Ugh… I’m sorry to say it, but I am very disappointed that Bitwarden is contemplating going down this path…
Unless I have misunderstood something, this is a tool that would allow a user to enter a password, perform analysis based on bad math and invalid assumptions, and then spit out feedback like the following:
Why would you want to create a tool that misleads users, and that strays from known fundamental principles of password security? This will dilute Bitwarden’s brand as a security-focused password manager.
I frequently have to educate Bitwarden users about the dangers of relying on these types of calculators, but I’m dismayed that Bitwarden staff now seem to need such an education!?
I would strongly encourage everybody involved to carefully read the discussion in Comment #28 through Comment #37 in the relevant feature request thread — especially Comments #36 and #37.
In addition, the survey itself does not seem to be well thought-out. For example, in response to the question “Which of the following best describes your process when creating passwords?”, the only selectable options (except for “Other”) are the following:
- I come up with a unique combination or phrase that is easy for me to remember
- I use a random password that my browser or password manager suggests
- I open a password generator tool to generate a password to fit my needs and then memorize it
- I reuse a password I already can remember
None of these correspond to the best practice:
“I open a password generator tool to generate a random password to fit the requirements of the website, then store it in my password manager.”
The available options make it seem like the survey is geared to individuals who are not currently users of any password manager — and why would that be the population from whom you’d want input for designing a tool for Bitwarden users?