tried require special characters in passwords. Conversely, I've also run into sites that require all-numeric passcodes, or reject Firefox generated passwords as too long. Lack of Firefox support for these cases makes the password generator far less useful than it should be.

This feature needs to be much more flexible for it to be effective at combating password reuse.

Looking further ahead, it would be nice if there was an HTML extension for sites to communicate their password requirements without user intervention.

(In reply to ch-bugzilla from comment #4)

> My experience, since the password generator landed in the Firefox release channel, is that over half the sites I've tried require special characters in passwords. Conversely, I've also run into sites that require all-numeric passcodes, or reject Firefox generated passwords as too long. Lack of Firefox support for these cases makes the password generator far less useful than it should be.

That's unfortunate… our data says something very different than your experience: only 3.5% of filled generated passwords get edited.

> This feature needs to be much more flexible for it to be effective at combating password reuse.

That's one reason we make the field unmasked upon focus, allowing easy additions of special characters. It's easier to add a character than to get the caret in the right spot to delete all of them if the site doesn't allow them.

> Looking further ahead, it would be nice if there was an HTML extension for sites to communicate their password requirements without user intervention.

Sites can already use minlength, maxlength and pattern attributes to tell password managers about the most common requirements but we don't honour them yet and that is off-topic for this bug. I filed bug 1634783 and bug 1634787 on those.

> That's unfortunate… our data says something very different than your experience: only 3.5% of filled generated passwords get edited.

This data may not necessarily reflect reality. Typically if I can already see that the password being generated doesn't fulfill the requirements, I don't even click on the auto-generated password.

On at least two occasions, I have had to open Chrome to generate the password, save it to my Google account, copy that password and make Firefox remember that password by logging in to the website as a workaround. On one occasion I edited the Firefox generated password.

Most recently, I could not use the Firefox generated password while creating an Amazon Lightsail account.

I think this is a fairly common use case which is getting ignored because the password edit data does not reflect how often this feature is needed.

Ideally, one should have on/off flags for common password options (special characters, alphanumerics, use special chars in middle etc) in the auto-generated password pop-up.

If this issue won't be fixed, is there a recommended workaround (such as a Firefox plugin which can manage the passwords instead of Firefox)?

Will it be helpful if a list of websites which require special characters in the password is added to this bug? I encountered this again while resetting password for last.fm.

I'm also not able to edit the password entered by Firefox, since the show password option is not available on every webpage. Is it possible for the browser to add a show password option in the context menu of a password field, as a workaround?

See Also: → 1652464
See Also: → 1691744
Blocks: 1691744
See Also: 1691744
Blocks: 1691742
Blocks: 1691741
Blocks: 1691966
Blocks: 1692166
Blocks: 1692156
Blocks: 1713585
Blocks: 1713592

Hi,
In France it's now an obligation for web shops to force a password with at least 3 of these 4 types (uppercase letter, lowercase letter, digit, special character), so it would be useful to update your password generator or at least add an option to use special characters.
You can see the rules here: https://www.cnil.fr/fr/mot-de-passe (sorry, only in French)

Wow I never thought about using minlength/maxlength for password fields, that’s interesting. Will start using it!

While there is discussion about length and parameters, already adding some special characters would be very helpful.

Bastien, I’m not a native speaker, but from what I understand, these CNIL criteria are recommendations.

Yet, in my personal experience, ⅓ of the websites for which I created passwords recently asked for a special character, and I edited the password in the password fields, easy enough. For statistics it might be worth analysing the data more. Which passwords are not accounted for in that data? What's the methodology?

To choose these characters, one would probably need to analyse which are available on a wide range of keyboards, right? You wouldn’t want to generate a password that a user is not even able to type when logging in on a machine without synchronisation.

What would the best approach be to create such a list?

Andy,

It's not a recommendation, it's an obligation.
Here is the legal statement :
https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000033928007

You are right for the list of characters, not a simple task...

Hi everyone,

As a Firefox/Lockwise user for quite a while now, I think that being able to edit the parameters for the password generator is a real need.
I see a lot of companies allowing their employees to use the Firefox password manager/Lockwise. And it would be nice to be able to force, or at least set a basic level for, these kinds of parameters.

As Bastien stated there is a legal obligation in France for companies to force these standards upon the accounts (users/customers).

In France, "recommendations" from the CNIL are not to be taken lightly, as companies could be held responsible or even sued for not respecting these recommendations (if a data leak or other GDPR issues were to happen).

Here is some documentation that I was able to find on respectively the CNIL website and the ANSSI website.

https://www.cnil.fr/sites/default/files/atoms/files/recommandation_passwords_en.pdf

https://www.ssi.gouv.fr/

https://www.ssi.gouv.fr/uploads/2021/10/anssi-guide-authentification_multifacteur_et_mots_de_passe.pdf

4.5

As stated here:

In order to give users the means they need to comply with the constraints imposed when creating their passwords, it is important to make them aware of the need to create passwords whose robustness complies with the rules of the password policy. It is also important to provide users with resources enabling them to generate robust passwords, such as password vaults (see section 4.8) or tools that assist in generating and memorising robust passwords (such as the CNIL tool [25]).

