Android pin code needs to support non numeric keys (like the browser extensions do)

Bitwarden by using only a numeric keypad is lessening the security on the Android app. Why not open my full keyboard???

I use non numeric key for my open vault on my browser extension. However I cannot use that same key on the Android phone or tablet.

1 Like

I have to admit that would be nice, but I don’t know if its needed. You can set a 8-9 digit PIN and the “bad guy” only gets 5 guesses until you are completely log’d out. Try and guess a 8 digit numeric number in only 5 guesses!!

Is it 12345678? :stuck_out_tongue_winking_eye:

Just disable the pin code and use master password everytime

Bryan2023,

I am too lazy to enter 40 characters every single time to access my vault!

Kinda shocked at the responses considering this an important security product. I thought the idea was to make this as safe as possible not the cavalier answers I got. I’m not going to input my 57 character string of well mixed characters each time I want access.

Enough of that. What I was saying is that BitWarden needs to make their products the same across devices and browsers, as much as possible. BTW, I’m not some newbie, I spent 45+ years building highly complex and secure applications for large banks and law firms where security was number one priority.

Apologies for my off-topic comment to @OpSec earlier.

I don’t know why the mobile apps only allow numerical PINs, but I have to assume it’s a technical limitation, as Bitwarden strives to be cross-platform compatible as much as possible. I looked through the original Feature Request for PIN unlock support on non-mobile apps, but couldn’t find any clues (although I did see that the mobile implementation only allowed 4 digits at the time). A search through the Github pull requests suggests that PR #446 may be relevant, although I believe that is just for the keyboard displayed (the restriction to an all-numeric code preceded this PR); you may find additional clues by digging through the Github repos.

FYI, a Feature Request identical to yours was made in 2021, but apparently did not gain any traction.

Part of the reason for the lack of interest may be that most users consider the threat profile of their mobile device to be sufficiently well-managed that a PIN with 27 bits of entropy should offer sufficient protection against a local attack (especially since it is apparently not clear whether it is even possible to extract the local vault data from a non-rooted device), perhaps because they also lock the device itself when not in use.

Those users who are concerned about being able to maintain sufficient operational security to guard their mobile devices still have the option to unlock using their master password instead of a PIN. You are making this option much too difficult for yourself by using a random 57-character string as your master password, which is also atypical for most Bitwarden users. Such a password has 374 bits of entropy, which is overkill. You gain zero security advantage for any password that has more than 256 bits of entropy, and even 256 bits is overkill. All the additional characters only create problems (making it difficult to memorize and type the master password), with no added benefits.

Unless the total value of assets that would be lost if your vault were compromised runs in the billions, a master password providing 65-90 bits of entropy should be sufficient. A randomly generated passphrase containing 5-7 words will provide this level of security, and such passphrases can be memorized and typed out without too much trouble.

Thank you for a sane rational response to my original question. Yes, my 57 character key may be overkill, but since I’m not an expert on crypto it was my choice of out naivety. I still would like conformity across platforms if possible. Bitwarden is a great product and only wish I had it back in the early days of the Internet when passwords were short or non-existing for some sites.

1 Like