Change Password suggestion settings

Bringing this back into the spotlight. I understand that our current password suggestion system is inherited from Chromium, but it really is inexcusable that in the year 2024 automatically suggested “strong” passwords include no special characters whatsoever. This issue has been brought up a few times before:

If the issue must be taken upstream, take it upstream. But allowing things to remain as they are is a disaster in the making - many people are not conscious enough to verify their suggested password is actually secure, and will use these suggested passwords for many accounts. Most people do not follow good password hygiene, and while automatic password suggestions will help reduce password reuse, these passwords will oftentimes be used for life - people do not change their passwords as they should. In a perfect world, yes, everyone would use unique, strong passwords for all accounts, and change them frequently. We do not live in a perfect world, and I think it is important to mitigate risk wherever possible. Please resolve this issue as soon as possible by either:

  1. Including special characters as part of the default password generation.

  2. Adding password suggestion settings, as is the focus of this post, which would allow users to specify the use of special characters (though I would still insist this should be enabled by default).

Brave is a browser, not a password manager. I understand. But when you include a password manager as a part of your browser and offer “strong” automatic password suggestions as a part of your browser, regardless of it being an upstream feature or not, you are accepting partial responsibility for the safety of your users who rely on these features and blindly trust them.

This issue was supposedly brought up to the Brave Security Team nearly 2 years ago, yet nothing has changed. Please take more responsibility for the safety of users.

I do not know for sure if disabling password suggestion entirely is a good idea. I fear this will only lead people to worse password hygiene in general - weak passwords that get reused often. Even in this state, what we have is better than nothing, I think. But “better than nothing” isn’t necessarily meaningful.

It has been nearly 3 years since this flaw was originally brought up. Brute forcing passwords only gets easier with time. Please do something.