4.2 R21 - Table 3

These examples of minimum lengths mainly concern passwords that must be memorised by a human. For those that do not need to be memorised, it is recommended that the minimum length be very large (greater than 20 characters, for example).

For the CNIL and the ANSSI, users must be able to reach at least the moderate to "robuste"/strong level using a password generator; the password must be at least 12 characters long.
A strong to very strong password must be at least 15 characters long.

All these types of password must meet at least 1 of these:

  • Number(s)
  • Uppercase character(s)
  • Lowercase character(s)
  • Punctuation marks or special characters

https://www.silicon.fr/mots-de-passe-cnil-durcit-preconisations-168183.html

Hope that this can give you an insight on what we are facing/needing in France !

I did report a bug regarding this, also for providing a way to change length.
The notion is that there are only a few websites that have this issue, but a major website that can be considered is Workday, and it does need special characters to make the password work.

Why is this bug not taken seriously, when the whole point of a password generator is to have quite a robust password? Firefox is not doing that at the moment; other browsers take it more seriously, a good example being Safari.
Also, Firefox's internal password manager tool is not quite helpful in terms of showing the user vulnerable passwords, and compromised-password detection does not work at all. Safari's manager tool works quite well.

How is this bug still open? It's bugs like this that get me wondering what Firefox is prioritizing.

Yes, how is it still open in 102? It should be a feature.

What is the next step in order to make progress on this?

I support what many commenters have either stated or implied above - in my opinion, configurability of password generator parameters is table stakes in '22. I believe usage data will show that over time but I'd rather add the feature and keep the users if possible.

See Also: → 1762028

I get more and more denials on 'secure' generated passwords not being secure. Would be nice if there were some settings available to set length/complexity or something like that.

I can't speak to the priorities and resources for this team, but I do know that there's an open question about how to meet the goals of this bug, without adding a lot of complexity for end-users, and engineers to implement and maintain.

One proposal which I think I like was to rotate the suggested generated password through a few different patterns. I.e. if you didn't like the suggested password you could click a refresh button next to it to generate a new one. Re-generation might use slightly different rules to include special characters, use only lowercase etc. to improve the chance of meeting your and the site's requirements. That has the advantage of leaving the default behavior as-is which works for most people and sites, most of the time, while providing some mitigation for when that default doesn't work - without adding a lot of UI surface and user-configuration which are both awkward to use and expensive to maintain over time.

Thanks for the insight Sam. The proposal you describe sounds promising; I would support that for sure.

What is Mozilla's justification for refusing to fix this bug for over three years? This is a serious issue that literally every other major browser has already addressed. Why do you want your users' passwords to be less secure?

Your alleged commitment to user privacy and security is hollow and meaningless if you do not address issues such as this.

Does anybody know why special characters were not included in the first place, or what is holding the team back from simply adding them to newly generated passwords?

> the default behaviour as-is which works for most people and sites

I’m questioning this statement. Dealing with passwords is the primary pain point for a lot of people using the web, I’m constantly getting confirmation in usability tests. My hypothesis then is that the large majority of people will simply not edit the password after generating it with Firefox. You can see in the previous comments how cumbersome that is. It takes a lot of motivation to do that.

So your statistics are probably missing people who a) simply abandon the sign-up process, b) switch to another browser to sign up, c) abandon Firefox, d) copy a password from another generator, or e) use a completely manually created password, most likely one they already use.

Also, if the password field does not have a toggle to show the password, and has a confirmation field, there is no way to edit it. There’s a huge amount of websites that do that, hence a huge gap in the data.

There has been movement on the market recently it seems, as I find more and more major security firms when googling “password generator”, demonstrating the need for those, potentially supporting point d) This includes LastPass, Avast, Norton, F-Secure, Kaspersky.

Me, personally, I’m using Avast’s password generator now, https://www.avast.com/random-password-generator#pc, which interestingly also made special characters opt-in.

I tried to pick up some special characters Avast use: ! ? ' . , ; + - { } ^ [ ] ( ) ^ # _ + @ %

I have to add a special character manually at the end of both the Password and Password Confirmation fields every time, and I wonder whether it is really necessary to do it manually if it's an "automatic" password generator tool?!

I was quite surprised to find out FF did not include special characters in passwords...
For me it was self-evident that a security-conscious password generator should also take special characters into account these days.
In my opinion it should be considered a serious security issue if a password generator knowingly excludes a whole set of characters and thereby significantly reduces the security of the generated passwords.

So for the time being, the absolute minimum I'd expect would be to display a prominent warning whenever a password is generated, that tells the user to add special characters themselves if they want an actually good password.

Regarding the problems with special characters in passwords:

  • In my personal experience I've only ever encountered one website (out of dozens) that had a problem with special characters in a password.
    That's in no way representative, but I strongly believe that in these cases, not the password generator but the website should be blamed.

