How to remember / where to store master password?

Hi all,

After 30 years of writing my passwords in a paper notebook I’m now using Bitwarden Premium for a month. I’ve also ordered some YubiKeys (one permanently in my desktop PC, one on my keychain to unlock my Android phone with NFC) and a third one with a Lightning port to unlock my iPad.

I understand the difference between logged out and locked in Bitwarden and have read the discussions about it. I love how my Bitwarden vault under Windows in the native app is unlocked only using my fingerprint with Windows Hello.

To the question: As recommended I’ve a strong master password. Not extremely long, but with lots of special characters and almost impossible to remember so I wrote it down on a piece of paper which I keep at home.

  • I keep this password on a paper in my home. Is it recommended to buy a (hardware) vault to store this password? As I need to enter my master password every time with the Firefox plugin on my desktop it would not be very user friendly, but maybe I can live with it.

  • Unlocking Bitwarden is working great on my Android phone and iPad with fingerprint on a locked vault. But what if I get logged out and need to enter my master password (which I can’t remember) when I’m not at home? I don’t like the idea of keeping a copy of my master password in my wallet when I’m away from home. Would love to hear some tips / advice.

  • Is it recommended to use a (hardware) vault at home to store an (unencrypted) copy of my passwords on a USB stick or paper print?

  • If I need a (hardware) vault at home would a cheap vault from Aliexpress be sufficient or would you recommend a more secure (fire resistant) vault?


Hello @Justme,

You could have a complex password that you can still remember. As an example you could take a quote, the first part of a poem etc., take only the first/second letters and add a small custom password at the end. That way it is not guessable :slight_smile:

In general any way that minimizes the risk of losing the password without compromising security. That means:

  • Paper: I know quite a few people who have their passwords on paper, but they still lose them
  • Electronic hardware (USB stick, SD card): If someone has the hardware they can easily use or copy your master password. If you have it encrypted in any way, then it is a good solution.

Possible solution
Save your master password in your Bitwarden account. Then do one of the following to have access to it:

  • Share it with a very trusted person
  • Have a device that you unlock with one of these technologies (or similar): PIN, fingerprint, FaceID, iris scan, etc. This way you can access your master password if you forget it.
  • Have another password manager (e.g. KeePassXC) locally on one device and save your master password there. That should of course have a different (maybe easier) master password, but it should still be difficult to access.

If you use PIN unlock, it could be easier (I personally still use Master Password).

Never encountered that, in either Android or iOS (iPadOS). Your Bitwarden settings should lock Bitwarden and not log you out on timeout.

You can have a password-protected QR code with no hint of what it is. You will remember when you need it :wink: . Of course this should have a password that is easy to remember.


Summary

Remembering complex password:

  • Create a master password that you can remember via memory tricks.

Storing:

  • Hardware wallet like Ledger, Trezor
  • Hardware like a USB stick or SD card, encrypted with a password and made read-only
  • Encrypted QR-Code
  • Stored master password inside bitwarden and have multiple ways of accessing it
  • Another password manager with limited access

Hope this helps :slight_smile:

Any feedback is welcome


Hi Pulsar,

Thank you very much for your comprehensive and very helpful reply!

My master password is now stored in my Bitwarden vault and am working on the rest of your advice.

I’m thinking of using my YubiKeys for the first part of an (impossible) password, which I can append with an easy to remember second part. (Not my idea, but sounds good to me).

Thank you very much again. BTW, will look into your other solutions (Ledger, Trezor).


Remembering long complicated passwords is hard for (most) humans.

An alternative is a passphrase, as per xkcd. “correct horse battery staple” is the example and the principles outlined are valid. Bitwarden will generate passphrases, just as it will generate passwords. You can specify the number of words and a few other things. To check their strength, password strength meters are available to experiment with.

A common approach is to use passwords for the things Bitwarden is remembering and a passphrase for access to Bitwarden.

This is an interesting topic, where usability is fighting with security (and usually wins).

From my personal point of view, a user should avoid using any tools that store the master password and require some simple analog (like a PIN) or biometrics to use it, because in the end your master password has a level of protection equal to the level of your PIN, or to how easy it is to force you to use your biometrics (or steal them, like fingerprints).

So, my recommendation would be to disable all of these PINs and biometrics on all your devices and always unlock by master password. This way you’ll remember it after a few unlocks and won’t forget it because of the unlock frequency. The password could be not so long, but very complex; you’ll remember any combination of chars in this case, but a shorter password is faster to type. So, it should be strong enough and as short as possible (10 chars as a starting point).

This is how I use it, but I assume nobody will like this workflow these days with FaceID, Windows Hello and other similar tools in each and every device…

10 characters is considered too short.

Protonmail have a good article on this which reflects other articles on the subject.

15 characters is considered hard for most attackers to brute force at the moment. However, assuming that they are stored in a password manager, 20-25 random characters gives some headroom without adding any inconvenience.


I went a controversial route and chose not to remember my master password.

"back up your vault before changing the master password"

My master password is long and completely random. I print it out and put it in my safe along with the backup code for the 2FA. No one expects me to remember my backup code so why remember my master password? I’m not getting in my vault without one or the other.

For all my devices I use the PIN unlock. Your data is still encrypted if you use the PIN and unlocking with the PIN is so much easier than your master password.

I also have a copy of my master password in my Bitwarden vault, so in case I’m logged out of one device I can use another to retype the master password, but this doesn’t happen often. If that fails I still have a copy in my safe. When Bitwarden gets the emergency access feature that will be something else I can use too.

At first, I thought this idea was stupid but then realized this is what 1Password does for the secret key. The secret key is a randomly generated password that is attached to your master password, without it you won’t get in your 1Password vault. 1Password doesn’t force you to remember the secret key and instead, they have you store it somewhere safe. It’s also nice knowing no one is going to crack my master password because it’s random and super long, longer than what I could ever remember.

I also do regular backups of my vault too.

What I’m doing is very advanced, I’ll admit that, but I did get a password manager so I would not have to remember any passwords. Just something to think about.


Ok, then if I’m an attacker and want to get your passwords from the vault, I just have to get physical (or even remote) access to one of your devices with a locked BW and guess / compute your PIN, which is much easier compared to any reasonable password.

If an attacker has direct or remote access to your devices, you have a much bigger problem than him getting into your Bitwarden vault.


If an attacker is in your system it’s a lose-lose situation no matter whether you use a PIN or master password. Waiting for you to enter your PIN or master password is no different to them. This is why it’s important to run a good AV along with your password manager.

What is more likely is an attacker going after all of Bitwarden instead of focusing on one person and gaining physical access. Since my master password is randomly generated and long, cracking it is not possible.


A passphrase of 4-6 fairly long, unconnected and obscure words is equally difficult to crack, but can be remembered fairly quickly.

About passphrases: I couldn’t understand this. If passwords should be random and unpredictable, so that cracking with a dictionary doesn’t help, then why do we accept a passphrase as a strong alternative, while it contains only a few words from a dictionary and, having that dictionary, each word would be almost equal to one char in terms of complexity for cracking (the difference is only in the number of chars vs. the number of words in the dictionary)?

In 2014 the creator of Diceware, the passphrase list that Bitwarden uses, recommended 7 or more words.

In Reinhold’s Diceware FAQ, he writes that “Six words may be breakable by an organization with a very large budget, such as a large country’s security agency. Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030. Eight words should be completely secure through 2050.”


To take a ridiculous example, if the list of words were 20, from which people had to select 3, then that would be easy to break.

However, as the number of words in the dictionary increases and the number to be selected from that dictionary increases, together with tricks like inserting the odd number in the middle of words and adding “punctuation” to split up the words and make things easier, the difficulty of breaking the passphrase increases exponentially.

This is similar to the way a number of similar things work. There are ways to break most codes and ciphers, the question is whether they are feasible in an acceptable time.

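The entropy arithmetic behind the last few replies, as an added example that is not from the thread. It treats the attacker as knowing the word list or character set, so each element contributes log2(alphabet size) bits: roughly 6.6 bits per random printable character versus roughly 12.9 bits per word from a 7776-word Diceware list, which is why a word is worth about two random characters, not one. The 20-word list and the guess rate are constructed assumptions; the generators use Python's `secrets` module.

```python
import math
import secrets
import string

# Constructed stand-in for a word list (assumption, not a real Diceware/EFF list).
# A real Diceware list has 7776 words; 20 words is the "ridiculous example" above.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "bramble", "cobalt",
    "dusty", "ember", "falcon", "glacier", "harbor", "iris", "juniper",
    "kestrel", "lantern", "marble", "nickel", "orchid", "pebble",
]
DICEWARE_WORDS = 7776                 # 6**5: five dice rolls select one word
PRINTABLE_CHARS = 95                  # printable ASCII, space included
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` elements drawn uniformly and independently from an
    alphabet of `alphabet_size` choices. The attacker is assumed to know the
    alphabet (word list or charset); only the selection is secret."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to brute force a secret of `bits` entropy: on average the
    attacker searches half the space. The guess rate is an assumed figure for an
    offline attack; a slow KDF (PBKDF2/Argon2) in front of the vault key cuts it
    by orders of magnitude."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / 31_557_600  # seconds per year


def compare_strengths() -> dict:
    """Bits of entropy for the options discussed in the thread."""
    return {
        "3 words from a 20-word list": entropy_bits(len(SAMPLE_WORDS), 3),
        "10 random printable chars": entropy_bits(PRINTABLE_CHARS, 10),
        "15 random printable chars": entropy_bits(PRINTABLE_CHARS, 15),
        "4 Diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 Diceware words": entropy_bits(DICEWARE_WORDS, 6),
        "7 Diceware words": entropy_bits(DICEWARE_WORDS, 7),
        "8 Diceware words": entropy_bits(DICEWARE_WORDS, 8),
    }


def generate_passphrase(words: list, count: int, separator: str = "-") -> str:
    """Diceware-style passphrase: each word chosen with a CSPRNG, uniformly and
    with replacement, so entropy_bits(len(words), count) applies exactly."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random character password over a known alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, bits in compare_strengths().items():
        years = expected_crack_years(bits)
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("sample passphrase (weak, 20-word list):", generate_passphrase(SAMPLE_WORDS, 5))
    print("sample 20-char password:", generate_password(20))
```

Run it and the table answers the question above directly: six Diceware words (about 77.5 bits) beat ten random printable characters (about 65.7 bits), and seven words (about 90.5 bits) sit between 13 and 14 random characters. Inserting digits or punctuation inside the words, as suggested above, only adds entropy if the attacker does not know the rule you used.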

I am aware of that. However, it is a matter of balancing risks.

A large country’s security agency has other ways of trying to get at information. There is no point having an impregnable door on a vault if the walls are made out of breeze blocks.

I can’t be bothered to look up the precise details at the moment, but Phil Zimmermann pointed out that PGP was not unbreakable, but if a government was expending the amount of effort necessary to break it on your messages then you should be thanked for diverting their efforts away from the rest of us.

Suggestion: write down your login / password / recovery code on paper.

Cut the paper in the middle of the login / password and recovery code.

Give each part to a different person. So, each has only half the information.

That way, nobody can access your account, except in case you are in trouble. Both persons need to be together.

Each year, remind your persons of the importance of this paper.

This is my suggestion to the people I support in the usage of Bitwarden.

Your comments are welcome!


You can get a hardware “wallet” like a Billfodl. These are meant for secure storage of your crypto-currency secret, but can work for passwords as well. These are made of high grade stainless steel that shouldn’t corrode easily in salt water and will survive the hottest part of a normal fire.

If you get multiple of these, say 3, you can split your secret in a way that bringing together any 2 gives you the whole. Mind you, access to even 1 of these would mean part of the secret is exposed. These do come with security stickers that are each unique and tamper-evident.

You could store one in your house, one in a bank vault, and one somewhere else, like a friend/family. They even have holes which can be used to run a lock through. Someone could cut the lock, assuming it’s a decent one that can’t be easily picked, but this would require someone to be determined.

Since my threat model doesn’t include the government, a split password plus 2FA is plenty fine for me. Any person willing to jump through these real-world hoops would be an adversary I’d willingly work with.

My 2FA backup setup is several YubiKeys. Both my wife and I have them on our persons and we’ve cross-set up our accounts. We have a shared backup in a safe deposit box. Access to the safe deposit box requires both our physical key and the bank’s key. The bank only allows people in if they’re on a list of authorized people. And we can’t just add them to the list; that person has to come in, they have to sign a form, and their license is documented. Of course they must show proof of identity when they want to access it.

The only way someone else is allowed access is through a court order. And even then, if they don’t have our key, the service to drill out our lock is next day and they will attempt to contact us unless the court order says they cannot.

The vault itself has a nearly 1’ thick metal door. The locking cylinders are about 6" thick each, and these go all around the door. The structure of the vault is strong enough to support this door, which says something about the structure. I’m not trying to say how safe it is against some movie grade international thieves. What it says is how safe it is against disasters. It will survive anything our local mother nature could throw at it.

Can’t get accidentally lost, destroyed, and no unauthorized access short of a court order.

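A worked version of the “any 2 of 3” split in the post above and of the paper-halves suggestion before it, as an added example that neither poster used. It implements Shamir’s secret sharing over GF(2^8), byte by byte: unlike cutting the paper in half, a single share below the threshold reveals nothing about the secret, while any `threshold` shares reconstruct it exactly. The `index-hex` share encoding is an assumption chosen so a share can be printed or stamped into a metal plate.

```python
import secrets

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
# Addition and subtraction are both XOR, which keeps the Lagrange formula simple.
def _gf_mul(a: int, b: int) -> int:
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def _gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 for nonzero a (field has 255 units)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, power, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, power)
        power = _gf_mul(power, power)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Return `shares` tuples (x, y_bytes). Each secret byte is the constant term
    of a random polynomial of degree threshold-1; share x holds that polynomial
    evaluated at x. Fewer than `threshold` points leave the constant term
    uniformly undetermined."""
    if not 1 < threshold <= shares < 256:
        raise ValueError("need 1 < threshold <= shares < 256")
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    out = []
    for x in range(1, shares + 1):
        ys = bytearray()
        for coeffs in polys:
            y = 0
            for c in reversed(coeffs):          # Horner: y = y*x + c
                y = _gf_mul(y, x) ^ c
            ys.append(y)
        out.append((x, bytes(ys)))
    return out


def recover_secret(shares: list) -> bytes:
    """Lagrange interpolation at x = 0 over any set of distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    secret = bytearray()
    for i in range(length):
        acc = 0
        for xj, yj in shares:
            num, den = 1, 1
            for xm, _ in shares:
                if xm != xj:
                    num = _gf_mul(num, xm)          # (0 - xm) == xm in characteristic 2
                    den = _gf_mul(den, xj ^ xm)     # (xj - xm)
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def encode_share(share: tuple) -> str:
    """Printable form 'index-hex' (assumed format for paper or a metal plate)."""
    x, y = share
    return f"{x}-{y.hex()}"


def decode_share(text: str) -> tuple:
    x, y_hex = text.split("-", 1)
    return int(x), bytes.fromhex(y_hex)


if __name__ == "__main__":
    # Constructed sample secret; a real master password or 2FA recovery code goes here.
    master = b"correct horse battery staple"
    plates = [encode_share(s) for s in split_secret(master, threshold=2, shares=3)]
    for p in plates:
        print("share:", p)
    print("recovered from shares 1 and 3:", recover_secret([decode_share(plates[0]), decode_share(plates[2])]))
```

Each plate holds a share that is as long as the secret but, on its own, is indistinguishable from random bytes, so the caveat in the post above (“access to even 1 of these would mean part of the secret is exposed”) applies to the half-a-sheet scheme, not to this one. Keep the threshold and index with each share, and test recovery from every combination of shares before relying on it, since a typo on one plate is only discovered at recovery time.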