Adding 4 additional characters to your Bitwarden passwords

Hi

I recently saw an article on the internet about password managers.
Even though the article said they are mostly safe, some had been hacked in the past, therefore it recommends adding a 4 character word just to make it safer.

I trust Bitwarden, but I was wondering if adding 4 additional characters to every Bitwarden password is a good idea or if it helps at all. What I mean is, I generate a secure password, I save it, but when I log into any site or app, I manually type the 4 extra characters, which aren’t stored in my vault and only I know.

Is it a good idea? Is it necessary?
Is there any remote chance of user data being compromised through a vault vulnerability?
I’m sorry if this post makes me look paranoid. I’ve been hacked before, so I decided to start using Bitwarden to generate different and secure passwords for all my internet accounts. I’m putting all the eggs in one basket, so I want to secure it as much as I can.

Thanks in advance

I’m not convinced it helps, it partially undermines the benefits of a password manager and it could become difficult to maintain in the long term.

The main point of a password manager is to protect you from website breaches by allowing you to easily manage a large number of unique complex passwords. Forcing you to enter 4 additional characters on the end of each password at login reduces this convenience and reduces the uniqueness of your passwords. If a website only allows a 12 character password then you have reduced the length of the unique section to 8 characters. And if 2-3 websites get breached then someone could guess your salt, forcing you to change all the passwords in your database.

I would focus on keeping your Bitwarden account secure. Use a strong master password and enable two step verification using an authenticator app. For extra security you can use a hardware security key, e.g. YubiKey, and enforce this for every login. This stores a unique set of alphanumeric keys which cannot be accessed externally and are far stronger than adding 4 characters which will become public at the next website breach. To avoid being locked out, it’s worth having 2-3 hardware security keys.

3 Likes

Hi Carlos,

I don’t personally do this but I know some people do and it does add an additional layer to your defences I suppose, though I’m not convinced of the necessity. It all comes down to your threat profile. By using a password manager to generate and store strong, unique passwords for every service you use, you have already reduced your risk of being compromised massively. You should protect your Bitwarden account using 2FA, and use 2FA on any account that supports it, e.g. email, social media…

Your Bitwarden vault is protected with AES-256 encryption. Even if someone managed to compromise Bitwarden’s servers, they still wouldn’t be able to access your passwords without the encryption key.

2 Likes

@anon44418554 I started typing my response before I saw yours… I completely agree. Good advice and good point about maximum password lengths on certain sites 👍

2 Likes

That’s a very good point, I’ve enabled 2FA already. I use Bitwarden (TOTP) for all my accounts and I use a separate authenticator app for logging into my Bitwarden app, so even if someone managed to steal my password, which is already strong, they’d still have to get past an external 2FA app.

Thank you

2 Likes

One additional piece of advice… I also use BW for my TOTP codes, but I use another authenticator app (Authy) for backup purposes.

3 Likes

I use Bitwarden Authenticator (TOTP) with all my accounts except Bitwarden itself, of course; for that, I use a whole different app just to log into my vault. I saw another active thread in this forum regarding Bitwarden Authenticator safety. I honestly think it’s safe as long as you keep your vault safe.

1 Like

No, I agree. I use Bitwarden as my primary 2FA TOTP app. But Bitwarden themselves advocate for using a backup TOTP service as a failsafe to ensure you never end up locked out of an account.

1 Like

My view on doing this is to only do it for passwords to accounts that are very, very important, like your bank or brokerage account. Don’t do it for accounts like this one for the Bitwarden forum! This makes guessing your password salt much more difficult (and the fact that you are even doing it)!

Think of it more as another form of two factor authentication. In that you have to add something to the password from your password manager that only you know. Like all 2FA, it has strengths and weaknesses!

Remember that unique random passwords for every site are very important. Most attacks are made on information obtained by hacks of the sites that you are logging into. (I understand that up to 30% of all websites don’t even ‘hash’ your password before they store it…)

1 Like

Wdym with backup?
Do you put the QR code in both Bitwarden and Authy when setting up 2FA?

Yes, I store my TOTP keys in both Bitwarden and Authy.
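
What storing the same TOTP key in two apps means in practice, as an added example that is not part of the original posts: the enrolment QR code carries a shared secret, and RFC 6238 derives each code from only that secret and the current time, so every app that scanned it shows the same code. The sample URI and the `enrol` helper are constructed for illustration; the secret is the RFC 6238 test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the text an enrolment QR code decodes to (otpauth key URI).
SAMPLE_QR = ("otpauth://totp/Example:user@example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
             "&issuer=Example&digits=6&period=30")

def parse_otpauth(uri):
    """Extract the shared key and parameters from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    return {
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(params, unix_time):
    """RFC 6238 TOTP with HMAC-SHA1 (the default for authenticator apps)."""
    counter = int(unix_time) // params["period"]
    mac = hmac.new(params["key"], struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params["digits"]).zfill(params["digits"])

def enrol(uri):
    """Model one authenticator app scanning the QR code (hypothetical helper)."""
    params = parse_otpauth(uri)
    return lambda unix_time: totp(params, unix_time)

if __name__ == "__main__":
    primary = enrol(SAMPLE_QR)  # e.g. the password manager's TOTP field
    backup = enrol(SAMPLE_QR)   # e.g. a second authenticator app
    # Clocks a few seconds apart still fall in the same 30-second window.
    print(primary(31), backup(58))
```

Because the code is a pure function of the secret and the clock, the backup copy is exactly as sensitive as the primary one and needs the same protection.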

I didn’t know that was possible, good advice 😄

1 Like

This shouldn’t be necessary, but I can’t deny that it would add another layer of security that could slow down certain hypothetical attacks.

Downside: This is a bit paranoid and may not be a problem for you, but if you use the same 4 characters on all sites, then this could be used to link your accounts despite different usernames / email addresses / IP addresses / browser fingerprints / etc.

If that’s a concern, you could try to come up with a system that varies the characters (e.g., just repeat the first 4 password characters or the first 4 characters of the URL).

EDIT: and before people say I’m crazy because passwords are typically hashed … the OSINT folks love matching people via their passwords, in fact they calculate huge hash tables for all kinds of salt values. Besides, site admins often f*** up the hashing (e.g., choose an insecure algorithm).

Hi Carlos

You’ve received some good advice already, but IMO what you suggest is a good idea for your most valuable and important logins, such as your bank or savings accounts.

I believe the technique is called peppering (as opposed to salting) your passwords. It certainly would provide another layer of protection should the worst happen and your vault becomes compromised.

And I do not regard taking such steps as being in any way incompatible with other advice given about how to make your vault as secure as possible.

Sooner or later, someone, somewhere is going to get their vault contents stolen. There’s already a well-documented approach as to how to phish the contents of a LastPass vault - even with 2FA enabled - which would equally apply to Bitwarden on e.g. Android. And if you were the unfortunate one to find this had happened to you, you’d sure wish you had peppered your most important passwords! The criminals would have no immediate way of knowing your passwords were peppered and would simply find that they don’t work.

Yes, they could perhaps figure it out and brute-force your pepper but that would take time and in the meantime, you’d be safe, at least for long enough to realise you’d been hacked and to change your most important passwords.

1 Like

Perhaps you might be interested to read this:

It explains pretty clearly why I am so obsessed with Bitwarden implementing U2F on Android as soon as possible!

I do this but only for super important accounts. Doing every account would be frustrating and not worth it.

I often use peppering as a way to get people over the fear of password managers and it usually does the trick. I’d rather see people use a password manager and pepper than not use a password manager at all.

But there are real-world attacks that we have examples of showing how someone could get in your vault even if you have 2FA. Along with other things like a memory dump, someone snooping at your vault while you’re away, and the general fear of “keeping all your eggs in one basket”.

Safe to assume you are referring to using Bitwarden’s TOTP when you say “keeping all your eggs in one basket”?