  • Regarding the availability of special characters for specific users, I would suggest adding a setting where the user can edit the list of characters they want to include in the generation character set.
    I think that all printable ASCII special characters (all from the range of 0x21 through 0x7E that are not alphanumeric), or maybe a slightly reduced subset, would be a reasonable default for such a setting, since I believe these are available quite universally, all around the globe, on old and new systems, desktop and mobile.
    And if really required, it should not be too difficult to provide a list of sets from which the most likely appropriate one is chosen based on locale, language and the like.

I am aware that the password generator is not the main function of firefox and the developers can't or don't want to spend too much time on it, but a few simple settings like length (or maybe even min- and max-length) and an input field for special characters to use are really not that much to ask for.

I also support the idea of Mark Foster (Comment 24) to provide a few different patterns to cover a wider range of combinations, but I'd extend it to allow the user to customize the patterns to their needs and select different settings for each.

Another idea would be to add an overlay or a popup after password generation that allows the user to customize and re-generate the password for common problems like "password too long/short" or "the password must contain numbers/uppercase/lowercase letters/special characters".
When one of the buttons is pressed, a new password that fits the adjusted requirements is generated.
And if the password already contained a character class, the corresponding button would exclude these characters for the re-generation.
These options could also be displayed in a popup prior to the password generation, allowing the user to specify their needs before the password is generated in the first place.

Happy to help code it if Mozilla needs the help. A password without special characters in it is unusable by all the sites that actually need security, so what is the point of a password generator to ensure a secure password if it is not generating a secure password?

Severity: normal → S3

Looking at the source code (https://github.com/mozilla/gecko-dev/commit/4ca7c3542cc16420efd6f7e7931241ab102484f6) it appears that rules for special characters were implemented on Jun 9 2021, but deliberately left inactive by default.

It would be safer to enable special character rules by default, and have users manually remove special characters for the few websites that do not accept special characters.

> It would be safer to enable special character rules by default, and have users manually remove special characters for the few websites that do not accept special characters.

That would be great!

All the excuses are silly. Why is a feature so crucial being denied? FF's password manager is retarded. 4 years passed and still not implemented. I understand this is free and opensource but why mark as "wontfix". There are thousands of people including me who would've loved to implement this feature. Open this issue!

FWIW, at this point some 50% or more of sites I visit require either a number, a special character, or both. This has made the built-in Firefox password generator pretty much useless to me. As such, I'm using the 1password plug-in instead.

And that is why Mozilla's data on how many people require this feature is completely faulty. One only gets unusable passwords a few times before the user switches to using another tool.

Every other site greets me with this or similar info:

Minimum 10 characters
Upper-case & Lower-case
Passwords match
Numeric
Special characters

And of course the last requirement cannot be fulfilled rendering Mozilla's password generator virtually useless.

Assignee: nobody → bugzilla
Status: NEW → ASSIGNED

Fixed special characters in generated passwords tests

Depends on D167062

Attachment #9312743 - Attachment description: Bug 1559986 - Added special characters to randomly generated passwords. r=#credential-management-reviewers → Bug 1559986 - Updated tests to expect special characters for randomly generated passwords. r=#credential-management-reviewers
Whiteboard: [passwords:generation] → [passwords:generation] [fxcm-password-generator]
Attachment #9312743 - Attachment is obsolete: true
Pushed by mtigley@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3a355dc30878
Added special characters to randomly generated passwords. r=credential-management-reviewers,sgalich,mtigley

This patch increases the security of the generated passwords from around 87.1 to 94.8 bits, so Mozilla could now also decrease the default password length from 15 to 14 characters and it would still provide increased security of 88.5 bits. For comparison, Chromium's generated passwords provide 88.9 bits of security, while organizations like the EFF say only around 77.5 bits are needed.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

This seems like something we would want to call out in the release notes. Please nominate it by setting the relnote-firefox dropdown to ? and filling out the form if you agree!

Flags: needinfo?(bugzilla)

Release Note Request (optional, but appreciated)
[Why is this notable]: Changed the password generation algorithm to add special characters / symbols
[Affects Firefox for Android]: No
[Suggested wording]: Add special characters / symbols to Firefox's password manager generated passwords
[Links (documentation, blog post, etc)]: Possible special characters / symbols : -~!@#$%^&*_+=)}:;"'>,.?]

relnote-firefox: --- → ?
Flags: needinfo?(bugzilla)

Added to the 113 Nightly relnotes, thanks!

Duplicate of this bug: 1823483
See Also: → 1742989

Is it possible to disable special characters in about:config or somewhere else? This change makes passwords less readable and harder to input than before, especially on devices with hard to operate keyboards like TVs, while not being meaningfully more secure.

Chrome 114.0.5735.110 still gives me alphanumeric without the hard to read special character mix. 15 chars on mediawiki vs Firefox 15 unreadable chars on the same page. It may be a reason to switch to Chrome for password management due to this change.
