Is this a secure method of generating master passwords?

Hi All

I was trying to think of a method of having a very long and strong master password.
The idea I came up with is this:

  1. Have a folder called, for example, photos.
  2. Bung 100 or so family photos in there.
  3. Using a particular photo, generate a hash from the file
  4. Copy/paste the hash into BW as the master password.

I’ve had a think about it, and the risks are:

  1. Having stuff on the clipboard is pretty risky, so once in BW, select any password, and it will clear the clipboard after X seconds.
  2. I use Windows, which by default, logs the last access time of a file, so it could be determined which file I use from this. The answer is to turn this windows feature off.
  3. BW doesn’t seem to mind invalid logins, so if someone knew the method, and files they could try every combination of file/hash. Not sure how to address this.

The bonus of this method is I can have very long complex master passwords that I don’t need to remember or type.

What do you think? I’m new to BW and would welcome any comments.

Thanks for reading!


Your title says “master passwords” in plural, so are you setting up multiple Bitwarden accounts? Normally, you would only have a single master password.

In any case, bright people have considered this issue before you, and there is no need to re-invent the wheel, here.

What you need is to create a password that is unguessable by an attacker, but that you can memorize and type from memory. This is possible using a four-word passphrase (e.g., barcode-astride-lint-plod), as long as the words were selected completely at random (i.e., using a cryptographically secure pseudo-random number generator, or a true entropy source such as dice rolls or coin tosses) from a sufficiently large list of words (at least 6000 words). If the passphrase was randomly generated, an attacker would have to try over a quadrillion possibilities before chancing upon the correct combination of words (and that is in the worst-case scenario, for which the attacker knows that your master password is a passphrase, and has a copy of your word list). Using a high-end GPU, it would take thousands of years to run through all the passphrase possibilities in a brute-force cracking attempt. For an attacker willing to invest millions of dollars to attack your vault using a distributed attack involving thousands of GPUs working in parallel, it would still take years to guess your passphrase. Unless you are an extremely high-value target or an Enemy of the State, no attacker is going to bother going through that kind of trouble to get into your Bitwarden vault.

The question remains: how do you securely create a passphrase? This depends on how paranoid you are. If you already have Bitwarden installed, you can use its built-in password generator, which is also able to generate random passphrases. Alternatively, you can use Bitwarden’s online password generator, but that means you would have to trust that the generated password is not transmitted anywhere by the website, or that no-one is able to access your computer’s memory (or any traces of those memory contents that may be left behind in swap files, hibernation files, or memory dumps). You could mitigate some of these risks by using a client-side passphrase generator like The Little Password Helper, but first save the HTML as a local .html file, then disconnect your device from the internet and open the locally saved HTML to generate your passphrase; close your browser before reconnecting your device to the internet.

If you are super paranoid, you can use the Diceware method, in which base your passphrase on the results of rolling a set of five dice four times (or one dice rolled 20 times). Then use the EFF word list, or any other list containing 7776 distinct words (you can even create your own diceware word list, using a tool like Tidy), and translate each group of 5 dice roll values into a word (e.g., 3,6,4,2,2macaroni in the EFF word list); write down each word on a piece of paper, and use the written down passphrase to help you memorize it. Here are some additional tips from the original Diceware website:

1 Like

Hi no, I just meant master passwords in general, not for multiple accounts. I have one account.

In any case, bright people have considered this issue before you, and there is no need to re-invent the wheel, here.

I’ve searched the forum, and haven’t managed to find this discussed. Do you by any chance have a link?

Thanks I know about pass phrases, but don’t trust my memory. i’m 60 years old and have had a stroke, which is why the suggested sytem was appealing to me.

I’m not high net worth, but did lose £4.00 down the back of the sofa last week :slight_smile:

Thanks for all the options, but I’d quite like to see a discussion on the method \I’ve suggested - if anyone has a link to it i’d be very grateful.



OK, so you need a single master password, then.

I was referring to people like Arnold Reinhold, Randall Munroe, the folks at the Electronic Frontier Foundation, and others.

Using a passphrase as your master password will still have benefits in your case, because it can be manually typed, thus avoiding the risks associated with clipboard leaks.

