Limited the total characters length of passphrase generator and option to disable Word separator

Feature name

  • Limited the total characters length of passphrase generator and option to disable Word separator

Feature function:

  • Set an upper limit to the total character count of the passphrase.
  • Lowering the minimum word count to 2 or even 1 can help (optional).
  • Option to not use a word separator.
  • Option to capitalize the LAST character of the word instead of always the first, as it’s less predictable.

I ran into a problem with some websites that limited the number of characters a password can have.

I want passphrases because sometimes I have to log in on other devices that don’t have Bitwarden (my TV, a remote machine, other people’s devices; I have 2FA, so don’t worry about that), and typing words is much easier than 16 random characters.

But some sites don’t allow passwords longer than a certain length, let’s say 12 characters, or don’t allow special characters at all. And Bitwarden only allows a minimum of 3 words per passphrase, which can easily exceed 20 characters.

And if I remove the default word separator, it will be replaced with a space (I’ve never seen any site allow passwords that contain spaces, ever).


A one or two word passphrase would offer little to no protection. I don’t think Bitwarden should encourage those sort of passphrases. If you’re using a site that specifies a maximum number of characters for the password, I would strongly advise you to use a complex password with random characters. I know it’s inconvenient to type in, but it’ll keep your account secure. Passphrases are great when there’s no upper limit on the character count.


That’s not the issue here. There are imaginable use cases where one could fathom an insecure password as being acceptable. Just off the top of my head (fictitious): the password my 8-year-old should enter on the smart TV to access Netflix is a 4-letter word and a digit (all lowercase), as it’s only used in the internal network, has a clunky user interface (remote control) and limited security risk (yeah, that l33t h4X0r can watch My Little Pony using it).

But the solution is basically pretty simple: just pick a part of the generated password or even tweak it.
This also prevents someone who gets to see your generated password history from being able to use that info.

This may be a useful feature, but it should not be used unless the word list has been vetted to ensure that the concatenation of two (or more) entries cannot produce a valid word. For example if the generator produces a 5-word phrase opt-ion-pasta-headstone-work, then this could be matched to a 4-word phrase option-past-ahead-stonework during a brute-force attempt if the separators are omitted. This significantly reduces the entropy of the passphrase.

Maybe there could be several available capitalization patterns (xxxx, XXXX, Xxxx, xxxX, XxxX, xXXx, XxXx, xXxX) and the user can select (manually or randomly) which pattern to use for the majority of the words, and then a different pattern (randomly selected) is applied to one of the passphrase words (randomly selected). This could increase the passphrase entropy by 6-8 bits.
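As an added illustration of the separator-less ambiguity raised above (not code from this thread or from Bitwarden), the following counts how many ways a concatenated phrase parses against a constructed toy word list, and checks whether the list is prefix-free, which guarantees a single parse. The word list here is constructed to reproduce the example; a real check would load the generator's full list.

```python
"""Word-boundary ambiguity check for passphrases with the separator dropped."""
from __future__ import annotations

from functools import lru_cache

# Constructed toy word list reproducing the example in the post above.
WORDS = {"opt", "ion", "pasta", "headstone", "work",
         "option", "past", "ahead", "stonework"}


def count_segmentations(phrase: str, words: set[str]) -> int:
    """Count distinct ways `phrase` splits into list words (1 means unambiguous).

    Every extra parse is another candidate a separator-less attack would hit,
    so log2(count) is an upper bound on the bits lost for this phrase.
    """
    max_len = max(map(len, words))

    @lru_cache(maxsize=None)
    def ways(pos: int) -> int:
        if pos == len(phrase):
            return 1
        total = 0
        for end in range(pos + 1, min(len(phrase), pos + max_len) + 1):
            if phrase[pos:end] in words:
                total += ways(end)
        return total

    return ways(0)


def prefix_conflicts(words: set[str]) -> list[tuple[str, str]]:
    """Pairs (short, long) where `short` is a proper prefix of `long`.

    An empty result means the list is prefix-free, so any concatenation has
    exactly one parse and dropping the separator loses no entropy. Conflicts
    do not prove ambiguity; count_segmentations() settles it per phrase.
    """
    conflicts = []
    for w in words:
        for n in range(1, len(w)):
            if w[:n] in words:
                conflicts.append((w[:n], w))
    return sorted(conflicts)


if __name__ == "__main__":
    phrase = "".join(["opt", "ion", "pasta", "headstone", "work"])
    print(phrase, "parses:", count_segmentations(phrase, WORDS))
    print("prefix conflicts:", prefix_conflicts(WORDS))
```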

+1 for this feature. So many bad sites limit the password length now that a 3 word generated passphrase is useless and I’ve stopped using the generator entirely.

Preventing the user from setting a shorter passphrase is the classic security misunderstanding of human nature and not realistically improving their security. Blocking it from being generated or telling them to delete part of the passphrase only results in them using a human generated passphrase or another password manager that does allow what they want to do.

Show a warning banner if you want, maybe even throw some shade at the websites that limit password length, but don’t take control away from the user.

Perhaps the browser plugin could even search the text of the page to find the maximum password length and use that?

I have re-worked some of my generated 3 word passphrases by shortening some words, but it is awkward, and makes life more difficult to make sure I capture the password used.
Maybe I will work on creating some palatable shade to throw at the companies with the unreasonable limitations set as to length and send them an email with said shade. :)

If you’re using a 3-word passphrase, why not use a 6-character random password string instead?

A three-word passphrase is much more secure than a 6-character string. And if any of the passwords/passphrases need to be memorised, it’s much easier to remember.

Edit: I read this out of context. Depending on how short the words/overall passphrase is, then I understand @grb’s point - passphrases are great, but if you make them too short then they’re as useful as a very weak “random” password.

I don’t see it:

3×log2(7776) = 38.8 bits
6×log2(70) = 36.8 bits

The difference is only 4 bits, so the passphrase requires only 16 times the resources or time to crack than the 6-character password. I wouldn’t call that “much more” secure, and the difference could easily be made up by using a larger pool of special characters than the 8 included in Bitwarden’s generator.

I’m all for passphrases, but they come at a penalty of inflated length. Thus, if the concern is password length, and in the context of creating weak passwords (<40 bits), I would suggest that the short random string would be the better solution.
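An added calculator for the comparison in the post above (not code from this thread or from Bitwarden): passphrase bits versus random-string bits, the resulting work-factor ratio, and the string length or character pool needed to match a given passphrase. The list size 7776 and pool size 70 are the assumptions the post states.

```python
"""Entropy comparison: N-word passphrase vs L-character random string."""
import math

DICEWARE_WORDS = 7776   # Diceware list size assumed in the post
BITWARDEN_POOL = 70     # character pool size assumed in the post


def passphrase_bits(n_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n_words chosen uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def random_string_bits(length: int, pool: int = BITWARDEN_POOL) -> float:
    """Entropy of `length` characters chosen uniformly from `pool` symbols."""
    return length * math.log2(pool)


def work_factor_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses the stronger choice needs: 2^|difference|."""
    return 2 ** abs(bits_a - bits_b)


def chars_to_match(target_bits: float, pool: int = BITWARDEN_POOL) -> int:
    """Shortest random string over `pool` reaching at least `target_bits`."""
    return math.ceil(target_bits / math.log2(pool))


def pool_to_match(target_bits: float, length: int) -> int:
    """Smallest symbol pool letting a string of `length` reach `target_bits`."""
    return math.ceil(2 ** (target_bits / length))


if __name__ == "__main__":
    p, r = passphrase_bits(3), random_string_bits(6)
    print(f"3 words: {p:.1f} bits, 6 chars: {r:.1f} bits")
    print(f"work-factor ratio: {work_factor_ratio(p, r):.1f}x")
    print(f"chars needed from a 70-symbol pool: {chars_to_match(p)}")
    print(f"pool needed for 6 chars: {pool_to_match(p, 6)} symbols")
```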

I wasn’t reckoning on using only the 7,776 words in the Diceware list.

I see — I had made that assumption in the context of the thread being a feature request for Bitwarden’s passphrase generator (which is also why I assumed only 70 characters for the random string)…


I understand there are security concerns, however I would definitely appreciate at least a few options in this regard.

Here are a few I have thought of which I imagine could be fast to implement:

  1. Give the user the length of the generated password in the UI. This would allow users to trim or modify the listed password to their liking and within the limits of the service they are using.

  2. Allow the user to type in the length limit requirement of the service they are using and have Bitwarden dynamically switch between a generated password and passphrase depending on whether the limit is too short for a safe passphrase to be generated reasonably.

Hopefully my revival of this topic is not an issue, as it is the most recent topic that seems highly related to the addition that I otherwise would have made a specific thread for.

Thanks.
