Thank you for these details.
A complex topic. But I will “do” the dice variation.
Yes. The 3rd row of the 6th column of table 4 (Reinhold’s second table) is the lowercase letter r.
It is easy, but I needed this explanation, grb. Table, columns and rows; but I could not understand that the columns are inside the tables, and also somehow I did not understand that those 3 tables in Reinhold’s examples are the tables themselves. But maybe it went wrong as Neuron wrote columns, the first 2 rolls decide the columns, so I could not imagine those 2 columns - 1 of those columns is a Table! Of course Neuron did nothing wrong - that is not what I mean - it was I who misunderstood Neuron.
I understand that Diceware is not a small thing and that we can create truly random passphrases or passwords - I think that no computer can create a natural random passphrase! That is not possible. It is a real difference between listening to music on YouTube and listening to the same music in a concert hall. Then I think it is very good to use a password generator, but for me that is now no more. Maybe EFF should increase the number of words?
In isolation, it is not possible for a computer to generate truly random numbers, only so-called pseudo-random numbers. However, for critical applications (e.g., cryptography), computers now are able to read information from external sources that provide various degrees of “true” randomness (a.k.a. entropy) (for example, microsecond-resolution variations in the duration and spacing of key presses by the user, thermal noise in electronic components, as well as timing of hardware interrupts, disk activity, and network traffic). The randomness collected in this manner is used to create an entropy pool, which is then used to provide seeds for algorithms that create very high-quality pseudo-random numbers. This technique is called a CSPRNG (Cryptographically Secure Random Number Generator), which is considered to be just as secure as a true entropy generator (like dice rolls or coin tosses).
There is no need. The security of a random passphrase created using a CSPRNG (or a true entropy source, like dice) depends on both the number of words in the word list, and the number of words generated in the passphrase, so it is possible to obtain any desired passphrase strength by selecting an adequate number of words, no matter how short or long the word list is.
For example, if I randomly select 4 words from the so-called “long” EFF word list (e.g., getting-grating-district-pound), I could get an equivalently strong password using the “short” EFF word list (which contains only 1296 words) by generating a 5-word passphrase (e.g., petal-decal-graph-spoof-shout). With a hypothetical word list that contained 60 million words, a passphrase containing only two randomly selected words would be equivalently strong to the 4-word passphrase generated from the “long” EFF word list (which contains 7776 words).
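The dice method and the word-count equivalence described above, as an added Python example that is not part of the original posts: dice rolls come from the operating system's CSPRNG via `secrets`, and each group of rolls is read as a base-6 index into the list. The placeholder word lists and every function name here are assumptions made for illustration.

```python
import math
import secrets

# Constructed stand-ins for the EFF lists (7776 and 1296 entries);
# load the real word-list files in practice.
LONG_LIST = [f"long{i:04d}" for i in range(6 ** 5)]
SHORT_LIST = [f"short{i:04d}" for i in range(6 ** 4)]

def roll_die() -> int:
    """One fair d6 roll drawn from the OS CSPRNG (randbelow is unbiased)."""
    return secrets.randbelow(6) + 1

def rolls_to_index(rolls) -> int:
    """Read die faces as base-6 digits: 1,1,1,1,1 -> 0 and 6,6,6,6,6 -> 7775."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("die face must be between 1 and 6")
        index = index * 6 + (face - 1)
    return index

def passphrase(wordlist, n_words, roll=roll_die) -> str:
    """Pick n_words independently; `roll` may be swapped for physical dice input."""
    rolls_per_word = round(math.log(len(wordlist), 6))
    if 6 ** rolls_per_word != len(wordlist):
        raise ValueError("word list size must be a power of 6")
    words = []
    for _ in range(n_words):
        rolls = [roll() for _ in range(rolls_per_word)]
        words.append(wordlist[rolls_to_index(rolls)])
    return "-".join(words)

def entropy_bits(list_size, n_words) -> float:
    """Entropy of n_words uniform, independent picks from list_size words."""
    return n_words * math.log2(list_size)

def words_needed(list_size, target_combinations) -> int:
    """Smallest word count whose keyspace reaches target_combinations.
    Integer arithmetic avoids floating-point error at exact boundaries."""
    n = 1
    while list_size ** n < target_combinations:
        n += 1
    return n

if __name__ == "__main__":
    target = len(LONG_LIST) ** 4            # 4 words from the long list
    print(passphrase(LONG_LIST, 4), f"{entropy_bits(7776, 4):.1f} bits")
    print("short-list words for equal strength:",
          words_needed(len(SHORT_LIST), target))
```
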
So you mean that a hacker has to exhaust all the possible - impossible combinations of the 7776 words before he can have access to my account? The possibilities of those 7776 are not possible to imagine. I think in this case the short EFF list is well enough. I looked at the CSPRNG site, but I could not generate any random passphrases there. This sounds like something new. Still, for the time being I will stay with the dice.
That’s it! Congrats on recovering your memory, etc.
Thanks. By the way, I have macOS Monterey version 12.7.6. I heard that old browsers cannot log in to Bitwarden in the near future; is this version of mine threatened?
If the hacker does not know your master password (they could know it if you used your Bitwarden master password also for other website logins and there was a data leak from the other website, or if they spy on you while you log in to your Bitwarden account, or if they trick you into showing or telling them your master password), and if your master password is a randomly generated 4-word EFF passphrase, then the hacker would have no resort but to guess your master password from among the 7776×7776×7776×7776 = 3656 trillion possible permutations. Therefore, to have a 50% chance of finding your master password, they would have to make almost 2 quadrillion attempts, on average.
The short list only contains 1296 words, so for a 4-word randomly generated passphrase using this list, an attacker would on average “only” have to make a little more than one trillion attempts to have a 50% chance of guessing the correct passphrase. Keep in mind that with modern computing hardware, a distributed attack using 20 GPUs could test 1 billion password guesses per hour — thus, it may take approximately 8 weeks for an attacker with such hardware resources to crack a 4-word passphrase generated from the short EFF word list. Using the long word list instead, the time (and cost) required to crack a 4-word passphrase increases by over three orders of magnitude, to two centuries! Similarly, if you stay with the short word list, but increase your passphrase length to include 5 words (instead of just 4 words), then the average time to crack the password using the hardware described would again be 200 years.
The site that I linked above was just for fundamental background information about cryptographically secure pseudorandom number generators, which can be used for many purposes other than creating random passphrases.
If you would like to use a CSPRNG to generate passphrases, I recommend the Generator function available inside the Bitwarden applications and browser extensions, or the following third-party websites:
There was an announcement on browser requirements to use this forum which didn’t mention anything about Safari,
As for Bitwarden’s requirements for web browsers, others using macOS might be able to answer.
Sorry for the late reply. I looked up the Safari version and got this data: Version 17.6; this is the SAFARI web browser. So I do not know if I am in any danger?
A 5-word-long passphrase will take 200 years! Then imagine if you have a 6- or 8-word-long passphrase? Then this worry about the quantum computers? Cryptographists say that AES256 will be very much vulnerable to QUANTUM COMPUTERS - that is 10 years from now? Sometimes I think that the password we set would change every 30 seconds too, so if a 5-word-long passphrase changes every 30 seconds, then a quantum computer may never catch up with it? As the 2FA changes every 30 seconds, so should the password change too. Only when a user is logging in does the password return to its original. I think something other than encryption strength must be done against QUANTUM COMPUTERS. But I am happy - no quantum computers are in sight as yet. Then I am sure QUANTUM COMPUTERS will help us to create truly strong unbreakable encryption too.
3656 trillion guesses is indeed a big number. I think that many underestimate this dice roll strength, as in my sphere - people there have never even heard about it. As people are afraid of password generators, I will present them this simple but very powerful tool. And on top of that, it is easy to remember the passphrases generated by dice. Still, I do not understand why password managers are so scary? This too is somewhat obscure to me.
The discussion about old browsers not being able to log in is in regards to logging in to this Community Forum, and has nothing to do with your Bitwarden vault. Since you’ve been able to log in and post to the forum since the change was made, your browser is fine.
Actually, the consensus is that symmetric encryption algorithms like AES-256 are not particularly vulnerable to quantum computing attacks. If you’ve heard differently, please cite your sources.
Nonetheless, Grover’s algorithm may (or may not) be applicable to brute force guessing of a password or passphrase. Thus, in the worst-case scenario, the password or passphrase would have to be approximately doubled in length to be quantum-resistant (e.g., a passphrase with 8–10 words).
I saw this on YouTube; I will look it up. Sure, AES256 is not possible to break with today’s computing. My BITWARDEN account is also connected to DUO MOBILE, so I receive a push notification on login. I remember it was pretty much work for me to connect Bitwarden to DUO MOBILE. I never had any problem with logging in to Bitwarden - or if I had, I did spell a wrong password. Then Proton Mail did a great job too - since then I never had any trouble with anything. I think that using strong security services is a good way towards a secure internet. Still, I cannot understand how a Bitwarden account can be hacked? Without 2FA, yes, it is possible - I think a Bitwarden account can be hacked, but that is because the user is very careless.
Yes, ultimately it is the user’s responsibility to keep their vault safe.