For you, I would recommend simply writing down your passphrase on a slip of paper. You should do this in any case, because a recommended best practice for using password managers is to create an Emergency Sheet, as insurance against the loss of your master password (by temporary or permanent memory failings) and/or 2FA second factor.

Bitwarden is designed so that you can remain logged in indefinitely, securing your vault by locking it when not in use. If you use the options available for using a PIN or biometrics (fingerprint or face recognition) to lock and unlock your vault, then you will only need your master password when you restart your browser (assuming that you are working with the browser extension). If you minimize your browser instead of closing it when not in use, and if you put your computer to sleep instead of shutting it down when not in use, then you will need your master password very infrequently. On those occasions, you can refer to your Emergency Sheet.

Ho @grb
Thanks for your reply. I can see the benefits of using a passphrase and of wiriting it down and puting it in a safe place so thanks for that.

I already have my 2FA disable code in a safe place as I recognised this as something that could trip me up if I lost my 2FA device.

Mostly, I use the Windows BW app, login and do some surfing and then close the app. I had noticed if I didn’t close the app and shut my laptop, sending it to sleep, when I started it again, the BW app was still there and logged in. and thought eek! Now this is really the most convenient method as you don’t need the MP again, but must be the least secure. So my position is that I want excellent security with the brain of an ant :slight_smile:

I did consider biometrics and as far as I understand it, I can buy a USB fingerprint reader quite cheaply, but the camera I would need are available, but quite expensive. I’m not very confident with face ID as I read a little about spoofing it. This applied to mobile phones and a report was compiled by, I think a dutch company who found that the Iphone as pretty good as it projected multiple dots on the face to form a proper 3D image. However some Android phones were pretty easy to spoof with a decent quality photo of the person.

A fingerprint reader might be a good option as it’s physically small and could live on my keyring, meaning I don’t forget it when travelling. Probably unlikely, but if some bugger cut my finger off, they would be in, but I’ve probably watched too many films :slight_smile:

I did a bit of googling on my original thoughts and found a couple of debates that were interesting.

Thanks for the links. I see two are about diceware, although the Randall Monroe appears to be dead, with the site down. so can’t comment on that.

I’m still interested to find aout about using a hash from a file. If it’s a bad idea, I’d like to understand why.

Anyway, have a good day :smiley: :grinning:



The site seems to be experiencing difficulties currently, but a copy of the webpage I had linked is available here (courtesy of the Wayback Machine).

Leaving your vault unlocked for prolonged periods of time is not recommended, which is why you should configure your Settings (under File > Settings in the Desktop app) with the Vault Timeout period set to the shortest acceptable time interval, and the Vault Timeout Action set to “Lock”.

Biometrics for unlocking is unfortunately not available for the Desktop app, so you would have to switch to using the Browser Extension if you want to use a fingerprint reader.

On the other hand, you can enable the Unlock with PIN option (but if you do this, it is safest to leave the Lock with Master Password on Restart as is — i.e., enabled). Even though this is called a “PIN”, on the non-mobile apps, this can be a non-numeric character string, as well. So this “PIN” can be password similar to your master password, but perhaps somewhat less complex.

When analyzing cryptographic security, one principle that is used (Kerckhoffs’s Principle) is to not rely on “security through obscurity” — i.e., one assumes that an attacker knows the exact method that was used to generate a password or cryptographic key, but does not know the specific result (i.e., password or key) that was produced by this method.

In your proposed method, the worst-case scenario under Kerckhoffs’s principle would be that the attacker has access to your folder of image files and knows the hashing algorithm used, but they do not know which of the “100 or so family photos” that is the basis for your password. As you noted, they can still break in to your vault by simply trying the method on each one of the photos. So your entire protection is based on relying on the assumption that the attacker does not know your password generation method — in other words, “security by obscurity”.

Hi again

Thanks for the tip. I’ve now configured the app for a short vault timeout, just in case I forget to close the app.

I can see the big hole in my idea so will rethink, possibly with your pass phrase suggestion. I read the wiki page with interest.



