Assessing the risk of PIN login

Interestingly, this is exactly analogous to the risk-benefit analysis that users of 1Password would/should do when deciding on the complexity of their vault password. In Bitwarden, the cloud vault is protected by a strong master password, but the local vault cache may optionally be secured using a weaker password/PIN instead (assuming that device security is good and the probability of a targeted attack is low). In 1Password, the cloud vault is protected by a strong secret key, but the local vault cache is instead secured by a weaker vault password. It seems that many Bitwarden users feel comfortable using a relatively weak password/PIN for local vault protection, and that many 1Password users feel comfortable using a relatively weak vault password for local vault protection.

Can we estimate a lower bound for an appropriate entropy for the local password (Bitwarden PIN or 1Password vault password)? Maybe, if we assume that a determined attacker has the resources to breach either your local device or the cloud servers — in that case, the risk of vault theft will be approximately equal to the probability of attack, which should be approximately proportional to the perceived value of the stolen data. For example, if Bitwarden has around 1 million vaults stored in their database (it was around 100,000 in 2018), and if we assume that the average value of the cloud-hosted vaults is around 10× greater than the value of your locally stored vault (taking into account that the mean value tends to be skewed by a few outliers in the population), then the probability of a targeted attack against your device is approximately one-millionth the probability of an attack targeting the Bitwarden cloud servers. Thus, a rational basis for choosing the entropy of a Bitwarden user's PIN would be to make it 20 bits lower than the master password entropy (because 2^20 ≈ 1 million).

I typically recommend that Bitwarden users who are not high-value targets use a master password with an entropy no lower than 50 bits, which implies that a PIN entropy of around 30 bits should be reasonable. This is achievable using a 9-digit numeric code (if chosen at random).
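The entropy argument above, as an added calculator that is not part of the original post: it takes the post's assumption that the relative attack probability is the entropy discount (2^20 ≈ 1 million), subtracts it from the master password entropy, and works out how long a uniformly random code over a given alphabet must be to reach that target. The parameter values (1 million vaults, 50-bit master password, half a bit of slack for "around") are assumptions taken from the post, and it also handles alphabets other than digits.

```python
import math

def entropy_discount_bits(probability_ratio):
    """Bits by which the local secret may be weaker than the cloud secret,
    assuming (as the post does) that the cloud store is `probability_ratio`
    times more likely to be attacked than one specific device."""
    if probability_ratio <= 0:
        raise ValueError("probability ratio must be positive")
    return math.log2(probability_ratio)

def required_local_entropy(master_bits, probability_ratio):
    """Target entropy for the local PIN/password given the master password
    entropy and the relative attack probability; never below zero."""
    return max(0.0, master_bits - entropy_discount_bits(probability_ratio))

def random_code_entropy(alphabet_size, length):
    """Entropy (bits) of a code of `length` symbols chosen uniformly at
    random from an alphabet of `alphabet_size` symbols. Only holds for
    truly random choice, not a memorable date or pattern."""
    return length * math.log2(alphabet_size)

def shortest_random_code(alphabet_size, target_bits, tolerance_bits=0.0):
    """Smallest length whose random-code entropy is within `tolerance_bits`
    of `target_bits`; tolerance 0 demands the full target."""
    per_symbol = math.log2(alphabet_size)
    return max(1, math.ceil((target_bits - tolerance_bits) / per_symbol))

def example():
    """The post's numbers (assumed): 1 million cloud vaults, 50-bit master
    password. Returns the required PIN entropy, the entropy of a random
    9-digit code, and the digit length needed with half a bit of slack."""
    cloud_vaults = 1_000_000          # assumed, from the post
    master_bits = 50                  # assumed, from the post
    target = required_local_entropy(master_bits, cloud_vaults)
    nine_digits = random_code_entropy(10, 9)
    length = shortest_random_code(10, target, tolerance_bits=0.5)
    return target, nine_digits, length

if __name__ == "__main__":
    target, nine_digits, length = example()
    print(f"required local entropy: {target:.2f} bits")
    print(f"random 9-digit code:    {nine_digits:.2f} bits")
    print(f"digits needed (±0.5 bit): {length}")
```

With no slack the same target needs 10 random digits, or 6 random characters from a 62-symbol alphanumeric alphabet.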