Choose the word list for passphrases

Which languages do you want to be supported?

Since the dictionary for generating usernames is in English, I’m talking about English.

On a side-note: “Unheilig” (German for “Unholy”) was a band that was very successful even in the mainstream media (*1). Perhaps see and listen for yourself (*2).

Yes, words have varied meanings in different contexts. Exactly for that reason, username generation should be based on more non-controversial words.

Restricting any words is totally dumb. More words = better security. If a word bothers some user, the latter has the possibility to change it or the whole passphrase easily. It’s complete nonsense to make anything like that. More, passwords shouldn’t take care of politics… Funny request, I think…
To conclude, I think I will make a request for more word choice by asking for an option to choose between more language dictionaries and to even mix chosen ones into a single passphrase. For example: 1 Spanish word + 1 French word + 2 English words + 1 German word. That is a better way to go for Bitwarden than the one requested here.

3 Likes

You can simply keep generating random passwords if you don’t like the initial one. I want as much randomness as possible in my random password phrases.

2 Likes

I agree with the notion that simply regenerating a random username or passphrase is a trivially simple work-around for those who object to certain words and are willing to sacrifice entropy in return for keeping their passwords and logins halal.

A long-term approach that might work for everybody is to allow Bitwarden users configure their random word generators to use one (or more) out of several available word lists. Bitwarden is currently hardcoded to use the EFF’s so-called Long Word List, but EFF has other word lists, and the original Diceware site offers word lists in many different languages. There are many valid reasons for preferring one word list over another (for example, EFF’s second “short” list is designed to be compatible with autocomplete and autocorrect functionality).

Once Bitwarden is able to support user-selectable word lists, it should be possible to crowdsource the generation of specialized word lists (similar to the GUI translation collaboration on Crowdin). This way, a group of like-minded users who object to certain words in the existing word lists could create their own word list consisting only of words they consider wholesome.

Similar feature requests were made in 2018 (Choose the word list for passphrases) and in 2020 (Passphrase generator dictionary option or use the user language as default).

2 Likes

Hello, I want a passphrase generator in Bitwarden to also use tagalog/filipino words as its passphrase. I find that Tagalog words aren’t used often online so I thought it would be great if you also add this feature. ty

Hello,
maybe it would be a good idea to create the Passphrase generator based on the language? I think it would be a huge gain in security and a competitive advantage if it were made so easy for the user to use the passphrase (English is not easy for everyone).

1 Like

I totally agree, but it should be customizable by the user and it should be made transparent how “safe” the password will be depending on the currently used wordlist. I would also like a switch, which will reduce the words to “spellable” or “pronounceable” and then show the consequence, e.g. if the original wordlist (with all those strange words, which nobody uses) contains something like 70,000 words and the reduced wordlist only contains 5000 words. It just needs to be made directly transparent, how much “weaker” the passphrase will get, if the reduced wordlist is used or how many words would be at least recommended for the given/chosen word list.

I think the best way would be if the user could use checkboxes for different languages and different complexities, e.g. if there are different languages to check (e.g. Spanish, English, French, German, … ) and additionally you can always check/uncheck if you want to use the full list or a reduced list (only words, which are really used). Somewhere could be a counter, showing how many words are within the resulting selection and how good the “baseline” safety is, which comes from the number of words.

However, I would love it if I could use a German wordlist, as it is my mother language. This would make it a lot easier to remember passphrases initially…

1 Like

Would love to have an option to change the language of the dictionary as well. There is a Portuguese dictionary available here: (GitHub - thoughtworks/dadoware: Brazilian-Portuguese word list and instructions booklet for Diceware)

Chiming in to say that I, too, would like to use a custom wordlist. I don’t want to just switch languages. I want to use custom wordlists. The EFF wordlist has been dumbed down to be inoffensive, which reduces security. What’s wrong with me throwing in some profanities and maybe some Klingon words into the mix? These are my passwords, after all.

How? That the word list itself is known is assumed. The content of a given word list is then immaterial provided it follows no traceable pattern between words.

Any available profanities should be left to the random generator to select. If a sub-set of content is non-random then security is indeed reduced.

I sympathise with those who would find a pass phrase in their own language more memorable. Even in my own case, I spell some words differently from EFF (note the second word of this paragraph). Loadable word lists appear a relatively simple change also.

I guess a disadvantage is that it opens the door wider for people to choose weak or non-random lists. Still, there could be a warning on list change, so have my vote.

In two ways: firstly, by eliminating so-called ‘offensive’ words from the list, you are reducing entropy. Granted, 7000 words vs 7010 words might not be a huge difference, but 7000 words vs 9000 is a different story. A certain user above me also suggested removing so-called ‘negative’ words like ‘avenge’ and ‘unholy’. I’m on the other side of this argument. Those words should be included — and even stronger ones.

Secondly, the presumption that a wordlist is known ahead of time is already erroneous. A custom word list does not need to be known by anyone except the person who creates the word list. Someone might choose to build a personal wordlist made up of an arbitrary selection of languages (maybe not even languages he speaks) to add further complexity.

I don’t think that allowing users to supply custom word lists is less secure. A user who wants to use a weak password will use a weak password regardless. He might not use the password generator at all, or he might tone it down from 3 words to 2, or to 8 characters instead of 24.

The length of the EFF word list is not limited by the availability of inoffensive words, but is constrained only by the number of faces of a cube.

Firstly I neither assumed nor suggested a change in number of words in the list. I said list content (the words) is essentially immaterial given no internal patterns.

There is basically no such thing as a “stronger” word unless it is not a word but a random string. If the attack is based on a dictionary, all word lengths >3 are the same. For the rest you appear to be seeking security by obscurity of your word list. I use a very long word list but that is for more options, a little more entropy, not because I hope the list is unknown.

I am more concerned with the person who invents their own list, thinking it more secure whereas human selections are simply not random. Pass word or phrase length is their own foible, not my topic here.

A reminder that I voted for this change, for the user-convenience reasons I explained.

Hundreds of comments… hundreds of replies, a lot of votes but I don’t see any progress on this topic… why can I not provide a diceware wordlist with German words for example and just use this… it would be easier and - even more secure - as German is less common than English in general.

Is there any plan to address this someday? It was posted 2018… 6 years ago. And it is not even on the roadmap…

But just for understanding it better: this is important for using the EFF list (or other such lists) for actually rolling dice, right? - For a “computer passphrase generator”, the number of faces of a cube… I mean, e.g. Bitwarden’s passphrase generator doesn’t “roll the dice” for each word (with result “1 - 5 - 4 - 1 - 5” or something like that) and choose the words by that, or does it? (and if not: wouldn’t a longer word list then be no problem?)

The EFF word list (and others like it, inspired by the original Diceware list) is designed to be compatible with entropy generation using dice rolls.

For passphrase generators using a CSPRNG to produce entropy, the length of the word list could be arbitrarily long or short. For example, The Little Password Helper uses a list of 11,500 words, and 1Password’s generator has 18,328 words.

Bitwarden chose to use a well-designed, open-source word list for its passphrase generator, and it happened to be one that is also designed to be used with dice (hence having a length 6^5 = 7,776). There are evidently technical reasons why they are reluctant to change it (I recall seeing a comment to this effect posted by @kspearrin some time ago, but unfortunately I have been unable to dig it up again). My speculation is that it may be related to the use of fingerprint phrases for identifying accounts and devices; there is apparently some reason why the word list must remain backwards compatible with the previously generated fingerprint phrases (perhaps they are stored internally in a coded format, like the 15415 example given above?).

It should still be possible to implement alternative word lists (at least ones that have a length equal to that of the current list), but I don’t think that undertaking would be as simple as one might first assume.

1 Like
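The two ideas discussed above, an entropy counter that tells the user how much weaker a reduced wordlist makes a passphrase, and the relationship between a CSPRNG-driven generator and the 5-dice codes of a 7,776-word diceware list, can be shown together in a few lines. The following is an added example written for this thread; it is not Bitwarden's code and not the EFF list. The twelve-word list is constructed, and the function names are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed stand-in word list; a real diceware list has 6**5 = 7776 entries.
SAMPLE_WORDS = [
    "abacus", "bamboo", "cactus", "dagger", "eagle", "fossil",
    "glacier", "hammock", "igloo", "jigsaw", "kettle", "lantern",
]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy for word_count words drawn uniformly from list_size words."""
    if list_size < 2 or word_count < 1:
        raise ValueError("need at least 2 words in the list and 1 word in the phrase")
    return word_count * math.log2(list_size)


def recommended_word_count(list_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def index_to_dice(index: int, rolls: int = 5) -> str:
    """Map a 0-based index into a 6**rolls list to a diceware code such as '15415'."""
    if not 0 <= index < 6 ** rolls:
        raise ValueError("index outside the dice-addressable range")
    digits = []
    for _ in range(rolls):
        digits.append(str(index % 6 + 1))  # die faces are 1..6, not 0..5
        index //= 6
    return "".join(reversed(digits))


def dice_to_index(code: str) -> int:
    """Inverse of index_to_dice: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for ch in code:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(words: list[str], word_count: int, separator: str = "-") -> str:
    """Pick word_count words with the OS CSPRNG.

    secrets.choice selects uniformly without modulo bias, so the list may be
    any length; the 6**5 constraint only matters when physical dice pick the index.
    """
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for size in (7776, 5000, 70000):
        print(f"{size:>6} words: 5-word phrase = {entropy_bits(size, 5):.1f} bits,"
              f" need {recommended_word_count(size, 64)} words for 64 bits")
    print("dice code 15415 addresses index", dice_to_index("15415"))
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Run as a script, the counter shows that dropping from 70,000 to 5,000 words costs roughly 19 bits over five words, and that the 5,000-word list needs six words where the 7,776-word list needs five to clear 64 bits. The dice helpers show why a dice-compatible list has exactly 7,776 entries while a generator that draws indices from a CSPRNG has no such limit.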

You could have an option to use the bip39 word lists, and these also support multi language. That would be an ideal solution.

I personally don’t need custom wordlists. A curated list of word lists (best practices per language) is perfectly OK.

Some examples for inspiration:

https://diceware.readthedocs.io/en/stable/wordlists.html

https://mko.re/blog/diceware-nl/

https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline

But there are many more.

Word-based passwords are great - but if I can use my language dictionary (Polish) - this will be a game changer for me (and I suppose that many people can say the same about other languages)

Does the Bitwarden development team sometimes read the community messages? Could we have a reply from anyone working at Bitwarden to at least know if that’s something they at least talk about?

1 Like