When deciding how to protect your Bitwarden vault, it helps to make an honest assessment of the plausible risks that you face (remembering that you are — presumably — not a Double-O Agent or a billionaire). It is true that all Bitwarden users at some point in the future may fall victim to a theft of data from Bitwarden’s cloud servers. Not to fret, as long as you have a master password that is a randomly generated diceware-style passphrase consisting of at least 4 words (the encrypted database records will not be decryptable in that case). But how likely is it really that someone will steal (or otherwise come into possession of) one of your devices that is logged in to Bitwarden? Do you use Bitwarden on a desktop computer, or on a laptop, or on a tablet or mobile phone? If on a laptop or tablet, does the device ever leave your home, or does it stay put like a desktop PC? Do you live in a “safe” area? What are the crime statistics for burglary in your neighborhood? When you travel, do you visit areas that may pose elevated risk, or not?

After answering some of these questions, you can begin thinking about how to mitigate or thwart the risks faced by your Bitwarden vault as a result of your circumstances.

For example, you can change the Vault Timeout Action to “Logout”, with a short timeout period. In that case, if your device is stolen, the thief would not be able to access your vault (after it is logged out), unless they know your master password and also have access to your 2FA. Thus, even if you keep your master password written down on a piece of paper that is attached to your computer, the thief cannot get into your vault unless they also have access to your 2FA (or if they, in addition to making a living as a burglar, also moonlight as a cybercriminal and somehow manage to break into Bitwarden’s servers to steal your vault data from the cloud — and in this case, they would have to successfully break into Bitwarden’s cloud servers before you discover that the piece of paper with your master password has been stolen, at which point you can simply change your master password and rotate your account encryption key to render the old password worthless). Of course, you can make things even more challenging for the thief by not taping your master password to your computer (maybe tape it to the bottom of your stapler instead).

Thus, one idea that may work for you, is to use a Yubikey to enable 2FA by FIDO2/Webauthn, in which case your vault will be safe as long as your Yubikey doesn’t get stolen at the same time as the piece of paper that has your master password (e.g., don’t leave the Yubikey plugged in
to your computer when not actively authenticating — or at least remove the Yubikey from the computer when travelling). There is even a “Yubikey Bio” that requires your fingerprint to be detected before it can be used for authentication.

Hi again @grb and thanks again for your excellent response. As is always the case on the forums I use, I’m learning lots.
I did have a dream that I was a OO agent and that I was a billionaire, but then I woke up lol.
While I don’t think I’m being targeted by the government lol, I do use bitwarden for pretty much everything - logins, passwords, financial, medical etc so it’s very high value to me. My background is IT and have decades of support experience and am a retired computer programmer. For any other coffin dodgers that are reading this, it all started with Dbase II running under CP/M lol. However, as far as cyber security goes, I would consider myself as an enthusiastic amateur and this has probably generated a little paranoia after reading about security and hacking.
So, back to the real world! I found your post reassuring, so thank you for that.
Your comments on keeping the master password on a post-it note on the screen, or under a stapler made me smile and took me back some years. It was common place to see sticky notes on screens with someone’s user name and password written on it. While this didn’t often cause security concerns, it was a bit of a bugger to try and identify an individual on the network that had performed an operation, like delete/change a file. Oh, yes it was FredBloggs, no it wasn’t it was JaneDoe using Fred’s login as the cleaner had discarded Jane’s sticky note. Blimey!

I took a look at the Yubikey Bio bio and it looks good. Here in the UK, it’s around £100.00 with tax so it’s quite expensive and given my recent reduction in paranoia, I’l probably not invest in one, but the tip is appreciated :grinning:

I do use a hardware 2FA device though and this is kept separate from the laptop, of course. I haven’t left it plugged in yet though!

On your comments on vault timeouts, I mentioned I would set a short one and did this. Last night, I forgot to close BW and closed the laptop lid, sending it to sleep oops! When I woke the laptop today, and clicked on BW, it wanted the master password. Brill! :+1:

I find the whole topic of cyber security very interesting, recently brought into sharp focus when my step-daughter was scammed out of a large sum of money by a solicitor’s invoicing scam.
My guess is as some point, I’ll take some course in cyber security and get some qualifications in it and stop suggesting dumb-ass ideas like generating hashes from files lol.
Anyway I ramble on. Best of luck to everyone that’s read this thread. Hope you found it entertaining in places :grinning:



1 Like