Excluded characters tooltip is incorrect #11044

@mhnestler

Overview

The tooltip text shown when hovering over the "Exclude look-alike characters" checkbox in the Password Generator widget says: Excluded characters: "0", "1", "l", "I", "O", "|", "﹒", but the actual implemented exclusion set rather surprisingly also includes B, G, 6, and 8.

<string>Excluded characters: &quot;0&quot;, &quot;1&quot;, &quot;l&quot;, &quot;I&quot;, &quot;O&quot;, &quot;|&quot;, &quot;&quot;</string>

Actual exclusion implementation is done in the 5 references to ExcludeLookAlike in generatePassword() in PasswordGenerator.cpp, including:

if ((m_flags & ExcludeLookAlike) && (i == 66 || i == 71 || i == 73 || i == 79)) { //"B", "G", "I" and "O"

if ((m_flags & ExcludeLookAlike) && (i == 48 || i == 49 || i == 54 || i == 56)) { // "0", "1", "6", and "8"

Steps to Reproduce

  1. Open Password Generator.
  2. Click Advanced if the advanced pane is not already open.
  3. Hover mouse pointer over "Exclude look-alike characters" and observe the tooltip.
  4. Tick the checkbox "Exclude look-alike characters" and observe the generated password. For an easy test, try enabling only the Numbers group, set Length to maximum, and note whether there are any 6's or 8's in the password (answer: no).

Expected Behavior

The tooltip should accurately describe what the checkbox does.

I propose, in addition to listing the excluded characters, it should say something like: "Excludes these characters regardless of what character types are enabled".

Correcting this UI is the minimum fix, but perhaps the exclusion behavior should really be changed. I was surprised in 2 ways by this feature: 1st, that "6" and "8" are considered "look-alike"; 2nd, that the checkbox has any effect when only a single character group is selected (numeric). An all-numeric password loses a lot of entropy by only having six characters (when 0, 1, 6, 8 are excluded) instead of all ten digits.

Actual Behavior

The tooltip actually says Excluded characters: "0", "1", "l", "I", "O", "|", "﹒" which implies these are the only excluded characters.

The characters "B", "G", "6", "8" are excluded from all generated passwords when the "Exclude look-alike characters" box is checked.

Context

KeePassXC - Version 2.7.9
Revision: 8f6dd13

Qt 5.15.11
Debugging mode is disabled.

Operating system: macOS 14.5
CPU architecture: arm64
Kernel: darwin 23.5.0

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Passkeys
  • SSH Agent
  • KeeShare
  • YubiKey
  • Quick Unlock

Cryptographic libraries:

  • Botan 3.1.1

Finally, thank you so much for your work on KeePassXC. I have used it for years. This is my first bug report.
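The entropy cost raised in the report, worked through as an added example (not KeePassXC code and not part of the original report): it applies the two comparisons quoted above to a character range, then computes the bits lost and the extra length needed to compensate. The function names are hypothetical, and uniform selection from the pool is an assumption.

```cpp
// Added example, not KeePassXC code: models the two exclusion checks quoted
// in the issue and measures their effect on password entropy.
#include <cmath>
#include <cstdio>
#include <string>

// Build the pool for the ASCII range [first, last]; helper name is hypothetical.
std::string buildPool(int first, int last, bool excludeLookAlike)
{
    std::string pool;
    for (int i = first; i <= last; ++i) {
        // Same comparisons as the two lines quoted from generatePassword().
        bool upperHit = (i == 66 || i == 71 || i == 73 || i == 79); // B, G, I, O
        bool digitHit = (i == 48 || i == 49 || i == 54 || i == 56); // 0, 1, 6, 8
        if (excludeLookAlike && (upperHit || digitHit)) {
            continue;
        }
        pool.push_back(static_cast<char>(i));
    }
    return pool;
}

// Entropy in bits of `length` characters drawn uniformly (assumed) from `pool`.
double entropyBits(const std::string& pool, int length)
{
    return length * std::log2(static_cast<double>(pool.size()));
}

// Smallest length over `reduced` that reaches the entropy of `length`
// characters over `full`; returns -1 if the reduced pool carries no entropy.
int lengthToMatch(const std::string& full, const std::string& reduced, int length)
{
    if (reduced.size() < 2) {
        return -1;
    }
    double perChar = std::log2(static_cast<double>(reduced.size()));
    return static_cast<int>(std::ceil(entropyBits(full, length) / perChar - 1e-9));
}

int main()
{
    const std::string all = buildPool('0', '9', false);
    const std::string cut = buildPool('0', '9', true);
    std::printf("digits: %zu -> %zu (%s)\n", all.size(), cut.size(), cut.c_str());
    std::printf("20 digits: %.1f vs %.1f bits\n", entropyBits(all, 20), entropyBits(cut, 20));
    std::printf("length to match 20 full digits: %d\n", lengthToMatch(all, cut, 20));
    return 0;
}
```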

Status

Done
