
[PS-1479] Smart Passwords - Using website annotations for password policies

Open mikibakaiki opened this issue 3 years ago • 3 comments

Hey everyone!

As mentioned in this post, I set out to develop HTML annotations to describe password policies that could be easily read and applied to the password generator of Bitwarden.

This PR includes the base implementation of this feature for the browser extension.

It uses the same policy annotations - aka password rules - as Apple. It also uses an npm package - @passcert/pwrules-annotations - that I developed and adapted to typescript, based on Apple's own parser.

There is a new option on the dropdown - Smart Password - that will try to read the field passwordrules in an input form. This field contains the password policies specified by the website, making it easier for the generator to generate compliant passwords.

[Screenshot: bw_aug]

In this example, the site had the following rules:

passwordrules="required: upper; required: lower; required:digit; required: special; minlength: 10;"

So, the password must have at least 10 characters, and at least one lowercase letter, one uppercase letter, one digit, and one symbol. Since all character classes are required, the checkboxes are disabled and the minimum number of digits and symbols is also disabled because changing these values would generate a password that would be uncompliant. The minimum length of the password is also capped at 10, for the same reason.

You can read more about the password policy generation options here

TODO:

  • Get the list used in Apple's password quirks if a site does not have a passwordrules attribute.
  • Overall checks and possible optimizations
  • Test against company policies

Hoping to get some feedback and more ways to test this feature, which I think could be a great addition to Bitwarden. 😄

⚠️ NOTE: This PR depends on a jslib PR that I opened earlier.

mikibakaiki avatar Aug 30 '21 17:08 mikibakaiki
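To make the attribute format concrete, here is an added example (written for this page, not code from the PR or from the @passcert/pwrules-annotations package): a parser for the subset of Apple's passwordrules grammar that appears in the post (required, allowed, minlength, maxlength with the four named character classes) and a compliance check a generator can apply to its output. Function and type names are hypothetical; the sample attribute is the one quoted in the post.

```typescript
// Added example: parse a "passwordrules" attribute and check a password against it.
// Covers the named classes upper/lower/digit/special only (no custom [..] classes,
// ascii-printable or unicode), which is enough for the attribute shown in the post.
type CharClass = "upper" | "lower" | "digit" | "special";

// Character sets Apple documents for the four named classes.
const CLASS_CHARS: Record<CharClass, string> = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  special: "-~!@#$%^&*_+=`|(){}[:;\"'<>,.?]",
};

interface PasswordRules { required: CharClass[]; allowed: CharClass[]; minLength: number; maxLength: number | null; }

// hasOwnProperty, not `in`: a value like "constructor" must not pass as a class.
function isCharClass(s: string): s is CharClass { return Object.prototype.hasOwnProperty.call(CLASS_CHARS, s); }

function parsePasswordRules(attr: string): PasswordRules {
  const rules: PasswordRules = { required: [], allowed: [], minLength: 1, maxLength: null };
  for (const prop of attr.split(";")) {
    if (!prop.trim()) continue;                                   // tolerate a trailing ';'
    const idx = prop.indexOf(":");
    if (idx < 0) throw new Error(`malformed property: ${prop.trim()}`);
    const name = prop.slice(0, idx).trim().toLowerCase();
    const value = prop.slice(idx + 1).trim();
    if (name === "minlength" || name === "maxlength") {
      if (!/^\d+$/.test(value) || parseInt(value, 10) < 1) throw new Error(`bad ${name}: ${value}`);
      if (name === "minlength") rules.minLength = parseInt(value, 10);
      else rules.maxLength = parseInt(value, 10);
    } else if (name === "required" || name === "allowed") {
      for (const cls of value.split(",").map((c) => c.trim().toLowerCase())) {
        if (!isCharClass(cls)) throw new Error(`unsupported class: ${cls}`);
        if (rules[name].indexOf(cls) < 0) rules[name].push(cls);
      }
    } else throw new Error(`unknown property: ${name}`);
  }
  // Required classes are implicitly allowed; if the site named no class at all, allow all four.
  for (const c of rules.required) if (rules.allowed.indexOf(c) < 0) rules.allowed.push(c);
  if (rules.allowed.length === 0) rules.allowed = ["upper", "lower", "digit", "special"];
  // One character per required class is unavoidable, so minlength can never sit below that count.
  rules.minLength = Math.max(rules.minLength, rules.required.length);
  if (rules.maxLength !== null && rules.maxLength < rules.minLength) throw new Error("maxlength below minlength");
  return rules;
}

// True when `pw` satisfies every declared constraint; the same rules tell a generator UI
// which controls to lock (required classes, floor on length), as the post describes.
function isCompliant(pw: string, rules: PasswordRules): boolean {
  if (pw.length < rules.minLength || (rules.maxLength !== null && pw.length > rules.maxLength)) return false;
  const chars = pw.split("");
  const hasClass = (c: CharClass) => chars.some((ch) => CLASS_CHARS[c].indexOf(ch) >= 0);
  if (!rules.required.every(hasClass)) return false;
  return chars.every((ch) => rules.allowed.some((c) => CLASS_CHARS[c].indexOf(ch) >= 0)); // nothing outside allowed classes
}

// The attribute quoted in the post, embedded here as the constructed sample input.
const SAMPLE_RULES = "required: upper; required: lower; required:digit; required: special; minlength: 10;";
```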

Thanks for the PR @mikibakaiki. I'm reviewing this feature with our Product & Design team to decide whether it's suitable for inclusion in the product. I'll post any further updates here.

eliykat avatar Sep 01 '21 00:09 eliykat

@eliykat Any update on this one?

BryceBarbara avatar Nov 18 '21 17:11 BryceBarbara

Hi @BryceBarbara, our Product team has approved this feature in principle, it's just pending code review. We've been busy lately (around release time) and have a bit of a backlog of community PRs, however I plan to set aside some time for it soon.

eliykat avatar Nov 25 '21 05:11 eliykat

Hi! What's the status of this proposal?

jff avatar Nov 22 '23 09:11 jff

@jff @mikibakaiki

I've been asked to re-review this proposal and continue discussion on the feature request.

I think that this feature request is interesting, and definitely worth pursuing. I know that one of our designers, @danielleflinn, has brought up this request a number of times, asking for viability of the effort. Initially, I had some concerns regarding accepted standards for defining password requirements. However, in reviewing the community discussion and becoming aware of Apple's efforts to establish an accepted standard, I think it's possible we consider incorporation of something like this in the near future.

For the moment, this isn't a priority for any of the teams at Bitwarden. However, I'll be bringing this up with my engineering and product managers to see if we can incorporate this feature work at some point in the near future.

Regarding this PR, at the moment at best this work can act as an archival source that we can reference. The project structure for the browser extension, and the clients repository as a whole, has changed significantly since 2021. As a result, the work required to bring this PR in parity with our master branch would be significant.

For now, I'll be closing this PR with the intention of discussing this work further with the team. Any further discussion on the feature request should be done within the community post.

cagonzalezcs avatar Nov 27 '23 16:11 cagonzalezcs