A more advanced password generator

The current state of the built-in password generator is ‘good enough’, which is perfectly adequate to use and safe to say a 50 character password is not going to get cracked any time soon.

However, it would be nice to see more options in regards to the rules you could set for said password generation to offer a bit more entropy to the output. Such rules could include, but would not be limited to, only using a single character once, avoiding sequential characters, being able to use the full array of US keyboard characters etc.

What I use right now to generate my passwords is https://passwordsgenerator.net/plus/ but it would be very useful to see Bitwarden having similar features, so there would be no need to rely on a 3rd party password generator.

How safe is it to generate a password on this website? Do we know anything about the person that runs it?

A password generator is fundamental.

The biggest problem with generators is when you have to manually enter the password for some reason. Reading a bunch of characters and entering them causes (me at least) multiple attempts.

I therefore use a passphrase generator. This is an awesome tool (given the parameters are strong enough - let's not get into it here please).

The passphrase generator on Bitwarden is unfortunately useless. There are not enough options to actually make it safe enough to use. The given parameters (1 - yes, only 1 - separator character, and number of words) make the generator useless unless you select a minimum of 6 words. Even with 6 words (no choice of language, fake words, capitals, numbers), the generator is actually DANGEROUS because with just 2 passwords discovered and therefore the knowledge of the FORMAT of the passphrase, the entropy drops to 56 bits from an un-crackable 200-400 bits of entropy of 6 words!!

Bitwarden!!! Please just add a few simple options to passphrase: multiple separator characters, adding a number, adding a capital letter somewhere, and if possible adding a different language or dictionary like fake words. This yields passphrases that are SHORTER than 6 words but more importantly even if the pattern is discovered the entropy stays very high.

For example, 4 words, choice of only 3 random separator characters, 1 number at the end, and randomly capitalizing words, gives us an entropy of between 150-300 bits, but more importantly if the pattern is discovered we have an acceptable entropy of over 80 bits.

I think this would actually lower password quality if they know you’re using it, and in the best case, make no difference. ex: if I know all characters are unique I can make my algorithm ignore a character after using it, cutting down the number of possible passwords significantly.

As a simple example, take a look at this:
With repetition (3276): https://www.hackmath.net/en/calculator/combinations-and-permutations?n=26&k=3&order=0&repeat=1
Without repetition (2600): https://www.hackmath.net/en/calculator/combinations-and-permutations?n=26&k=3&order=0&repeat=0

A more sizeable example, a 20-character password from 70 possible characters:

With repetition allowed: 39,651,690,000,000,000,000
Without repetition:         161,884,603,662,657,876

Similar issue with sequential characters: if I know that I have an “a”, and the next character cannot be an “a”, then I know I’ve only got 25 other letters to check, rather than 26, reducing the number of permutations I have to try.

This is something I would support though, this would definitely improve security.

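A worked entropy calculation for the two arguments in this thread (how a "no repeated character" rule shrinks the search space, and how much a passphrase keeps once its format is known). This is an added example, not code from the thread or from Bitwarden; the 7776-word dictionary size and the uniform-random generation model are assumptions.

```python
import math

DICT_WORDS = 7776  # assumed dictionary size (EFF-style diceware list); not stated in the thread


def password_count(alphabet, length, allow_repeat=True, no_adjacent_repeat=False):
    """Number of equally likely passwords of `length` symbols from `alphabet` symbols
    under the rule an attacker is assumed to know."""
    if not allow_repeat:
        # every symbol used at most once: ordered selection, 0 if length > alphabet
        return math.perm(alphabet, length)
    if no_adjacent_repeat:
        # first symbol free, each following symbol must differ from its predecessor
        return alphabet * (alphabet - 1) ** (length - 1)
    return alphabet ** length


def password_bits(alphabet, length, **rule):
    """Entropy in bits = log2(number of candidates the attacker must try)."""
    count = password_count(alphabet, length, **rule)
    return math.log2(count) if count else 0.0


def passphrase_bits(words, dict_size=DICT_WORDS, separators=1,
                    capitalize=False, trailing_digits=0):
    """Entropy left when the attacker already knows the exact format, so only the
    random choices count: the words, which separator fills each gap, per-word
    capitalisation (1 bit per word) and the trailing digits."""
    bits = words * math.log2(dict_size)
    bits += (words - 1) * math.log2(separators)
    if capitalize:
        bits += words
    bits += trailing_digits * math.log2(10)
    return bits


def compare():
    """Bits lost or gained by each rule discussed above, rounded to 0.1 bit."""
    return {
        "26^3 vs unique chars": round(password_bits(26, 3) - password_bits(26, 3, allow_repeat=False), 1),
        "70^20 vs unique chars": round(password_bits(70, 20) - password_bits(70, 20, allow_repeat=False), 1),
        "70^20 vs no adjacent repeat": round(password_bits(70, 20) - password_bits(70, 20, no_adjacent_repeat=True), 1),
        "6 plain words": round(passphrase_bits(6), 1),
        "4 words, 3 separators, caps, 1 digit": round(
            passphrase_bits(4, separators=3, capitalize=True, trailing_digits=1), 1),
    }


if __name__ == "__main__":
    for rule, bits in compare().items():
        print(f"{rule:40s} {bits:6.1f} bits")
```

Under these assumptions the no-repeat rule costs only a few bits on a long password, and the extra passphrase options roughly make up for dropping from 6 words to 4.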

A better passphrase generator does seem reasonable, it’s fairly limited right now. I didn’t even realize it existed.

That said, I’d still use the password generator, as with a managed password there’s little benefit to passphrases.

I’m surprised that we’re at a point that making an 18+ character password wouldn’t be strong enough - and the BW generator goes up to 128 characters (not that most logins would allow that). I agree that an option for more keyboard characters would help, but some logins also don’t allow for those.

Am I simply not paranoid enough to think that 20-25 non-sensical characters are enough to fend off brute force?

I get that the NSA could probably do it, but at that point I might as well move into a cabin in the woods.