How does Weak Password Report work

I’m migrating to and testing out Bitwarden and wanted to understand how the Weak Password Report works. It appears that 1Password only assesses the password strength when the actual password is created or modified; is this also the case with Bitwarden Reports?

It’s interesting as 1Password reported some passwords as Good, which were really poor, but as they are hidden by default and shown as Good I would never know. For context, some of these passwords were more than 10 years old.

@SidKop Welcome to the forum!

Basically, Bitwarden uses the zxcvbn strength tester, and considers a score of 2/4 or lower to be “very weak”, which makes it appear in the Weak Passwords Report. The report results are re-evaluated every time that you re-run the report.

False negatives will occur in any password strength tester that is based on analysis of specific password strings. The opposite problem (false positives) also occurs.

For example, the zxcvbn tool used by Bitwarden will consider easy-to-crack passphrases such as “it was the best of times” or “the good the bad and the ugly” to be strong (4/4), but will rate a randomly generated 8-character string (e.g., =u[J8beW) to be “very weak” (2/4), even though such random strings have sufficient entropy (52 bits) to be suitable for use as a vault password.

Thanks, so if the strength tester updates its ‘algorithm’, old passwords would be picked up. That’s good to know, compared to 1Password.

The 1Password issue was more that it didn’t evaluate passwords that had been created years ago, only new ones. Are there any articles as to why zxcvbn rates passwords the way it does? Is it that random 8-character strings aren’t that hard to break with enough computing power? I guess it doesn’t evaluate for common phrases that humans understand.

Not sure what you mean, but the zxcvbn repo has not been updated for 9 years, so it is unlikely that the algorithm will change. However, you can run an Exposed Passwords Report which will check all of your vault passwords against an up-to-date database of passwords found in data breaches.

Information about the zxcvbn algorithm can be found here:

The reason why randomly generated character strings are rated conservatively is explained here:


It does look for words, but not for phrases. Any sufficiently long string of words will be evaluated as a “strong” password, even if it is a commonly known phrase.

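The two posts above (the 52-bit random string that zxcvbn scores 2/4, and the note that random strings are rated conservatively) come down to one scoring rule. This is an added example, not Bitwarden or zxcvbn code: it models only zxcvbn’s published fallback for text it cannot match to any pattern (a “bruteforce” match costed at 10 guesses per character, then cut into the 0–4 score at 1e3/1e6/1e8/1e10 guesses) and sets that beside the uniform-keyspace view the post uses to get 52 bits. Dictionary and phrase matching are not modelled, so the scores it produces are only valid for strings zxcvbn finds no patterns in; the sample password is the post’s own, and the attack rate in the usage section is a constructed assumption.

```python
"""
Added example: why zxcvbn rates an unrecognised random string conservatively.

Only two pieces of zxcvbn behaviour are modelled here:
  - unmatched text is scored as a bruteforce match with 10**len guesses
    (BRUTEFORCE_CARDINALITY = 10), whatever the real character set is;
  - the 0..4 score is cut at 1e3, 1e6, 1e8 and 1e10 guesses (plus a DELTA of 5).
Everything else (character classes, crack-time rate) is standard entropy
arithmetic or a constructed assumption, not zxcvbn code.
"""
import math
import string

# Printable-ASCII character classes, as most entropy calculators count them.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

BRUTEFORCE_CARDINALITY = 10        # zxcvbn's per-character cost for unmatched text
_SCORE_CUTS = (1e3, 1e6, 1e8, 1e10)  # zxcvbn score boundaries (guesses)
_DELTA = 5                          # zxcvbn adds this to each boundary


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that covers the password."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Entropy if the password was drawn uniformly at random from its character set."""
    return len(password) * math.log2(alphabet_size(password))


def keyspace_guesses(password: str) -> int:
    """Guesses needed to exhaust the uniform keyspace (an attacker needs ~half on average)."""
    return alphabet_size(password) ** len(password)


def zxcvbn_bruteforce_guesses(password: str) -> int:
    """zxcvbn's fallback guess estimate for text it cannot match to any pattern."""
    return BRUTEFORCE_CARDINALITY ** len(password)


def score_from_guesses(guesses: float) -> int:
    """Map a guess count to zxcvbn's 0..4 score using its published cut-offs."""
    for score, cut in enumerate(_SCORE_CUTS):
        if guesses < cut + _DELTA:
            return score
    return 4


def bruteforce_only_score(password: str) -> int:
    """Modelled zxcvbn score; valid only for strings zxcvbn finds no patterns in."""
    return score_from_guesses(zxcvbn_bruteforce_guesses(password))


def crack_seconds(guesses: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace at the given rate."""
    return guesses / 2 / guesses_per_second


def real_zxcvbn_score(password: str):
    """Real zxcvbn score if the optional `zxcvbn` package is installed, else None."""
    try:
        from zxcvbn import zxcvbn  # pip install zxcvbn
    except ImportError:
        return None
    return zxcvbn(password)["score"]


if __name__ == "__main__":
    random8 = "=u[J8beW"  # the post's example of a random 8-character string
    print(f"{random8!r}: alphabet {alphabet_size(random8)}, {entropy_bits(random8):.1f} bits")
    print(f"  zxcvbn bruteforce model: {zxcvbn_bruteforce_guesses(random8):.0e} guesses"
          f" -> score {bruteforce_only_score(random8)}")
    ks = keyspace_guesses(random8)
    print(f"  uniform keyspace:        {ks:.1e} guesses -> would score {score_from_guesses(ks)}")
    # Constructed assumption: 1e10 guesses/s, i.e. an offline attack on a fast hash.
    print(f"  expected offline crack time at 1e10 guesses/s: {crack_seconds(ks, 1e10) / 86400:.1f} days")
    real = real_zxcvbn_score(random8)
    print(f"  real zxcvbn score: {real if real is not None else 'zxcvbn package not installed'}")
```

Run stand-alone it prints the 52-bit figure, the 1e8-guess bruteforce estimate that lands on score 2, and the 6e15-guess keyspace that would land on score 4; the gap between the two is the whole of the “conservative rating”. The same arithmetic also shows why the score is not a vault-password verdict on its own: 52 bits is ample against an online login but only days against an offline attack at the assumed rate on an unsalted fast hash, which is why the entropy of the string, not the 0–4 score, is what matters for a master password.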

It’s probably not relevant anymore. 1Password incorrectly marked passwords created over 10 years ago as ‘Good’; if you edit the password field, it then marks them as ‘Weak’. If zxcvbn hasn’t been updated for 10 years, this would tally with that, but makes any future ‘risk’ quite low. Thanks for the info.