Do you use password strength indicators? Complete this survey!

We value your feedback! To improve the Bitwarden Password Manager password creation process, we are looking at adding a password strength design to the Generator and the Login item type views.

View a design concept and provide your feedback here.

As always, thank you for your time and support!

Edit: Responses for this research are now closed. Thank you all for your time and participation. I will update this topic if additional feedback is needed.

3 Likes

Ugh… I’m sorry to say it, but I am very disappointed that Bitwarden is contemplating going down this path… :-1:

Unless I have misunderstood something, this is a tool that would allow a user to enter a password, perform analysis based on bad math and invalid assumptions, and then spit out feedback like the following:

[screenshot of the proposed strength-indicator feedback]

Why would you want to create a tool that misleads users, and that strays from known fundamental principles of password security? This will dilute Bitwarden’s brand as a security-focused password manager.

I frequently have to educate Bitwarden users about the dangers of relying on these types of calculators, but I’m dismayed that Bitwarden staff now seem to need such an education!?

I would strongly encourage everybody involved to carefully read the discussion in Comment #28 through Comment #37 in the relevant feature request thread — especially Comments #36 and #37.


In addition, the survey itself does not seem to be well thought-out. For example, in response to the question “Which of the following best describes your process when creating passwords?”, the only selectable options (except for “Other”) are the following:

  • I come up with a unique combination or phrase that is easy for me to remember
  • I use a random password that my browser or password manager suggests
  • I open a password generator tool to generate a password to fit my needs and then memorize it
  • I reuse a password I already can remember

None of these correspond to the best practice:

“I open a password generator tool to generate a random password to fit the requirements of the website, then store it in my password manager.”

The available options make it seem like the survey is geared to individuals who are not currently users of any password manager — and why would that be the population from whom you’d want input for designing a tool for Bitwarden users?

2 Likes

Hi @grb. Thank you for your feedback. We have several user requests to add a strength indicator to the Generator and the Login password fields. The goal of this strength indicator is to leverage logic already used by Bitwarden (similar to that in the Weak Password report) to help guide users to create (and hopefully randomly generate) stronger passwords, without requiring them to run a report.

As a reminder, the work here is a concept shared to gather feedback. I appreciate you taking the time to provide yours here; we’ll review the linked discussion and consider it while continuing to iterate.

I will also note the survey was designed to gather feedback from both existing Bitwarden users as well as users who may not yet use a password manager.

@dflinn Thank you for taking the time to respond. I hope that you (and anybody else involved in the development of this feature) will read the discussion that I linked above, and take it to heart.

The zxcvbn tool currently used by Bitwarden is slightly more sophisticated than some other calculators out there, but all such tools (tools based on analysis of user-supplied passwords) are fundamentally invalid, and will more frequently than not produce misleading results. The only valid way to determine password strength is to estimate password entropy based on the user-selectable settings that have been configured in the password generator (e.g., character sets and password length). An example of such a tool is the password strength calculator from the PasswordBits.com site. If the user enters their own typed password instead of using the generator, then the only feedback they should receive is a warning that their password may be weak (because its entropy is impossible to determine).

However, even if the entropy (essentially, a measure of the number of possible permutations that a password cracker would have to test in order to find the user’s password) has been correctly estimated, it is impossible to translate this into a valid judgment about whether the password is likely to be crackable or not, because the results of such analysis can vary by multiples of many billions, depending on what assumptions are made (and assumptions that may be valid for one password are not going to be valid for other passwords).

For example, Bitwarden’s current password strength calculator assumes that an attacker will only be able to test 10,000 password guesses every second. At this rate, a password that is a random 15-digit number (e.g., 291630688660687) would take an average of 1585 years to crack, and would presumably earn a rating of “Excellent” from the new tool — Bitwarden’s current password strength calculator assesses it as “strong” and claims it would take “centuries” to crack.

The problem with this conclusion is that a real hacker who is using a single high-end GPU (costing $2000 or less) is not limited to testing only 10,000 password guesses per second (the hash rate assumed by Bitwarden’s tool). If the website where the password hash was leaked from used MD5 hashing, then password cracking can be done at a rate of 164 billion guesses per second — which reduces the average time to crack to less than one hour. So, should Bitwarden really be in the business of telling this user that their password is “Excellent” and that they have achieved “maximum password strength”? :thinking:

1 Like

I strongly believe too that everything other than entropy is not sensible - and users have to get used to it. Info about a reasonable entropy range for a password and the limitations of its estimation would be best. I think @grb wrote it already, but I want to emphasize it [PS: in the following text I elaborate on mainly one point which I think is often overlooked]: I think a lot of people still use personal information (presumably because they assume they can retain it more easily in memory) for creating their own passwords. And here I agree completely with @grb: entropy is nonsensical here (but I think most of the entropy estimation tools don’t take that into account…).

Simple example (completely fictional): Let’s assume my name would be Jonathan, I would be born in 1975, and my main hobbies would be football and cooking. My favourite movie would be Lord of the Rings. - Now I choose “Jonathan1975-football-cooking-LordoftheRings” as my super secret password. And in my social media every bit of this information about me could be found by strangers. The Bitwarden password strength tester already shows me “strong” and “centuries”, which are both absolutely misleading. [Okay, the password is at least long. I’m a lay person - I don’t know how fast hackers could get to the “solution” here in my example. But it would certainly not be a really strong password.] And there is already no info on this site that personal information should not be in a good password. And the only hint to “randomness” (!) is in “How do I create a strong password? - Try the Bitwarden password generator.”

2 Likes

Yeah, I generally agree with what grb and Nail1684 have already mentioned. My distinct cringe about what is being proposed is, when an authority, especially BW, puts out nonsensical ideas about password security, it’s really hard to get them out of the user’s head. “Hey, look, such and such (special cringe when from a PWM) says my password is secure!”

To increase security, I’d suggest people use a random password. It seems that PWMs should push this to the max extent, however they want to retain friendliness/usability. PWMs should definitely not propagate wrong ideas that are already all over the web.

That’s quite an understatement. The key value proposition of using a password manager is that it frees you from the constraint of having to remember passwords, thus opening up the ability to use random passwords.

A serious password manager should have a natural and simple work flow for creating random passwords, and put up barriers that discourage users from using anything but randomly generated passwords.

For example, when creating a new login item, the password field should pre-populate with a randomly generated password. There could be a button (similar to the current :arrows_counterclockwise: icon) to allow you to adjust the generator settings, but if you’re happy with the default settings, then no user interaction should be required to create a password. Conversely, the password field could have a :pencil2: button/icon for editing the password, which should first pop up a modal that warns the user (“Are you sure that you want to manually edit the random password? Manually edited passwords tend to be weak.”), forcing the user to click Yes before they are allowed to store a non-random password in Bitwarden.

1 Like

grb, I might put your last point more strongly.

In another thread there was discussion about modifying special character sets to cater for constraints at different sites. That should be the only user-modifiable element, and entropy calculated based on actually selected parameters. If the user then wants to modify the generated password in any other respect then I am inclined to agree with your view that “password difficulty” indicators should be removed.

“Time to crack” should not be stated at all, one reason being that you are talking about a probability, not a baseline. A summary or a link could be provided to discussion of that topic, as a general guide. There are some fair ones around the internet.

I think if a website/app allows longer passwords and you never have to type a password by hand, there is no reason to use 14-character passwords, which have an entropy of just 86 bits but are considered to have maximum password strength by this proposed password strength indicator. Why not use passwords consisting of 42 upper and lower letters, digits and special symbols, which have an entropy of 257 bits?

The fact that Bitwarden uses 256-bit encryption has nothing to do with the passwords you save on websites. Also, even 14-character passwords are perfectly adequate if they have been randomly generated by Bitwarden. “Just” 86 bits of entropy is more than enough for almost anything.

1 Like

First,

Either I care about this account or I don’t. If you badger me to make an account, I will use a throwaway email and “1234” because you made me do it; now it’s your problem. If I do, I will use a different email, a generated password, usually 16 characters, caps, lower, numbers, signs and no ambiguous chars, generated by Bitwarden, almost always backed by TOTP.

“Strength” is irrelevant for me. I don’t come up with passwords, what’s the point. Bitwarden has 650 passwords for me, plus a couple other hundred in various browsers. I am never going to remember those.

I don’t come up with passwords. I either give you one of the 3 reused demo passwords and “Jim” as a name or you get a generated one.

Second,
I agree with the above take that complexity indicators are only good for grannies. Unless you boast a dictionary in all languages, the complexity indicator does little to protect against a dictionary attack. My name won’t be in the dictionary, which is VERY weak. Same for birthdays, reused numbers, reused passwords, etc.

All it does is give a vague indicator of strength that is useful for beginners, which is not the target demographic of Bitwarden. If I went through research, looked up what a password manager is, looked up the safety records of others and decided to go with an open source password manager, I probably know how passwords work already.

Whenever I have shilled this to anyone, I have explained that the best way to do this is to press “+”, make a user/pass in Bitwarden and fill it, rather than save a password you make.

Who is this for?

If there’s a setting for it, I’d set it to off.

2 Likes

Off-topic advice: you may want to reconsider the above practice, as there is a small risk that it could cause you problems (as I’ve explained here).

The rest of your comment is spot on. :+1:

Hi all!

Thank you again for providing feedback on the initial concept. The team has reviewed the feedback and adjusted the design accordingly.

We are planning to focus on just the Add/Edit Item view for this work, using the existing strength calculator mentioned above.

The goal of this design is to help educate users who are new to password management / good password hygiene on how to create secure passwords: use a generator.

In this design we’ve:

  • Removed the strength indicator
  • Adjusted the field help text to drive users to the generator
  • Removed the “maximum strength” copy

Below is an example of what this might look like in the extension.

Thank you for sharing the progress. It is a marginal improvement, but if you are still providing an assessment of password strength based on what the user has typed, then you have largely misunderstood the concerns expressed in this thread. If I have misunderstood the screenshot, and if the feedback is in fact based on the choices made in the password generator, then why are the messages not shown on the generator screen instead of the main Edit screen?

If this is really your goal, then you should detect if a user is manually entering or revising text in the password field, and if so, show a single message (regardless of the output of the zxcvbn calculator):

Warning: User-entered passwords may be insecure! Use the generator to create a secure password.

You should also be able to detect when passwords have been imported, in which case you can adjust the message to read:

Warning: Imported passwords may be insecure! Use the generator to create a secure password.

Clear the messages when replaced by a randomly generated password or passphrase.


Edited to Add:

To see the futility of feedback like “Very weak”, “Weak”, “Okay”, or “Excellent”, consider the fact that a randomly generated character string like ;M@(d{OA has 50 bits of entropy and is therefore sufficiently strong to make an uncrackable vault master password — yet the zxcvbn tool assigns it a score of only 2 out of 4! Presumably this would translate to “Weak” or “Okay” in your feedback scheme.

Conversely, zxcvbn rates the strength of the 3-word random passphrase hacked-figment-provoking to be 4/4 (presumably “Excellent” in your proposed scheme). However, if this password is for an account with a service that hashes their passwords using MD5, then it can be cracked in a few seconds (using a single GPU in an off-line attack)! An off-line attack using a modest cracking rig with 4 GPUs could crack this password in less than 1 week even if it was hashed using bcrypt(MD5), or in less than a year if it was a Bitwarden master password hashed using the OWASP-recommended KDF (600k iterations of PBKDF2-SHA256).

The above doesn’t even touch on results produced by zxcvbn for user-entered passwords. It will give a 4/4 score to eeney meeney miney moe and even to Call me Ishmael (which was shown in an experiment to be cracked in just 0.670 seconds in an on-line attack against a crypto wallet using this passphrase).

1 Like
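As an added worked example (not code from this thread or from Bitwarden), the calculation grb describes: entropy from the generator settings alone, then the average crack time at the two guess rates quoted above (10,000/s and 164 billion/s). It reproduces the 15-digit-number case, the 86-bit 14-character case and the 3-word passphrase case from the posts above; the 70-symbol alphabet and the 7776-word list size are my assumptions, not Bitwarden's settings.

```python
import math
# Guess rates quoted in the thread: 10,000/s (the indicator's assumption) and
# 164 billion/s (one high-end GPU against unsalted MD5 hashes).
GUESS_RATES = {"indicator assumption": 1e4, "single GPU vs MD5": 164e9}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of equally likely outputs for the given generator settings."""
    return alphabet_size ** length

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy follows from the generator settings, not from the string."""
    return math.log2(keyspace(length, alphabet_size))

def average_crack_seconds(length: int, alphabet_size: int, rate: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return keyspace(length, alphabet_size) / 2 / rate

def describe(seconds: float) -> str:
    """Round a duration to the unit a user would actually read."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.0f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"

# Constructed cases mirroring the thread's examples. The 70-symbol alphabet
# (26 + 26 + 10 + 8 specials) and the 7776-word list size are assumptions.
CASES = {
    "15-digit number": (15, 10),
    "8 chars from 70 symbols": (8, 70),
    "3 words from 7776": (3, 7776),
    "14 chars from 70 symbols": (14, 70),
}

def report() -> dict:
    """One entropy figure per case, but a different crack time per assumed rate."""
    rows = {}
    for name, (length, alpha) in CASES.items():
        rows[name] = {"bits": round(entropy_bits(length, alpha), 1)}
        for rate_name, rate in GUESS_RATES.items():
            rows[name][rate_name] = describe(average_crack_seconds(length, alpha, rate))
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The same entropy figure yields "centuries" under one rate and under an hour under the other, which is why the posts above argue for reporting entropy and a warning rather than a time-to-crack.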

Thank you. What do you think about adding a setting where a user could choose what to see - strength hint, bitrate, estimated cracking time (with a possibility to specify cracking speed in settings)?

I think there should also be a possibility to clear this message manually, e.g. if I’ve imported/copied this from the password manager I used before Bitwarden.

I take it the proposal would be for a general warning on import, not a note attached to each such password. Unless globally clearable, the latter would be highly frustrating to say the least. We have reporting tools within Bitwarden to track down potential problems.

I don’t disagree with your point of view. I had proposed using warnings based on the password provenance as a more rational approach than using warnings based on attempts to analyze the pattern of characters in the password. In the mock-up posted by @dflinn above, it looks like the warnings are displayed as a message below each password.