Product Ideas Portal



24 Vote

Automatic generation of passphrases based on a dictionary of words

Would it be possible for passwordsafe to have a more granular password policy, to allow the generation of passwords which are more memorable, for example:

(((w|W)ords)[0-9]){3,6}
(((w|W)(o|0)rd(s|5))[0-9]){3,6}

where 'word' is from a full dictionary list?

There may be scenarios where users extract a password from passwordsafe, and then physically type the password into hardware.

Overly complex passwords are not particularly great for this scenario as users will often write them down or print them as they are unable to easily memorise them.

Recent guidance from NCSC and NIST corroborates this; it would be interesting to have your feedback:

https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd

  • Guest
  • Apr 25 2019
  • Future consideration
  • Guest commented
    16 Nov, 2020 12:00pm

    I would like to bump this thread, as we have had similar feedback from our user estate, regarding the use of random dictionary words in generated passwords to make them easier to remember (e.g. "correcthorsebatterystable").

    I disagree with Brian's comment regarding a dictionary password not being as secure as an entirely random password for super accounts. Surely the security of a password is only as good as the entropy of the password (i.e. how long it would take a super computer to crack the password). It wouldn't take a computer any longer to crack a 12 character entirely random password that was constructed using 4 character sets (e.g. "JWe8G#jLS?96") than it would to crack a 12 character password made of 2 dictionary words which also used the same 4 character sets (e.g. "Horseplane5!"), as the entropy value of both passwords would be the same: the number of possible characters to the power of the length of the password (in our example 88 to the power of 12).

    The two use cases I have below can require some of our users to type their password up to 30 - 40 times a day, which obviously has quite an impact on their productivity if the password generated for their account is not easily memorable.

    1) Being unable to paste the password into RDP sessions on target systems when completing UAC verification challenges when installing software.

    2) Being unable to paste the password into locked RDP sessions when the screensaver has activated (due to inactivity for over 10 minutes).

    This ultimately comes down to balancing what is hard for a computer to crack, against what is easy for a human to use and work with. It would be great if the system would allow us to use either approach in our password policies, so that the customer could decide on what suits their needs the best.
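As an added illustration of the policy proposed in the idea above and the entropy comparison in this comment (example code, not part of the portal or of Password Safe), the script below generates passphrases matching the `(((w|W)ord)[0-9]){n}` form from a word list using a CSPRNG, checks candidates against the `{3,6}` regex policy, and reports entropy as the size of the generator's choice space (dictionary size, optional capital, digit per word), which is what someone who knows the policy would have to enumerate. The word list, function names and the 88-character alphabet figure are assumptions for the example; a real deployment would load a full dictionary.

```python
import math
import re
import secrets

# Constructed sample word list for the example; a real policy would load a full dictionary.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "plane", "river", "candle", "silver"]


def generate_passphrase(words, n_words, rng=None):
    """Build one passphrase of the form (((w|W)ord)[0-9]){n}: each dictionary
    word is capitalised at random and followed by one random digit.
    Uses a CSPRNG (secrets.SystemRandom) unless a Random instance is supplied."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and one repetition")
    rng = rng or secrets.SystemRandom()
    parts = []
    for _ in range(n_words):
        word = rng.choice(words)
        if rng.randrange(2):  # (w|W): capitalise the first letter with probability 1/2
            word = word.capitalize()
        parts.append(word + str(rng.randrange(10)))  # trailing [0-9]
    return "".join(parts)


def matches_policy(candidate, words, min_words=3, max_words=6):
    """Check a candidate against the regex form of the policy from the idea,
    (((w|W)ords)[0-9]){3,6}, with the alternation expanded from the word list."""
    forms = {re.escape(w) for w in words} | {re.escape(w.capitalize()) for w in words}
    alternation = "|".join(sorted(forms, key=len, reverse=True))
    pattern = r"(?:(?:%s)[0-9]){%d,%d}" % (alternation, min_words, max_words)
    return re.fullmatch(pattern, candidate) is not None


def passphrase_entropy_bits(dictionary_size, n_words, capitalise=True):
    """Bits of entropy in the generator's choice space: per word, the dictionary
    pick, one bit for the optional capital, and log2(10) for the digit."""
    per_word = math.log2(dictionary_size) + (1 if capitalise else 0) + math.log2(10)
    return n_words * per_word


def random_password_entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random character password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 4))
    print(round(passphrase_entropy_bits(7776, 4), 1), "bits: 4 words from a 7776-word list")
    print(round(random_password_entropy_bits(88, 12), 1), "bits: 12 random chars from an 88-char set")
```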

  • Admin
    Brian Chappell commented
    5 Oct, 2019 08:38am

    While the NIST guidance for end-user passwords is great for users, it's not as secure as an entirely random password for super-user accounts. The number of instances where a password needs to be typed into a physical system will be extremely limited. Assuming the need for the physical access is because the system has become disconnected from the network, once the password has been used (which would require physical access in this scenario) the system would be reconnected to the network and Password Safe would be able to change the password once the request is completed/checked-in, rendering any written down/printed password redundant.