Do you think you should change your master password, say after a year?

Hi,
I’d be more than reluctant to change my master password. ChatGPT said I should do it after a year. But I’m not convinced. The thing also says that it should be at least 16 characters long.
Mine is a little shorter (not a lot), and the Bitwarden strength test page says it would require centuries to be forced.
What do you think? Do you change it yearly, for example? It would surprise me. Once you’ve found a good password you don’t want to change it. It’s always possible to add some characters, of course.

BW changed my internet life, it made it lighter, easier. A fantastic tool.

Last minute: I’ve decided to add 3 more characters. Not a big deal, giving a little more margin. Easy to do. My master password is super strong. I’m not worrying.

Please don’t take security advice from ChatGPT!

  • No, you should not change your master password, unless you have reason to believe that your master password has been stolen or leaked (e.g., if you get notifications from Bitwarden that a login attempt did not succeed as a result of failed 2FA).

  • No, the strength of your master password should not be evaluated based only on the number of characters it contains. A completely random number sequence consisting of 16 digits (e.g., 9052754832154531) or a string of 16 random characters (e.g., 2Tyvu9!Oyh%7mT#O) would make for sufficiently strong master passwords to your vault, but nonrandom sequences (e.g., 1 (312) 867-5309 or FootgearStruggle) would make for very weak/unsafe vault passwords, even if they are 16 characters in length.

Also, please don’t take security advice from so-called password “strength” calculators (even Bitwarden’s own)! They don’t work, and should be used for entertainment purposes only.

To properly secure your vault, use a random passphrase generator (e.g., the one provided in Bitwarden’s apps and browser extensions), and generate a random passphrase consisting of 4 random words. Write it down on your Emergency Sheet, and then memorize it. Set your Bitwarden master password to be this random 4-word passphrase, and then don’t change it unless you have good reason to believe that the master password was compromised.

1 Like

You should worry! Unless your master password is random, and produced with the help of a cryptographically secure pseudorandom number generator (CSPRNG) or a true entropy source (such as dice rolls).

I would add that a change in master password recommendations would also be a good reason to change it (e.g. (example!) when in a few years the recommendation is to have a 5-random-word passphrase or something like that).

Maybe, but more likely, the recommendation will be to update your KDF settings, not your master password.

1 Like

Thanks for your answers. I understand what you mean. But no, I absolutely do not worry about the password. It took a lot of time to make it strong; the characters are unpredictable, and at the same time it is based on words, somehow, so I can remember it when typing it. I can’t show it to you here, of course. I’m absolutely certain it’s very strong even though it was made by me. Maybe a future super-powerful computer will be able to find it, not for now.
Do some people type that secret phrase instead of the password? Is that possible? It sounds weird to me.

That’s the problem here.

Of course, the master password should be easily memorable. That’s one reason why passphrases are recommended (like “corroding-jockey-untwist-detective”, just generated with the Bitwarden generator).

It sounds really worrisome that it took you a long time to make it strong, that the characters are unpredictable, and that at the same time your 16-character password is based on words. Humans are really bad at “creating randomness”. That’s not my opinion, that’s science.

As @grb wrote before, since 16 characters is too short for a 4-random-word passphrase and would only allow a length of 2 words, you cannot choose a passphrase if you want to “stay” with 16 characters; your password then should not contain any words, but should look something like this: 4TEsQMmw#Oc$l@S8 (16 random (!) characters, generated by the Bitwarden password generator).

Well, according to what you have written about your master password, there is not much basis for that absolute certainty.

It is way more secure than your master password setup (again, if we are speaking about a passphrase of at least 4 random (!) words as the comparison).

Hi Nail.
I have a lot of years of experience with computers behind me. I have a certain background, fortunately. Of course it’s not the case for everyone.
My password looks like your example. Don’t worry for me. Bitwarden didn’t generate it. I did.
BW generates all my other passwords, of course.
I thought a lot about the question and built it in order to get a good strong password.
Many people have no idea what it means, and I understand why you warn me.
I’ve been using BW for one year now; it’s an awesome tool, as you know.
I tried to convince friends and some pals to use it, without success. I stopped insisting :slight_smile:
It’s not possible for everybody, sadly. It’s a fact. It’s a question of experience with all this.

Well, @misterp, I can see that there will be no convincing you, and of course you are an adult, so you have every right to make your own poor decisions.

Just for the record, it is an incontrovertible mathematical fact that your vault password will be easier for an attacker to crack (by brute-force guessing) than any randomly generated password of similar length. In addition, because you are using a human-created password, it is impossible for anybody (not even Bitwarden’s “password strength” tool) to determine exactly how fast an attacker would be able to guess your vault password — therefore, you will never know whether your password was crackable until it’s too late (i.e., after you find out that somebody has compromised your vault contents).

I don’t expect you to understand or agree with what I have written above; I have written it mostly for the benefit of other forum participants who may read this thread.

The only request I will make of you, is to please do not dispense security advice to other individuals! It is acceptable for you to jeopardize the security of your own vault, but it would not be ethical for you to put other people’s sensitive data at risk.

Thank you!

1 Like

GRB, wait. I’m not a native English speaker. If I summarize the thing well, it’s that according to you I can’t have created a sufficiently secure master password by myself. Impossible! (At least it’s not guaranteed.) And that only a password created randomly by Bitwarden would be. Even if I had respected all the criteria: length, unpredictability of characters, special characters, numbers, uppercase, lowercase. And I told you that my password looks like your example. But that’s not right; your reasoning is extraordinary. Okay. And I mustn’t give advice! I didn’t come here to give advice. You, on the other hand, yes, and you judge that my password is not okay without knowing it. Great. I can see how people can feel offended and get easily angry on forums. But I’m not like that. It doesn’t interest me. I read your opinion and also felt a certain contempt and feeling of superiority. By talking like that to me you certainly cannot convince me… I naturally want to say unpleasant things about you. Logical. Anyway. It’s clear that you don’t want to convince me, otherwise you would say it differently. Anyway. When I came here last year as a newbie, I found you nice and your advice useful. This time it is different. So, that’s it. Bye-bye.

You received two responses from very knowledgeable individuals, attempting to warn you about what you are doing. In each case, you responded saying that you are certain that we are wrong, and that you know more than @Nail1684 and me. This made it very clear that you are not the type of person who is open to being corrected when they are wrong. Because there are many users on the forum who need help, it is not practical for me to try to convince everyone who has an idée fixe about some cherished misconception.

And for the record, my previous responses (and this one) were not intended to be hostile, only matter-of-fact. I am happy to provide advice to anyone who is open to learning (including you, if you change your mind).

Okay, let me think about this. To summarize: I’m annoyed by a guy I don’t know, who doesn’t know me either, with whom I occasionally exchange on a forum. WOW. That’s the magic of anonymous exchanges on the internet. It’s ridiculous. So I’ll reread the thread in a few days and think objectively about what was said, including by me. I may have said something stupid, I don’t know. A misunderstanding is always possible, especially in a non-native language. For the moment I don’t see any point in changing the password that I have worked out with great care, that I have been typing for a year, and in which I of course have 100% confidence. I’m told I’m wrong, which sounds super weird to me and totally incomprehensible, but okay, okay… If I understood well, the point would be that a human just cannot create a reliable password. But okay. I will reread.

That’s the point @grb is making: any randomly generated password will always be stronger than one made up by a human brain. That’s what psychology tells us.

But you insist on the contrary. And that is why he asked you to refrain from giving that kind of bad security advice here.

And, in my opinion, he is entitled to ask you that in these forums. Check his activity history and you will quickly get an idea of how many hours he has spent in these forums giving good advice to many people.

And If you do not want to check by yourself, I will tell you: A LOT.

1 Like

Allow me to offer a different perspective

It is perfectly possible for a human to pick a good password. And, if one has a good password and there is no suspicion of compromise, there is no need to ever change it – at least until the definition of “good” changes.

What is not possible is to know if the password is actually good. There are two reasons for this:

  1. Humans are predictable. We tend to capitalize the first letter, put punctuation at the end, replace “e” with “3”, etc. Bad guys know this and take advantage of it to first try passwords that fit our bad habits.

  2. Objectively measuring the strength of a password requires knowing the algorithm so one can calculate the number of possibilities. For example, if the rule is 3 random letters, there are 140,608 ( = 52 x 52 x 52) possibilities.

Putting these together, it becomes impossible to count the possibilities when a human comes up with a 3 letter password because we will throw some of them out. It is this inability to measure the search-space that causes @grb to say that there is no way to know that a human generated password is good.

And, a strength tester is useless because it must guess at the algorithm used to generate the candidate password. Here is an example of Bitwarden’s getting it wrong. I didn’t create a “strong” password; I just managed to be predictable in a way that Bitwarden did not consider.

3 Likes
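To make the search-space arithmetic in the posts above concrete (52^3 = 140,608 for three random letters; 16 random digits versus 16 random mixed characters versus a 4-word passphrase), here is an added Python example. It is not code from the original thread or from Bitwarden; it uses the standard library's `secrets` module as the CSPRNG, and it assumes a 7776-word list and a guess rate of 10^10 per second, neither of which the thread states. The embedded word list is a constructed sample. The "2 capitalised dictionary words" row models the human habit @denbesten describes: a password like FootgearStruggle is drawn from (word list size)^2 candidates, not 94^16, however many characters it has.

```python
import math
import secrets
import string

# Constructed sample word list for the passphrase generator; a real list,
# such as the one Bitwarden's generator draws from, has thousands of entries.
SAMPLE_WORDS = ["corroding", "jockey", "untwist", "detective",
                "footgear", "struggle", "harbor", "lantern"]

# Assumption: a 7776-word list (a common diceware size). The thread does not
# state how large Bitwarden's list is.
ASSUMED_WORDLIST_SIZE = 7776

# Letters, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols.
MIXED = string.ascii_letters + string.digits + string.punctuation


def search_space(alphabet_size: int, length: int) -> int:
    """Number of outputs when each of `length` positions is drawn uniformly
    from `alphabet_size` symbols, e.g. search_space(52, 3) == 140608."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space. Only meaningful for a uniform random
    generator; a human-composed password has no rule to plug in here."""
    return length * math.log2(alphabet_size)


def worst_case_years(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole search space at an assumed guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def random_characters(length: int, alphabet: str = MIXED) -> str:
    """CSPRNG-backed random string, like the thread's 2Tyvu9!Oyh%7mT#O."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 4, separator: str = "-") -> str:
    """CSPRNG-backed passphrase, like corroding-jockey-untwist-detective."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_structures() -> dict:
    """Entropy of the generator rules discussed in the thread, plus the
    'two capitalised words' pattern a human might produce by hand."""
    return {
        "3 random letters (52^3)":        entropy_bits(52, 3),
        "16 random digits":               entropy_bits(10, 16),
        "16 random mixed characters":     entropy_bits(len(MIXED), 16),
        "4 random words":                 entropy_bits(ASSUMED_WORDLIST_SIZE, 4),
        "2 capitalised dictionary words": entropy_bits(ASSUMED_WORDLIST_SIZE, 2),
    }


if __name__ == "__main__":
    for rule, bits in compare_structures().items():
        years = worst_case_years(bits, 1e10)  # assumed 1e10 guesses/s
        print(f"{rule:32s} {bits:6.1f} bits  ~{years:.3g} years")
    print("example password:  ", random_characters(16))
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
```

The years column is a ceiling on attacker effort only when the password really came from the stated generator; for a password composed by hand there is no rule to feed into `entropy_bits`, which is exactly why the thread says its strength cannot be measured. Bitwarden's KDF settings (mentioned later in the thread) scale the per-guess cost, which multiplies the time figure but does not change the bits.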

… the password generator of KeePassXC gets such cases a bit better, I think (one of the reasons why I still like that generator, and because it shows the entropy):

That said, all such strength testers have their weaknesses, as I understand it. If they are used at all, then with caution. (and I don’t want to say, that KeePassXC’s generator is “perfect”)

And if we used them as they are “meant” to be used, then we (or they) could only estimate randomly generated passwords with them. Strictly speaking, every password we “devised ourselves and enter into a strength tester tool” has to be considered non-random… And as the entropy calculation is based on a randomly generated password, it would be best to consider non-randomly generated passwords as having 0 (zero) entropy (or at least no reasonably calculable entropy).

Maybe there are some borderline cases (e.g. if you have a website not accepting one specific special character: changing one special character for another one in an otherwise randomly generated password might be okay), but that’s the general direction.

Please correct me if I’m wrong.

Hello Denbesten, thank you very much.
Thank you for your enlightenment. Yes, you are absolutely right.
I understand what you say.
Personally, I am aware of those biases that we have as humans. I spent a lot of time thinking about the question and documenting myself. (I began to use computers as a programmer 40 years ago.)
For the definition of my password, I proceeded by “several touches”: complicating, omitting, and other tricks, but I cannot give details, of course.
I didn’t just make character substitutions; in fact some people without any background or knowledge of all this might believe that their password is strong when it’s not. Sure. I agree.
If I showed you my password you would understand, but I can’t, of course.

When I type my password I think of things I defined in clear text at the start but that I made totally opaque; the basis, the root, is really impossible to guess. I think so, of course.
“But that’s what you think, you might be wrong”
okay okay

I can’t show you my password.
I think it’s maybe because I was talking about adding characters that some people thought I was simple-minded about the conception of my password. I understand.
The idea was instead simply to add even more difficulty and time required for a brute-force attack. We can read a lot about quantum computers in development now.
I’m almost certain that one day super-powerful computers will be able to break almost any reasonably long and complex password. Not for now, hopefully.

Okay, Nail1684.
Merry Christmas to all of you

Okay, kpiris.
Yes, GRB is very competent. I know that.
I’m not here to give any advice. Absolutely not.
Have a good Sunday if possible.

(emphasis my editing)

Seems you have a lot of experience and indeed put a lot of thought to that.

Let me just say this (obviously without meaning either you personally or “your” password, because I can’t know either): there are at least two ways to a “bad password”:

  1. To not think about it and making “dumb” mistakes/passwords (we all know that)
  2. To think a lot about it and try being “clever” (I think we all know that as well) :sweat_smile:

The “beauty” of randomness is that there is no “basis” for your password, no hidden patterns, “rules”, “algorithms”… really nothing to guess there (or rather nothing to be deduced or “found out behind it”, just randomness).

Usually those hidden basis/patterns/rules/algorithms in “cleverly” composed passwords are far more predictable or rather more “transparent” than one thinks… especially for modern computers, AI, …

Let me end with this: it took me some time to accept that a “generator” may be better here than I myself. It hurt me as a human being. :melting_face:

But of course, you still have to decide for yourself. We can’t do more than explain it as best as we can.

PS: Ah, and Joyeux noël! :christmas_tree:

1 Like

Yes, I understand. The generator is better than me for that. Undeniable.
I agree completely.