Exposed password breach

I have used the free BW password manager for a couple of years now, with a total of over 130 saved passwords in the vault. Recently, 3 weeks or so ago, I signed up for a single yearly plan😀.

The last few days, I have been researching how to make the best use of BW, pass keys, etc. I am on Android mobile (Samsung) almost 90-95% of the time, with the rest of the time on an older iPad. I check on the computer maybe a half dozen times a year.

My question pertains to an exposed password breach when I checked the reports section the other day.

I have one password exposed almost 3000 (yes, 3 thousand) times. Should I be concerned😬? The password is actually a 4-number PIN. It belongs to an app downloaded from the Play Store. The app is “Safe Note”, a supposedly secure note app. I store some personal stuff on it (nothing major, pw, etc.). The URI is something along the lines of “com.protectedtext.android”. The only way I found out that was my Safe Note app was googling the URI.

I changed the PIN this morning, but the old PIN is still shown in the BW vault. I don’t know (can’t remember) if I’ve used that PIN on other sites or not.

Sorry for the long post.

This means that there are 3000 user accounts world-wide that currently use or have previously used this 4-digit PIN as a password, and that have been included in one or more data breaches known to HIBP.

It does not imply that your “Safe Note” account has been compromised. However, it does imply that if ever a hacker were to attempt to crack your “Safe Note” account, this PIN will most likely be used for one of the attempts to guess your password — and this guess would then be successful, giving them access to your “Safe Note” account.

Hopefully you changed it to a randomly generated string of gibberish, 13–15 characters in length (see example).

Did you update your Bitwarden vault entry for the “Safe Note” account?

If your “Safe Note” account login item in Bitwarden has your new password (not the breached PIN) but is still included in the “Exposed Passwords” report, then try logging out, clearing your browser cache, and logging back in to re-run the report.

If you did, and if those logins are also in your Bitwarden vault, then they would show up in the “Exposed Passwords” report.

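The “exposed N times” figure in the report comes from HIBP’s Pwned Passwords data, which is queried by k-anonymity: only the first 5 hex characters of the password’s SHA-1 are sent, and the matching is done locally on the returned suffix list. As an added illustration (example code, not from this thread or from Bitwarden), the following Python reproduces that lookup against a constructed in-memory stand-in for the range API. The `CONSTRUCTED_RANGES` table is made up for the example and only populates the prefix for “1234”; its 2,633,239 count is the figure quoted later in this thread, and the other entry is invented. `live_fetch` targets the real public endpoint but is never called by default, so the block runs offline.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
# Only the prefix for "1234" is populated. The 2,633,239 count is the number
# quoted later in this thread; the first suffix and its count are made up.
CONSTRUCTED_RANGES: dict[str, str] = {
    "7110E": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "DA4D09E062AA5E4A390B0A572AC0D2C0220:2633239\n"
    ),
}


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that goes over the wire and the 35-char suffix that never leaves the
    client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line: ignore it rather than crash
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times HIBP has seen this password; 0 if never (or if the
    fetcher knows nothing about this prefix)."""
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline fetcher backed by the constructed table above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup. Only the 5-char prefix is sent; Add-Padding asks HIBP to
    pad the response so its size does not leak which prefix was queried.
    Not called by default so the example stays offline."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "exposed-pin-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("1234", "0738"):
        print(pw, breach_count(pw, offline_fetch))
```

Offline, “0738” reports 0 simply because its prefix is not in the constructed table; swap `offline_fetch` for `live_fetch` to get the real counts. Note that the comparison is done on the SHA-1 suffix, so a 4-digit PIN is matched exactly like any other password: the report has no idea it was “only” a PIN.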

I would add that for a few special situations, this could be okay. And the situation would be: if your max. characters is 4 and you can only use numbers (0-9), then there would be a max. of 10,000 possibilities for that PIN.

(= 10 x 10 x 10 x 10 = 10^4)

For those kinds of PINs it is not really possible to have them totally unique… Almost every possible PIN here would be exposed, some more than 3000 times, some less… And then, that would be (more or less) okay, because it is not possible to do it otherwise.

But you already changed it. Hopefully it is longer than four characters then, and if it is a PIN*, then maybe you could choose an alphanumeric PIN, which allows numbers and letters.

*Though, a PIN is a kind of password in the end…

PIN = Personal Identification Number, so this is an oxymoron (albeit a common usage of the term, including by Bitwarden).

The 4-digit PIN that appears in the fewest number of breaches (in HIBP), appears to be 0738, which appears “only” in 553 breaches (this is based on checking the 20 least frequent 4-digit PINs reported in a 2012 blog article by Nick Berry, which deserves to be read in its entirety) — this can be compared to the most common 4-digit PIN (1234), which appears in 2,633,239 breaches.

But the bottom line is that there is no 4-digit numerical PIN that is safe.


Yes. I think on e.g. Android phones I saw it also. I don’t know why they don’t call it a password then. :man_shrugging:

:+1:

Yes. And I meant situations where it is not possible to do differently. E.g. on my banking card (here in Germany I think it is mostly like this; I don’t know if it is the same worldwide), I only have the option of a four-digit PIN. But in those cases, there are hopefully some additional security measures in place.

I don’t exactly know at the moment, I must admit, but I think with my third failed PIN try at an ATM, my banking card would be kept by the ATM or deactivated?!

But I had those kinds of situations in mind, where it would be more or less “okay”, or at least has to be accepted due to a lack of other options…
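To put numbers on the two points made above, the 10,000-entry keyspace and the ATM-style attempt limit, here is an added simulation (example code, not from any of the posts in this thread). It enumerates every 4-digit numeric PIN against a simulated verifier once with no limit, as an offline guess against a stored secret, and once with a three-strikes lock-out, as the card-retention rule described above. The `LockingVerifier` class, the three-failure limit, the secret PIN and the guess orders are all assumptions made for the simulation; “0738” is used only because it was mentioned earlier in the thread.

```python
from __future__ import annotations

import itertools
from typing import Iterable, Iterator, Optional

PIN_LENGTH = 4
PIN_SPACE = 10 ** PIN_LENGTH  # 0000..9999: every numeric 4-digit PIN


def all_pins(length: int = PIN_LENGTH) -> Iterator[str]:
    """Every numeric PIN of the given length, in counting order."""
    for digits in itertools.product("0123456789", repeat=length):
        yield "".join(digits)


class LockingVerifier:
    """Simulated PIN check (an assumption for this example).

    With max_failures=None it answers forever, like a secret an attacker can
    test offline. Otherwise it locks after that many wrong guesses, like the
    card-retention rule mentioned in the thread."""

    def __init__(self, secret: str, max_failures: Optional[int] = None):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("locked")
        if guess == self.secret:
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(verifier: LockingVerifier, guesses: Iterable[str]) -> tuple[bool, int]:
    """Submit guesses in order until success or lock-out.

    Returns (found, number_of_guesses_accepted_by_the_verifier)."""
    submitted = 0
    for guess in guesses:
        try:
            ok = verifier.check(guess)
        except PermissionError:
            break  # card swallowed / account locked: attacker is done
        submitted += 1
        if ok:
            return True, submitted
    return False, submitted


def lockout_success_probability(max_failures: int, space: int = PIN_SPACE) -> float:
    """Best an online guesser can do against a uniformly chosen PIN when the
    verifier allows at most max_failures wrong attempts."""
    return min(max_failures, space) / space


if __name__ == "__main__":
    # No limit: the whole keyspace falls in at most PIN_SPACE guesses.
    print(brute_force(LockingVerifier("0738"), all_pins()))
    # Three strikes: the same search is stopped after three wrong guesses.
    print(brute_force(LockingVerifier("0738", max_failures=3), all_pins()))
    print(lockout_success_probability(3))
```

The unlimited run shows why a 4-digit PIN used as an app password is unsafe regardless of how many breaches it appears in: 10,000 guesses is nothing. The limited run shows what the ATM example is actually relying on: not the PIN, but the verifier refusing a fourth attempt, which caps a random guesser at 3/10000 per card. That control exists on the card, not on a note app that accepts a PIN as its password.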