When a password is generated and Upper, Lower, and Numeric is checked, the password may NOT contain either of those checked.
The password SHOULD contain at least one checked requirement.
Thanks
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I think, that the second poster did make a suggestion.
But I don't think, that this is useful, bcause of this: the more different signs can be used to create a password, the more secure it will be (the same length given). So in the optimal circumstances ALL groups of signs should be checked. But there are sites / applications, which do not accept all possible signs or in a given localization of Windows Auto-Type does not work with all of them. Then obvioulsy it is neccessary to exclude these critical groups of signs.
But if there is no need, to exclude a group of signs out of the described reasons, than it SHOULD be used. An option MAY be used does not make any sense IMHO.
I take this opportunity to ask Dominik again to split the group "Higher ANSI signs" in the passowrd generator, because there are some problematic signs, which may not work on any localization of Windows, and there are others, which do not have this problem. At the moment I have to disable the whole group and lower the security of my passwords. Also these problematic signs should never be used for the passwords, that KP auto-creates for new database-entries (otherwise this option becomes useless, if you are in the situation of such a localization.
Thomas
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
A Password rule with "MAY" clauses may make sense ;-)
It is because: If you can afford it, a "MAY rule" makes narrows the knowledge of an attacker about the password consistency. Extreme case vice versa: If an attacker knows, that your password MUST contain Upper chars and MUST contain 1 special char etc., he also has some valuable information.
What I see in reality is the downside of MUST clauses. Companies want their users to e.g. use 8 chars at least, at least one upper and 1 digit. For an attacker that means: Very likely the user passwords start with one upper char, 6 lower and end up with 1 or more digits, i.e. the birth date of someone, or an increasing counter at any password change.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
the attacker would have an advantage only (if at all) in the case, if he was able to observe, which settings you made, when setting the password generator rules. But if an attacker would have this opportunity, than the user has much deeper problems on his system or in his / her environment.
Thomas
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I thought I might be the only one that needed these requirements. After generating a password with Upper, Lower, and Numbers I pasted into a form which complained that I didn't meet the password requirements.
Now every time I generate a password I have to visually check to see if it meets the requirement. That sucks.
KeePass is not the only one though. I downloaded other password programs, because I really want this requirement feature. They also do not meet checked requirements. It must be the generation algorithm.
Thanks for the discussion.
Doug
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I experience the same issue as Doug. My network requires a certain number of Upper Case, Lower Case, Numbers, Special Character, etc. It even excludes certain special characters. Once the network requires the password to be changed I must change at least a certain number of characters.
Since KeePass’s password generator doesn’t allow the user to ensure certain requirements are met I must visually inspect each generated password meets the requirement.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
This program has an English (beside German and Polish) user interface but the help file is only in German :-( But you could use babelfish ( http://babelfish.altavista.com/ ) to translate it if you should need help although the GUI is pretty simple.
You can click your own generation rules and save them as a set for later (re)use with a name and a comment.
You can also exclude special characters from use and even force the generator to use characters just once and you can generate up to 999 password at once and even save them to a file.
E.g. your company network password must be 8 signs long and must have one and only one number as second sign and a capital letter as third sign and there must not be special chars, then your generation rule would looks like:
[aA][nN][A][aA*5]
Look at the screenshot as it tells more than words ;-)
Cya Ryushi
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I need to make passwords that contains at least 2 letters and 2 numbers. At least 1 of those letters must be upper case. So I would like the option not only to set a MUST contain, but also the minimum number of MUST contain characters. As far as I'm concerned a tristate checkbox is not enough.
Bob
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
When a password is generated and Upper, Lower, and Numeric is checked, the password may NOT contain either of those checked.
The password SHOULD contain at least one checked requirement.
Thanks
The checkboxes states should be:
[ ] Empty = DOES NOT CONTAIN
[x] grey = MAY contain
[x] black = MUST contain
The Check Box does not have 3 states.
I am using 1.06 on XP. It has a 2 state Check Box, ON or OFF.
