I have used the free BW password manager for a couple of years now, with a total of over 130 saved passwords in the vault. Recently, 3 weeks or so ago, I signed up for a single yearly plan.
The last few days, I have been researching how to make the best use of BW, passkeys, etc. I am on Android mobile (Samsung) almost 90-95% of the time, with the rest of the time on an older iPad. I check on the computer maybe a half dozen times a year.
My question pertains to an exposed password breach when I checked the reports section the other day.
I have one password exposed almost 3000 (yes, 3 thousand) times. Should I be concerned? The password is actually a 4 number pin. It belongs to an app downloaded from the play store. The app is "Safe Note", a supposedly secure note app. I store some personal stuff on it (nothing major, pw, etc.). The URI is something along the lines of "com.protectedtext.android". The only way I found out that it was my safe note app was googling the URI.
I changed the pin this morning, but the old pin is still shown in the BW vault. I don't know (can't remember) if I've used that pin on other sites or not.
This means that there are 3000 user accounts world-wide that currently use or have previously used this 4-digit PIN as a password, and that have been included in one or more data breaches known to HIBP.
It does not imply that your "Safe Note" account has been compromised. However, it does imply that if ever a hacker were to attempt to crack your "Safe Note" account, this PIN will most likely be used for one of the attempts to guess your password - and this guess would then be successful, giving them access to your "Safe Note" account.
Hopefully you changed it to a randomly generated string of gibberish, 13-15 characters in length (see example).
Did you update your Bitwarden vault entry for the "Safe Note" account?
If your "Safe Note" account login item in Bitwarden has your new password (not the breached PIN) but is still included in the "Exposed Passwords" report, then try logging out, clearing your browser cache, and logging back in to re-run the report.
If you did, and if those logins are also in your Bitwarden vault, then they would show up in the "Exposed Passwords" report.
I would add that for a few special situations, this could be okay. And the situation would be: if your max. characters is 4 and you can only use numbers (0-9), then there would be max. 10,000 possibilities for that PIN.
(= 10 × 10 × 10 × 10 = 10^4)
For those kinds of PINs it is not really possible to have it totally unique… Almost every possible PIN here would be exposed - some more than 3000 times, some less… And then, that would be (more or less) okay, because it is not possible to do it otherwise.
But you already changed it. Hopefully longer than four characters then, and if it is a PIN*, then maybe you could choose an alphanumeric PIN, which allows numbers and letters…
*Though, a PIN is a kind of password in the end…
PIN = Personal Identification Number, so this is an oxymoron (albeit a common usage of the term, including by Bitwarden).
The 4-digit PIN that appears in the fewest number of breaches (in HIBP) appears to be 0738, which appears "only" in 553 breaches (this is based on checking the 20 least frequent 4-digit PINs reported in a 2012 blog article by Nick Berry, which deserves to be read in its entirety) - this can be compared to the most common 4-digit PIN (1234), which appears in 2,633,239 breaches.
But the bottom line is that there is no 4-digit numerical PIN that is safe.
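To make the two points above concrete (the 10^4 keyspace of a 4-digit PIN, and how a password manager learns that a specific secret has appeared in breaches), here is an added example that is not from this thread, from Bitwarden, or from HIBP. It shows the k-anonymity lookup used by the HIBP Pwned Passwords range API: only the first five hex characters of the SHA-1 hash leave the device, and the matching suffix is compared locally. The range response is constructed offline so the script runs without network access; the only figures taken from the discussion are the counts for 1234 (2,633,239) and 0738 (553), and the filler lines are made up. `RANGE_API`, `SAMPLE_RESPONSES` and all function names are this example's own.

```python
"""Added example, not from the forum thread: a k-anonymity "pwned password"
lookup in the style of the HIBP Pwned Passwords range API (the mechanism
behind Bitwarden's Exposed Passwords report), plus the PIN keyspace
arithmetic. The API response below is constructed offline; only the two
counts quoted in the thread (1234 -> 2,633,239 and 0738 -> 553) come from
the discussion."""
import hashlib
import secrets
import string

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets of exactly `length` symbols from an alphabet of
    `alphabet_size` symbols: 10**4 = 10,000 for a 4-digit PIN."""
    return alphabet_size ** length


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix that
    is sent to the range API and the 35-char suffix that is matched locally.
    Only the prefix leaves the device; the password and full hash never do."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_sample_responses(counts: dict[str, int]) -> dict[str, str]:
    """Constructed stand-in for the range API: {prefix: response body}.
    Each body holds 'SUFFIX:COUNT' lines, plus two made-up filler lines to
    mimic the hundreds of unrelated suffixes a real range response contains."""
    responses: dict[str, list[str]] = {}
    for password, count in counts.items():
        prefix, suffix = hibp_prefix_suffix(password)
        responses.setdefault(prefix, []).append(f"{suffix}:{count}")
    filler = ["0" * 35 + ":7", "F" * 35 + ":12"]  # constructed, not real hashes
    return {p: "\r\n".join(filler + lines) for p, lines in responses.items()}


def breach_count(password: str, responses: dict[str, str]) -> int:
    """How many times `password` appears in the (sample) breach data; 0 when
    the suffix, or the whole prefix, is absent."""
    prefix, suffix = hibp_prefix_suffix(password)
    body = responses.get(prefix, "")
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def random_password(length: int = 14) -> str:
    """Random string of the kind recommended in the thread (13-15 chars),
    drawn with the secrets module rather than random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Sample data: the two 4-digit PIN frequencies quoted in the thread.
SAMPLE_RESPONSES = build_sample_responses({"1234": 2_633_239, "0738": 553})

if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace(10, 4))
    print("14-char keyspace (letters, digits, punctuation):", keyspace(94, 14))
    for pin in ("1234", "0738"):
        print(pin, "seen", breach_count(pin, SAMPLE_RESPONSES), "times")
    print("fresh random password exposed?",
          breach_count(random_password(), SAMPLE_RESPONSES))
```

Because every one of the 10,000 possible 4-digit PINs hashes to some prefix/suffix pair that is almost certainly already present in the real data set, the lookup will report a non-zero count for any PIN a user picks; the only way out of the report is a longer secret from a much larger keyspace, which is what `random_password` produces.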
Yes. I think on e.g. Android phones I saw it also. I don't know why they don't call it password then.
Yes. And I meant situations where it is not possible to do differently. E.g. on my banking card (here in Germany I think it is mostly like this - I don't know if it is the same worldwide), I only have the option for a four-digit PIN. But in those cases, there are hopefully some additional security measures in place.
I don't exactly know at the moment, I must admit, but I think with my third failed PIN try on an ATM, my banking card would be retained by the ATM or deactivated?!
But I had those kinds of situations in mind, where it would be more or less "okay" - or at least has to be accepted due to lack of other options…