Oh i like this, although i think a label of "Advanced..." or "Extended ASCII..." would be more appropriate.

The ... indicates the button opens/reveals some more features.

Replaced FineTune button with Advanced button on the side. When clicked, it reveals advanced configurations. User can get back to simple configurations by clicking Simple button.

Added ability to create hexadecimal passwords, proposed in #1248 by splitting characters is subgroups.

Simple mode

Advanced mode

I really like this new UI, I will review in the next few days

What if I only want some specific characters among <*+!?= and only some characters among \_|-/ (as required by some programs / websites)?

If it is a frequent issue, groups should be adjusted. If it is just a couple of sites/programs, manual password edit is fine. I don't think adding more buttons would be a good idea. It would be too messy.

But what if I generate a lot of passwords, and they need to be 500+ characters (ie. encryption keys or something like that)?

Wouldn't a filter be more appropriate? Like a blacklist / whitelist pair or small input fields perhaps?

There was discussion of including a textbox where a white/black list could be applied.

Do you need this in GUI? Could this just be a CLI feature?

Yes it absolutely must be in the GUI

@droidmonkey @glubsy I've added "do not include" text input to gui and cli.
Buttons have precedence over this input. If all characters form some group are mentioned in "do not include" field, then all characters from this group may appear in generated password. It is done like that to ensure that there's no inconsistency between selected groups and generated password.

@seregaxvm this is looking great in my opinion! Thank you!

I'm still not sure about the purpose of A-F / G-Z filters though, sounds arbitrary and probably leads to less security in a sense. Perhaps it would be wise to replace those with something else... what about Unicode characters and non printable characters? That is, if it's at all possible without breaking things, since Unicode is multi-byte character encoding.

@glubsy Those are for hex passwords.

I don't understand the purpose of overriding the "do not include" entries if it covers the whole spectrum of a button. My opinion is if you put it in the do not include box, you mean it.

I would add a clear button similar to what we have in the search box to quickly remove the do not include entries.

If you hide the advanced fields, does it revert back to normal behavior?

@droidmonkey @glubsy

• Hexadecimal character buttons removed. One can generate hexadecimal passwords using "do not include" field. This is not very convenient but, as I understand, this feature is not so frequently used anyway.
• Clear button added to "do not include" field.
• "do not include" entries only applied when the field is visible. They are ignored in simple mode.
• "do not include" has precedence over buttons. Characters from this field are never in the password.
• When all characters, selected with buttons, are in "do not include" field, input is invalidated and no password will be generated.
• Added --exclude_similar and --every_group options to CLI generator.
• Conversion toLatin1 is used to calculate entropy so Unicode characters were not added.

Well this is looking very good.

Perhaps the only thing that might confuse the user is when clicking Advanced, the a-z button is shifting below, and the 0-9 button is shifting left.

Also it might be a good opportunity to add examples in the Exclude look-alike characters. I, for one, don't know which characters are targeted by this.

Awesome update!

@glubsy added tool-tip description with list of excluded look-alike characters.
The last one is from Extended ASCII group. Should "." from special group also be excluded?
a-z, A-Z and 0-9 are grouped like so, firstly, to move related buttons closer to each other, secondly, to have columns of buttons with roughly same width.

Fantastic! Thank you very much!

BTW, you are going to have to put all your commits into a branch. Recommend you do the following steps:

1. Create branch: "feature/finetune-password" at your current develop head
2. Rebase the new branch onto keepassxc/develop
3. Push to your fork
4. Change the base of this PR to your new branch

I tried this out and it worked perfectly. Recommend the following additions/changes:

The HEX button (oft requested feature) would very simply set the "exclude characters" textbox to GHIJKLMNOPQRSTUVWXYZghijklmnopqrstuvwxyz it is up to the user to select the A-Z (or a-z) and 0-9 buttons, but perhaps the HEX button could auto select the A-Z and 0-9 automatically on first press while also setting the exclude characters text field.

@droidmonkey, please create branch feature/finetune-password so I could rebase to it?

Checkboxes are hidden in simple mode. Added Hex shortcut. When clicked, it fills "exclude characters" textbox with predefined string GHIJKLMNOPQRSTUVWXYZghijklmnopqrstuvwxyz

@seregaxvm you create the branch on your own fork.

@droidmonkey I did but I'm not able to change the brunch to pull from. I only can change base brunch to commit into, but it should exist.

Crap true, you cannot change the base branch. That is fine, I can merge it right now without much issue. In the future make sure you make PR using a branch off develop.

I can change the target branch (ie keepassxc/develop) but not the base, GitHub doesnt even give me the option to try.

These are all my options. If it's possible I would prefer not to complicate things and to merge into develop. If it's not desirable, I will open another pull request.

@seregaxvm you want to merge INTO develop, so your current selection is accurate. The issue is the branch to the right cannot be changed (its locked with the PR). Its not that big of a deal, but sometimes rebasing and other actions get ugly when you don't have your PR in a new branch. IMO this is GitHubs fault for not enforcing that behavior.

I really like this PR and the new UI (my 2 cent)

This is ready for merge. Any more changes requested? I'm very happy with the results as well.

I will do a formal review very soon

Codecov Report

❗ No coverage uploaded for pull request base (develop@8391729). Click here to learn what that means.
The diff coverage is 30.76%.

@@            Coverage Diff             @@
##             develop    #1841   +/-   ##
==========================================
  Coverage           ?   62.44%           
==========================================
  Files              ?      269           
  Lines              ?    17887           
  Branches           ?        0           
==========================================
  Hits               ?    11170           
  Misses             ?     6717           
  Partials           ?        0

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8391729...9c81867. Read the comment docs.

It's great that these features are coming. Many, many sites happily accept the password during registration (containing the more unusual, non-allowed characters) but when it's time to log in, they will report "invalid password" with no further details.

I would like to suggest adding a check box called "SQL safe" that would remove things like "--" and ";" from the password. I am not sure how developers handle them. I have had trouble logging into websites after using a password generated by Keepassxc. The password is accepted at change password time, but not during login :-(

I had to tweak out certain sets of characters to get it working. This is completely the websites fault. But it would be ages before they fix it. I discovered at one site that the desktop site accepts longer passwords than the mobile version of the site. I had to use a shorter password :-(

Omg, if you are running into websites that can't handle those characters that means they are ripe for SQL injection attacks. RUN!

It is also a good indicator that the password is being stored as plain text in the database. RUN!

@lordloh You can just type ;-) or something like that into the do not include line.

You can just type ;-) or something like that into the do not include line.

The wink emoji of SQLi doom

@seregaxvm @droidmonkey Sorry I couldn't find anywhere the reason so I'm asking here. Why are the character types in the group that they are in? Seems they are arbitrarily chosen or at least I couldn't spot any real pattern. Is there any rationale behind what characters are in what group? (apart from A-Z, a-z and 0-9 which makes sense to me)

This is already merged. If you have a suggested grouping(s) please out them in a new issue.

I don't have any particular grouping suggestions. I was just wondering if there was any reason they were grouped in the way there are.

@sebast889 They are based on the personal experience with different sites password restrictions. The idea was to split Special Characters group into smaller ones. Their names are Braces, Punctuation, Quotes, Math, Dashes and Logograms.