Is there a version with 3 states? Beta?
I think, that the second poster did make a suggestion.
But I don't think, that this is useful, bcause of this: the more different signs can be used to create a password, the more secure it will be (the same length given). So in the optimal circumstances ALL groups of signs should be checked. But there are sites / applications, which do not accept all possible signs or in a given localization of Windows Auto-Type does not work with all of them. Then obvioulsy it is neccessary to exclude these critical groups of signs.
But if there is no need, to exclude a group of signs out of the described reasons, than it SHOULD be used. An option MAY be used does not make any sense IMHO.
I take this opportunity to ask Dominik again to split the group "Higher ANSI signs" in the passowrd generator, because there are some problematic signs, which may not work on any localization of Windows, and there are others, which do not have this problem. At the moment I have to disable the whole group and lower the security of my passwords. Also these problematic signs should never be used for the passwords, that KP auto-creates for new database-entries (otherwise this option becomes useless, if you are in the situation of such a localization.
Thomas
This was me and a suggestion, correct.
A Password rule with "MAY" clauses may make sense ;-)
It is because: If you can afford it, a "MAY rule" makes narrows the knowledge of an attacker about the password consistency. Extreme case vice versa: If an attacker knows, that your password MUST contain Upper chars and MUST contain 1 special char etc., he also has some valuable information.
What I see in reality is the downside of MUST clauses. Companies want their users to e.g. use 8 chars at least, at least one upper and 1 digit. For an attacker that means: Very likely the user passwords start with one upper char, 6 lower and end up with 1 or more digits, i.e. the birth date of someone, or an increasing counter at any password change.
Hi Michael,
the attacker would have an advantage only (if at all) in the case, if he was able to observe, which settings you made, when setting the password generator rules. But if an attacker would have this opportunity, than the user has much deeper problems on his system or in his / her environment.
Thomas
I thought I might be the only one that needed these requirements. After generating a password with Upper, Lower, and Numbers I pasted into a form which complained that I didn't meet the password requirements.
Now every time I generate a password I have to visually check to see if it meets the requirement. That sucks.
KeePass is not the only one though. I downloaded other password programs, because I really want this requirement feature. They also do not meet checked requirements. It must be the generation algorithm.
Thanks for the discussion.
Doug
I experience the same issue as Doug. My network requires a certain number of Upper Case, Lower Case, Numbers, Special Character, etc. It even excludes certain special characters. Once the network requires the password to be changed I must change at least a certain number of characters.
Since KeePass’s password generator doesn’t allow the user to ensure certain requirements are met I must visually inspect each generated password meets the requirement.
KeePass Pro will have more generator options.
cheers, Paul
Meanwhile you could use this one which is pretty small (uncompressed ~ 170 kByte) but has pretty mighty password generation rules:
http://www.gaijin.at/dlpg.php (DL filesize 52 kByte)
http://www.gaijin.at/images/scr_pwdgen.gif (screenshot)
This program has an English (beside German and Polish) user interface but the help file is only in German :-( But you could use babelfish ( http://babelfish.altavista.com/ ) to translate it if you should need help although the GUI is pretty simple.
You can click your own generation rules and save them as a set for later (re)use with a name and a comment.
You can also exclude special characters from use and even force the generator to use characters just once and you can generate up to 999 password at once and even save them to a file.
E.g. your company network password must be 8 signs long and must have one and only one number as second sign and a capital letter as third sign and there must not be special chars, then your generation rule would looks like:
[aA][nN][A][aA*5]
Look at the screenshot as it tells more than words ;-)
Cya Ryushi
I need to make passwords that contains at least 2 letters and 2 numbers. At least 1 of those letters must be upper case. So I would like the option not only to set a MUST contain, but also the minimum number of MUST contain characters. As far as I'm concerned a tristate checkbox is not enough.
Bob
V2 generator has rules to do this, but you end up with a somewhat predictable pattern.
cheers, Paul