Entropy meter for the password/passphrase generator

Hey all!

I’ve recently started using Bitwarden and am liking it a lot. Especially the option for a passphrase generator.

Something I’d like to see in that section is an indicator that shows a rough level of entropy for the generated password. Something similar to what KeePassXC does (see attached screenshot).

I didn’t make this as a feature request, but I mentioned it as a “to-do” on the roadmap.

Please refer to this thread. Not a bad idea, btw.

1 Like

I think this is a good reference:
https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

I guess this refers to what you’ve just mentioned there.

1 Like

Similar to how KeePass shows password strength when creating new/viewing existing passwords, it would be nice if Bitwarden showed a password strength meter (zxcvbn), like the one shown when creating a master password, underneath passwords in both the Password Generation page and under existing password fields within entries.

Since the Weak Password report is a premium feature, perhaps showing the meter under password fields in existing entries should be limited to premium users as well if necessary.

The reason I believe this would be useful is because I have seen people using password managers who still set their password length low and create insecure, short passwords because they have no indication what a good/bad password is, or still think as long as they have a few numbers and symbols it means their passwords are secure. A strength meter to give inexperienced and experienced users an idea how to make their passwords better at a glance would be helpful.

This is, I think, the last key feature missing from Bitwarden.

1 Like

The problem with this kind of feature is that a password strength meter thinks that 123456abcABC! is a strong password, because it is long, contains lowercase and capital letters, numbers and even special characters. But I think we all agree that this isn’t a strong password in any case.

Then I’m sure it’s possible to create a meter that doesn’t think this :slight_smile:

This feature exists in KeePassXC and it is really useful!
It measures the password (or passphrase) quality based on several criteria.

1 Like

They already have this feature when you change the master password:


Here the following data should also be shown:

  • Length of the Password (in characters)
  • Entropy (like 122 bits)
  • Crack time (how long it would take to crack the password)

The last part (how long it takes to crack) I have seen in two other password managers.
Here is one example:


Source: https://www.password-depot.de/b/ss15-en/Main_.png

5 Likes

I am posting this as a new reply, because my last reply was 2 days ago.

I found some links that calculate a password crack time (to show how this can be implemented):

It is strange how the crack time differs at these services.
For the password Hello123 the following crack times are calculated:
1st service: 4 Months and 4 Weeks (here I skipped the rest)
2nd service: 21 Hours, 21 Minutes

So these services are just an indicator of how this could be written in Bitwarden.
Here are some suggestions for the output (note that only two values are shown, so keep it short):

  • less than one second
  • 1 minute, 13 seconds
  • 14 days, 21 hours
  • 53 years, 7 months
  • 2.411191487389969e+32 years (a password generated by Bitwarden), maybe you write it shorter and more readable
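An added example (not Bitwarden’s code and not the zxcvbn library) illustrating two points from this thread: the complaint above that a naive meter rates 123456abcABC! as strong, and the two-unit crack-time output suggested in the list. The sequence-aware estimate is my own simplification rather than zxcvbn’s model, and the character-class sizes, the 1e10 guesses/s rate and the 365/30-day calendar are assumptions.

```javascript
// Added example (not Bitwarden's code, not zxcvbn); class sizes are assumed.
const CLASSES = [
  { re: /[a-z]/, size: 26 }, { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 }, { re: /[^a-zA-Z0-9]/, size: 33 },
];
// Naive meter: every character is worth log2(size of the union of classes seen),
// so 123456abcABC! scores ~85 bits despite being trivially guessable.
function naiveEntropyBits(pw) {
  const charset = CLASSES.filter(c => c.re.test(pw)).reduce((s, c) => s + c.size, 0);
  return pw.length * Math.log2(charset || 1);
}
// Crude sequence-aware estimate (my simplification, not zxcvbn's model): a run of 3+
// consecutive code points (123456, abc, ABC) is one token worth ~3 bits + log2(length).
function patternAwareEntropyBits(pw) {
  let bits = 0;
  for (let i = 0; i < pw.length; ) {
    let j = i + 1;
    while (j < pw.length && pw.charCodeAt(j) - pw.charCodeAt(j - 1) === 1) j++;
    if (j - i >= 3) { bits += 3 + Math.log2(j - i); i = j; continue; }
    const cls = CLASSES.find(c => c.re.test(pw[i]));
    bits += Math.log2(cls ? cls.size : 33);
    i++;
  }
  return bits;
}
// Expected crack time: half the keyspace at an assumed rate of 1e10 guesses/s
// (roughly an offline attack on a fast unsalted hash).
function crackSeconds(bits, guessesPerSecond = 1e10) {
  return Math.pow(2, bits) / 2 / guessesPerSecond;
}
const UNITS = [ // assumed: 1 year = 365 days, 1 month = 30 days
  ['year', 365 * 86400], ['month', 30 * 86400], ['day', 86400],
  ['hour', 3600], ['minute', 60], ['second', 1],
];
// At most the two largest units ("14 days, 21 hours"); the astronomically large
// values a generated password yields collapse into short exponent notation.
function formatCrackTime(seconds) {
  if (seconds < 1) return 'less than one second';
  const years = seconds / UNITS[0][1];
  if (years >= 1e6) return `about ${years.toExponential(2)} years`;
  const parts = [];
  let rest = Math.floor(seconds);
  for (const [name, len] of UNITS) {
    const n = Math.floor(rest / len);
    if (n > 0) { parts.push(`${n} ${name}${n === 1 ? '' : 's'}`); rest -= n * len; }
    if (parts.length === 2) break;
  }
  return parts.join(', ');
}
```

Running both estimators on 123456abcABC! gives roughly 85 bits versus 20 bits, and the formatter turns the 2.41e+32-year figure from the list into "about 2.41e+32 years".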

Any news on this matter? I’d also really like them to implement this password strength meter just like many other password managers do.

I’d like to see the password strength of my existing passwords (Logins) in my vault + I’d like Bitwarden to indicate the password strength when it generates a new password for you or when you make up your own password.

Those able to afford US$10 per year can get reports which show this.

However, what I did when I started using the free Bitwarden was to change email account and financial passwords first. Having done that I slowly worked through my accounts, over a few weeks, changing the passwords.

Now that I have paid US$10 the reports show that the current passwords are uniformly strong. My only, minor, niggle is that the reports show my old and now unused passwords.

I also have several password strength meters/generators bookmarked/installed (having checked what they do) to see what they have to say about Bitwarden generated passwords/phrases and I occasionally use their suggestions too.

I like how Password Depot implemented their password generator: Password Depot 12: Using the password generator - YouTube

Could Bitwarden, by default, show a password strength meter (based on zxcvbn) under EACH password and also say whether a password has been compromised or not, without having to click any additional buttons, e.g. like this

1 Like

Are you asking for it to be injected into the webpage? The implementation could be tricky given the variety of different login webpage formats. Bitwarden’s current webpage parsing/detection for other features (e.g. autofill) still have issues.

A slightly less visible (but probably less intrusive) option would be for Bitwarden to add an overlay feature and present the strength/compromise information there. Since it only injects a small clickable symbol into the webpage, it is less likely to break webpages (though I believe the LastPass overlay occasionally does interfere).

Probably the easiest (but least visible) option would be to present the information in the extension itself since it doesn’t need to understand the webpage data and has full control over its own presentation. See: Show password strength (zxcvbn) under Password Generator and Password Fields

You aren’t the first one to suggest that and I honestly can’t find the logic behind this request.

As you (probably) are using a password manager, why do you need to check if the password is strong enough? All your passwords are stored in your vault and the only thing you have to do is to make sure that all of them are secure. I can tell you right now that a random generated password with 15-16 characters is unbreakable.

@cho-m
I want it integrated into the extension, not the browser. Sorry for the lack of clarity.

@Nik1
I have Enpass and Enpass rated 16+ character passwords that were supposedly randomly generated (I cannot remember if I set the settings to pronounceable though) as weak - they weren’t words though. Hence, given my passwords have not all been generated by Bitwarden, I want to know if the ones that haven’t are secure.

1 Like

I think this is already requested in the link I previously mentioned: Show password strength (zxcvbn) under Password Generator and Password Fields

If it matches, then this feature request will probably get merged into that thread and you can vote on that one. Bitwarden uses votes to help plan features, so make sure to use your votes if you are interested in a feature.

1 Like

It would be handy to have Bitwarden include an indicator of the quality of the password based on settings defined by the user.
KeePass has something like that, as you see in this screenshot.