password types: definitions, extensibility

TomRoche 4 years ago • updated by Maarten Billemont 4 years ago
I have *many* accounts, too many of which have fairly arcane password restrictions--not just WRT length, but also character set. Hence I'd like more details about your password types. I see[1]
  password type               description
  Maximum Security Password   20 characters, contains symbols.
  Long Password               Copy-friendly, 14 characters, contains symbols.
  Medium Password             Copy-friendly, 8 characters, contains symbols.
  Basic Password              8 characters, no symbols.
  Short Password              Copy-friendly, 4 characters, no symbols.
  PIN                         4 numbers.
  Personal Password           AES-encrypted, exportable.
  Device Private Password     AES-encrypted, not exported.
but need (e.g.) to generate strings of alphanumerics only with length=8, or that can contain any symbol other than '<' or '>'. (I kid you not!) Hence I'd like to know:
  1. Where (presumably in the git repo[2]) are the password types defined? (I have never coded ObjectiveC but can presumably read it if I know at which file to look.)
  2. Can the password types be extended? I.e., if one wanted to make a pull request to add a new password type, how should one do that?
[1]: http://support.lyndir.com/topic/421343-how-can-the-windows-cli-be-modified-to-provide-password-types-other-than-long-and-counters-other/
[2]: https://github.com/Lyndir/MasterPassword
Under review
I understand your problem.  As if passwords in themselves weren't difficult enough to get right, having to deal with various sites' often ridiculous password policies makes things even more complicated.  Usually, ridiculous password policies such as "no < or >" and "no more than 8 characters" are the artifact of terrible security practices by the company's back-end application, such as failing to do proper sanitization or escaping of literal data when injecting user input into SQL code, or storing passwords in plain text in fixed-length database columns.

The problem is made worse with regards to Master Password because we're limited to a stateless solution.  We can't allow the user to pick and choose his own perfect password template for each site, because if we did, and the user lost that template along with the rest of his data, he would have to meticulously reconstruct his template before he could resurrect his correct site password from his master password and username.

That said, I've tried to come up with a set of password templates that are a careful balance between the vast majority of password policies and maximal password strength, while keeping the output passwords easy to copy, memorize or type using a tiny keyboard.  The result is the set of password types you mentioned in your post.

It is certainly possible to add to that set in a custom Master Password build - that's why it's free software!  To do that, you'd modify "ciphers.plist":

The data in this file is based on the algorithm as described here:

If you modify the file, you'll likely want to modify the Objective-C enums to match:

After that, just build & run and hope for the best!

If you want your changes to end up in the official Master Password app, you are free to make a pull request, but I'm going to have to sit back and think for a bit how much I really want to expand on the official list of password templates.  The thing is: if you change your site's password template from the default "Long", you have to remember that you did.  If you lose access to your passwords list and have to restart, you'll not get the right password for your site until you select the right type for it.  The more password types we have, the harder this will become.  But don't let me stop you!

Good luck!
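An added illustrative example, not the project's ciphers.plist or Objective-C code: a template-driven generator in Python showing how a password type is a list of templates over character classes, how the two policies from the question (exactly 8 alphanumerics; anything but '<' or '>') could be expressed as new types, and why the chosen type has to be remembered. The class table, the type names `alnum8` and `nobrackets12`, `demo_key`, and the HMAC-SHA256 site seed are assumptions made for this demo, not the project's definitions.

```python
import hashlib
import hmac

# Character classes keyed by a single template letter. Constructed for this
# example; the project's own table lives in ciphers.plist and may differ.
CLASSES = {
    "V": "AEIOU", "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou", "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
    "a": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz",
    # Two classes added for the policies in the question (hypothetical, not in the project):
    "w": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    "s": "".join(chr(i) for i in range(33, 127) if chr(i) not in "<>"),
}

# A password type is a list of templates; each template is one class letter per output char.
TYPES = {
    "long": ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno"],
    "pin": ["nnnn"],
    "alnum8": ["wwwwwwww"],            # exactly 8 alphanumerics
    "nobrackets12": ["ssssssssssss"],  # any printable ASCII except '<' and '>'
}

def demo_key() -> bytes:
    """Constructed master key for the demo (PBKDF2 stand-in, not the project's KDF)."""
    return hashlib.pbkdf2_hmac("sha256", b"demo master password", b"demo user", 100_000)

def site_seed(master_key: bytes, site: str, counter: int = 1) -> bytes:
    """Deterministic per-site seed: HMAC-SHA256 over site name and counter (assumed here)."""
    return hmac.new(master_key, site.encode() + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def render(seed: bytes, type_name: str) -> str:
    """seed[0] selects the template; seed[i+1] selects the character for position i.
    Caveat: a class whose size does not divide 256 picks its members slightly non-uniformly."""
    templates = TYPES[type_name]
    template = templates[seed[0] % len(templates)]
    if len(template) >= len(seed):
        raise ValueError("template needs more seed bytes than the seed provides")
    return "".join(CLASSES[c][seed[i + 1] % len(CLASSES[c])] for i, c in enumerate(template))

def site_password(master_key: bytes, site: str, type_name: str = "long", counter: int = 1) -> str:
    """Stateless property: same key, site, counter AND type -> same password.
    Change the type and you get an unrelated password, which is why the type must be remembered."""
    return render(site_seed(master_key, site, counter), type_name)

if __name__ == "__main__":
    for t in TYPES:
        print(f"{t:>13}: {site_password(demo_key(), 'example.com', t)}")
```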