Master password advice

I’m getting conflicting advice.

Would you advise people who do not like typing out their master password on their home PC repeatedly to make up a new 4-word phrase, or should they use 8 randomly generated characters?

What is your advice?

To be clear, I did not advise that you (or anybody else) should “make up” a passphrase. Passphrases must be randomly generated by random selection (using a random number generator or dice rolls) of four or more words from a list of at least 5000 words, with no cherry picking (i.e., no rejection of words or phrases that you don’t like).

Generally, I advise using a 4-word random passphrase, because something like tyrant-loads-misty-skirmish is typically easier to remember and to type than something like 6=+2g{oW, even though it is longer.

In your specific case, though, if you have already memorized a “super long, super complex” character string that was randomly generated (e.g., something like _n&e=7qsv!yfr(~U&>[k), the best solution may be to shorten your master password to 8–10 characters (e.g., _n&e=7qs or _n&e=7qsv!), to facilitate typing.

This is cross-topic now, but why did you assume what my current password is?

A “4-word random passphrase” is of the same length and complexity and randomness of my current password. I consider it long and annoying to type while sitting in my Zero Threat living room on my personal computer when I’ve instructed my password manager to remember who I am for a while, and it forgets who I am. Changing to a NEW “4-word random passphrase” does not solve my existing problem. It just gives me a new problem - memorizing a NEW passphrase to replace my old one.

I have not made any assumptions — note that I’ve always used the word “if” when it comes to details that you have not shared.

Four-word passphrases generated using Bitwarden’s passphrase generator (and similar generators) have 31 characters on average, and contain only lowercase letters and hyphens when using default settings (not what I would consider “super complex”). If you are using a random character string of equivalent length and complexity, then it would look something like hdwbsf-hmggoan--n-ayulj--w-oolx (or, if you allow for randomly selected special characters, which would increase the complexity relative to the passphrase examples, it might look like this: yhqmp*#gll*tohpnvuzm&^bn%rbelyv). If this is representative of what your master password looks like, then you would only need to use the first eleven characters to get sufficient protection for your Bitwarden vault (or as few as 9 characters, if your special characters include all 33 non-alphanumeric printable ASCII characters).

This being said, it would be very helpful for any continued discussion if you could disclose whether you are in fact using a randomly generated character string (computer-generated without human decisions) as your master password.
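The entropy comparison in the reply above (four random words versus a random character string, and why the first eleven or nine characters of such a string are already equivalent) can be checked with a short script. The following is an added example, not code from the thread or from Bitwarden. It assumes a 7776-word list (the size of the EFF long list; the thread only states "at least 5000 words"), a constructed eight-word toy list for the generator demo, and alphabet sizes of 27 (lowercase plus hyphen), 69 (lowercase, digits and all 33 non-alphanumeric printable ASCII characters) and 95 (all printable ASCII).

```python
import math
import secrets

# Assumed word-list size: the EFF long list has 7776 words. The thread only
# requires "at least 5000 words"; change this constant to match your list.
EFF_LONG_WORDLIST_SIZE = 7776

# Constructed toy list for demonstration only. A real passphrase must be drawn
# from a list of at least 5000 words, never from a handful like this.
TOY_WORDS = ["tyrant", "loads", "misty", "skirmish",
             "candle", "orbit", "velvet", "quartz"]

# Alphabet sizes used in the comparison (assumed, not stated on the page):
LOWER_HYPHEN = 26 + 1            # default passphrase output: a-z and '-'
LOWER_DIGIT_SPECIAL = 26 + 10 + 33  # lowercase, digits, all 33 ASCII specials
ALL_PRINTABLE = 26 + 26 + 10 + 33   # every printable ASCII character


def generate_passphrase(words, count=4, separator="-"):
    """Select `count` words uniformly at random with a CSPRNG.

    Every draw is kept as-is: rejecting words you dislike would bias the
    selection and lower the real entropy below the figure computed below.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_random_string(alphabet, length):
    """Random character string over `alphabet`, one CSPRNG draw per position."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of `word_count` independent uniform draws from the list."""
    return word_count * math.log2(wordlist_size)


def string_entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform draws from the alphabet."""
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size, target_bits):
    """Shortest random string over this alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def equivalent_lengths(word_count=4, wordlist_size=EFF_LONG_WORDLIST_SIZE):
    """Map each alphabet to the string length matching a random passphrase."""
    target = passphrase_entropy_bits(wordlist_size, word_count)
    return {
        "lowercase+hyphen": chars_needed(LOWER_HYPHEN, target),
        "lowercase+digits+33 specials": chars_needed(LOWER_DIGIT_SPECIAL, target),
        "all printable ASCII": chars_needed(ALL_PRINTABLE, target),
    }


if __name__ == "__main__":
    bits = passphrase_entropy_bits(EFF_LONG_WORDLIST_SIZE, 4)
    print(f"4 words from {EFF_LONG_WORDLIST_SIZE}: {bits:.1f} bits")
    print(f"8 chars from all printable ASCII: "
          f"{string_entropy_bits(ALL_PRINTABLE, 8):.1f} bits")
    for name, length in equivalent_lengths().items():
        print(f"  {name}: {length} characters match the passphrase")
    print("toy passphrase:", generate_passphrase(TOY_WORDS))
    print("toy string:", generate_random_string("abcdefghijklmnopqrstuvwxyz-", 11))
```

With the assumed 7776-word list, four words give about 51.7 bits; eleven characters of lowercase-plus-hyphen and nine characters over the 69-symbol alphabet each reach that, which is the equivalence the reply states, and an 8-character string over all printable ASCII lands at about 52.6 bits, which is why 6=+2g{oW and tyrant-loads-misty-skirmish are comparable. Any truncated string still has to satisfy the 12-character minimum Bitwarden imposes on master passwords, as noted later in the thread, so the entropy figure alone does not settle the final length.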

OK, if you are already using a randomly generated 4-word passphrase, then there is no point in generating a new one. Your characterization of your master password as “super long, super complex” may have misled me (as I would consider a 4-word passphrase to be neither “super long”, nor “super complex”).

Just for general information: Bitwarden has a minimum requirement of 12 characters for a master password.
