Master password and very long forgetful master password

Hello Everyone.

With all the hackers out there & cyberattacks… I am trying a new strategy to keep my passwords safe.

What I’ve decided to do is change my Bitwarden master password, it’s so long now 30+ characters lower case upper case numbers symbols etc…that now I can’t remember it.

So, I have done the following, so I don’t get locked out.

1, I changed on my Chromebook the way I log in to my Bitwarden now I use the >>> “with pin”<< instead of password so much easier to remember & log in.

I’m also able to log into Bitwarden with my mobile device with my fingerprint / password and I can see my master password there in my secure notes. Hopefully this would be a great 2nd way to “get in” should I not be able to on my Chromebook.

As an example, the other day when my Chromebook booted up, Bitwarden wanted my master password instead of my PIN number. I don’t know why, because I have it set to unlock with PIN and not require master password on reboot, but somehow someway it wanted my password, so it was a little difficult to get in. I went on my mobile device, found the master password there, and with great patience typed all 30+ characters & logged in to Bitwarden on my Chromebook that way.

This login issue with Pin/ password happened only once. I use the Bitwarden Chromebook extension & have for a long time no issues so far except that one time.

2, I have an encrypted exported .csv file of my passwords stored in Dropbox with 2FA & file lock & encrypted .csv files that I update monthly with any new passwords. Worst case scenario, if I can’t get in, I can “start over” and import my passwords and begin again.

3, I also have LastPass and set it up identically to my Bitwarden account. With my LastPass I also have a 30 + character master password which obviously I can’t remember, but IF I can get into my Bitwarden with the 8 digit PIN I can look for my LastPass password then copy and paste the password and login to my last pass this way I don’t need to remember that master password for LastPass.

Also, the way my LastPass is configured, I can login with my mobile device if needed, and it’s heavily secured with fingerprints & A PIN number. And I can reset my LastPass master password and change my pin via my mobile device that way if needed.

I can also look for my Bitwarden password that is in my LastPass & get back into Bitwarden that way should I not be able to “get into my Bitwarden,”

3, I also have it written down and put it in my safe my master password to Bitwarden and LastPass,

although I’m not real happy with that idea. I tried to disguise it by not saying that it’s my Bitwarden password, but I will know what it is.

Does anybody else have really long Master passwords that are impossible to remember, if so how do you handle remembering it?

Also, this is probably for another thread, but I’m curious what everybody thinks of biometric fingerprint security on a mobile device?

I have a Samsung Galaxy Note 9, and I was told that’s one of the best devices for fingerprint security?

It’s so convenient to press your finger to get into something, making it easier than putting in a password.

I sure don’t want to let convenience though create a security issue.

This is the first time that I’ve had a master password so long for my Bitwarden / LastPass account that I can’t remember them

I figured for safety reasons, it’s probably best to have a 30 + character Master login password.

It’s going on 2 weeks now since I did that 30+ character master password change, other than the one time password/pin hiccup I have had no issues logging into Bitwarden or LastPass on my Chromebook.

I’ve never had any issues with my mobile device, it works all the time every time.

Also, I use two-step authentication on anything that I can, when its offered I use it. I use Authy.

I have recently changed all my passwords, they are as long as possible. Some are 35 + characters hard to crack I hope!

I have a 100% security score according to LastPass. & I want to keep it that way.

FYI>> Bitwarden is my go-to password manager, I only have LastPass as a backup.

Both have very long Master passwords and both have 2FA enabled.

I use 2FA on my Bitwarden as well as my LastPass I use Authy.

Any suggestions would be appreciated.

I’m sorry, but why do you use Dropbox to store your passwords? It has a history of being breached in the past. Read the news here: Troy Hunt: The Dropbox hack is real

If you are looking for secure cloud storage to store sensitive data, Sync.com is better. As for the rest, you can read this article. https://restoreprivacy.com/cloud-storage/best/

I would avoid using the same email for password manager and social sites. Use a unique email just for password manager and sensitive data only. If the hacker gets my email, the first thing he would do is hack my email first, because most people are not using password manager. I personally use Tutanota Mail just for that. You can check out this list for secure email providers. https://restoreprivacy.com/email/secure/

As for your question on generating a master password, this guide might help: https://passwordbits.com/make-master-password/

If you want to write down your master password, but don’t want anyone else to find out, you can write some kind of password hint on paper instead of the real password.

As for the rest of your setup, I’m not going to criticize those. Because everyone has a different level of convenience, trust level and I respect that. My setup is a lot different since I am using Bitwarden on Linux PC only.

1 Like

Thank you very much for the reply!!

I am going to take a serious look at the email suggestion you gave to me.

As for Dropbox, I have used them for 15 years I think? And never even had a scare. Or issue of any kind. I have 2fa on my Dropbox & the files in there are encrypted as well as the folder that I keep the .csv files in.

Even if someone got in my Dropbox by getting past my 26 + character password then getting past the 2fa and got in, they would need the decryption key for the .csv file I have there that is NOT named password manager. IF they found the file, and IF they figured out my 30 character decryption key passcode, & got my passwords and went for important stuff like my banking credit cards etc. they would again be faced with 2fa on those accounts.

I also have cloud storage with Mega and have my .csv files there as well just like in Dropbox in an encrypted folder. And my Mega account is 2fa protected with a 28+ password. I just don’t like leaving all my eggs in one basket, that’s why I have two cloud storage accounts and extremely long passwords and two-step authentication on everything that I possibly can.

The email suggestion you gave me, I think is a GREAT idea.

I am still trying to figure out a way to remember such a long master password that I now have.

Being almost 60 and only 1 computer that always stays here with NO ONE having access to it unless somebody broke into the house is one reason I am less of a risk than someone who travels with their laptop all around for work etc.

With my mobile device so far 20+ years I have been careful enough to not leave it anywhere and if I don’t get robbed I shouldn’t have an issue there either. I do keep my mobile locked and password protected.

I am trying to be security conscious and that’s why I’m asking in the Forum about how to remember this long password and anything else that I might be able to do to make things more secure.

Thank you very much for your reply

1 Like

My brother does this and I’ve tried it for a few months too and thinking about going back to it.

The weakest point of a password manager is the master password and people suck at making passwords. So a random master password just seems the most logical but also the riskiest too.

It starts to make sense when you realize that if you have 2FA on your account you’re pretty much doing this already. The 2FA secret key is randomly generated and so is the recovery key and if you don’t have either you’re locked out of your account. I’m for sure not remembering those things so why should I waste time remembering a master password too?

There were a few things I did to make it easier on me. I would do all lowercase master passwords that were 20 characters long and space them out.

Example: yzep tkrg jycc vxmv tzjd

It’s easier to read and type especially on mobile if you ever needed to. I would also add a pepper to the end of it so I could store it at home in more convenient places but without fully giving away the master password.

The real master password: yzep tkrg jycc vxmv tzjd 1234
What I store: yzep tkrg jycc vxmv tzjd

This way I only really need to remember a PIN, it kind of works like a secret key that 1Password uses.

A password like this would be 94 bits strong which is more than fine, at 10 trillion guesses per second it would take 63,183,731 years to crack and that is not including the 100k interactions that Bitwarden does so it would take much longer.

I’ve thought about doing a hexadecimal master password too as it would be more simple and easier to enter.

Example: 7e62 aa3a 4723 3672 a9be 63a6

You would have to go to 24 characters but only have to deal with 0 to 9 and a to f for characters is nice though. That hexadecimal password above is 96 bits of entropy.

Any master password over 60 bits is considered fine, 80 bits is ideal, and anything over 128 bits is way overkill. I personally would consider over 80 bits overkill as a password manager uses iterations to slow down cracking, the faster computers get the more iterations they use so we pretty much stay the same through the years.

When I did it I had the master password in a local vault inside of KeePassXC which itself had a simple master password as it never left that computer and the Bitwarden master password was peppered too. The reason I stopped is that I felt I needed to have a master password that I can remember as I was not using 2FA at the time. Now that I use 2FA I’m already having long digits I can’t remember so what’s one more? With computers getting better at cracking I keep thinking about moving back to a random master password I don’t have to remember. People suck at making passwords, thus the reason we use password managers, so it just makes sense to use a random master password too.

I hate recommending it because it feels complicated especially to someone new. But then again 1Password does it with the secret key so it might not be a huge leap for people?

2 Likes
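An added example, not written by anyone in the thread: it reproduces the entropy and crack-time arithmetic from the post above for randomly generated passwords, and shows how much of the strength remains in the PIN "pepper" if the written part is found. The guess rate and iteration count are the figures quoted in that post; the function names and the cost model (each guess costs one unit of work per KDF iteration) are assumptions of this example.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600
RAW_GUESSES_PER_SECOND = 1e13   # "10 trillion guesses per second", from the post
KDF_ITERATIONS = 100_000        # iteration count quoted in the post


def entropy_bits(alphabet_size, length):
    """Bits of entropy when every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, raw_rate=RAW_GUESSES_PER_SECOND, kdf_iterations=1):
    """Seconds to try every candidate (on average a hit comes at half this).

    Assumption: one password guess costs kdf_iterations units of the work
    behind raw_rate, so the iterations divide the attacker's guess rate.
    """
    return 2 ** bits / (raw_rate / kdf_iterations)


def years_to_exhaust(bits, raw_rate=RAW_GUESSES_PER_SECOND, kdf_iterations=1):
    return seconds_to_exhaust(bits, raw_rate, kdf_iterations) / SECONDS_PER_YEAR


def random_grouped(alphabet, length, group=4):
    """Random password from the OS CSPRNG, spaced into groups for typing."""
    chars = [secrets.choice(alphabet) for _ in range(length)]
    return " ".join("".join(chars[i:i + group]) for i in range(0, length, group))


def compare_schemes():
    """Entropy and exhaustive-search time for the schemes in the post."""
    schemes = {
        "20 random lowercase letters": entropy_bits(26, 20),
        "24 random hex digits": entropy_bits(16, 24),
        "20 lowercase + 4-digit PIN": entropy_bits(26, 20) + entropy_bits(10, 4),
        # What is left if the written-down part is found by the attacker.
        "PIN alone (written part found)": entropy_bits(10, 4),
    }
    return {
        name: {
            "bits": bits,
            "years_raw": years_to_exhaust(bits),
            "years_kdf": years_to_exhaust(bits, kdf_iterations=KDF_ITERATIONS),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    print("sample lowercase:", random_grouped(string.ascii_lowercase, 20))
    print("sample hex:      ", random_grouped("0123456789abcdef", 24))
    for name, r in compare_schemes().items():
        print(f"{name:32s} {r['bits']:6.1f} bits  "
              f"{r['years_raw']:.3g} y raw  {r['years_kdf']:.3g} y with KDF")
```

The last row is the caveat for the pepper scheme: the PIN keeps a casual finder of the paper out, but against someone who holds both the paper and an offline copy of the vault it adds only about 13 bits.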

I have chosen memorable passwords using a somewhat similar system that worked well for me - I have used a passphrase plus a numeric pin. The passphrase is something memorable, like a song lyric, memorable saying, movie title, etc., just as long as it is a string of easy to remember words, and at one end I would add a numeric pin (again, something memorable). Unless a hacker understands your system, the number of characters is long enough to be guessed and they can’t rely on a passphrase dictionary because of the pin.

1 Like

I don’t like going that route because of Brain Wallets.

People would store Bitcoin in Brain Wallets and use common phrases from songs, movies, and so on and the money would be taken. Even long phrases would be stolen, if it’s been written down somewhere someone was stealing it. Even an obscure poem in “Afrikaans” was stolen.

The Brain Wallet examples are perfect as there is money behind them and makes them worth stealing. This also tells us that poems, movie titles, song lyrics, and so on don’t make for good master passwords.

I’ve even done my own tests with a Bitcoin Brain Wallet and changed a saying from a poem slightly and it too was taken. I do have other Brain Wallet tests running that haven’t been stolen yet, mostly the ones that were randomly generated. It’s because of these Brain Wallets that I’m starting to consider a randomly generated master password.

1 Like

You need to think more outside the box. Dictionary attacks are only successful if the attacker has access to a workable dictionary. Mixing terms and something like a PIN totally defeats it, assuming that the attacker does not understand your system.

For example, I might (or might have!) used this system:

GirlfriendFirstName + GirlfriendLastName + City + Year + PIN

Exceptionally memorable and essentially impossible to guess or brute force.

2 Likes

I think my master password looking like this is safer than a memorable phrase I feel more secure knowing it looks like this>>> rlL3$0&Zv&pfvIsLI5tjV1w03JQ0Pz2thDe
The problem is remembering it. This is why I have 2 password managers and I can copy/paste the password to get in provided I can at least get into my Bitwarden & using the pin makes that easier than trying to remember a master password that looks like this >> rlL3$0&Zv&pfvIsLI5tjV1w03JQ0Pz2thDe… <<< Of course that is not the password I use, but it is just as complicated…

If I cannot get into Bitwarden on my Chromebook for any reason having my smart phone and the ability to use a pin to get into my phone, it will allow me to get my master password and then log into my Chromebook that way because I have it in a safe note in my Bitwarden account.

I feel more secure using my super long random password than something like bonnie2345! Memaah.<< of course I made that up too, it is NOT a password I use.

Being extra careful is never a bad thing, especially considering the fact that your master password is the key to all your other passwords. That said, I would like to give you my honest opinion - I think you are overdoing it.

I will start with the thing that I found most disturbing - there shouldn’t be any possibility of you forgetting your master password!! If you don’t know it as well as your name, change it! While reading through all your elaborate setup, I nearly got a headache. 80% of all the shenanigans you posted can be avoided if you just remember your master password (while the security remains exactly the same!).

Another thing is that you grossly overestimate the “hackers”. More specifically the computers they use. To us, password №1 (Machinist-Unvalued-Shiftless-Approve-Elongated4-Defuse) looks very easy to crack compared to password №2 (rlL3$0&Zv&pfvIsLI5tjV1w03JQ0Pz2thDe). I can assure you, with all the computing power we have on Earth, the Sun will explode before we crack either of them. Technically yes, №2 is stronger, but does it matter if it takes 10 billion or 10 quadrillion years to crack? To clarify even further, there is absolutely nothing wrong if your password is №2, but if you can’t remember it and you have to think of backup plans in case you forget it, you literally defy the purpose of a password manager - to make your life easier. Also, generally it’s not a good practice to keep your master password in your vault.

My password’s structure is similar to №1, it’s 40+ characters and it took me 1 day to remember it. Everything @dh024 said is true, but the example he gave is not good. Don’t use names in general, as well as years and dates. If you add a PIN, don’t do it at the end. For example, separate the 2nd and 3rd word with it. This will make it infinitely more difficult for anyone to guess it. Watch Computerphile on YouTube about passwords. Choose just a single word in your passphrase and put a f*cking “!” somewhere in it, for example: com!puter. In the end, you’ll have to remember 4-5-6-7 words, what separates them, a “!” in one of them, maybe a “@” in another one, and that’s it! An unbreakable password. Why do you have to torture yourself with №2?

1 Like

Now I see where your worry is. Use this tool. If your master password takes centuries to be cracked, then it should be fine:

Example of a strong password: Lemonade-makes-me-sneeze-42-ferrets?
It takes centuries to crack that password.

The example I use above is taken from this guide: https://passwordbits.com/make-master-password/

A hard-to-remember password is not necessarily secure, if it is not long enough. For example this 12-character password: I*qWff9O#ozZ
It takes just 3 years to crack that 12-character password.

2 Likes

Nah, that’s not a rule - only something to avoid if you are naive about secure passwords. Names in a passphrase are fine when combined with a PIN. Assuming you aren’t using a very common first and last name (which a hacker will try first), there is a HUGE amount of entropy involved in name combinations, if you are choosy. Add a 5-digit pin, and you are far, far ahead of 12-15 digit random passwords (which is approaching the limit of what most people will try to remember).

1 Like

I agree with you about remembering my password. I have had LastPass for years and most recently Bitwarden, and with the free tier issue with LastPass it brought me here and glad it did, & when that happened I got to thinking about being really secure. Not that my password I had before was bad, I think it was rather secure, I just wanted to “redo” all my passwords including my master password and of course use 2FA on everything I possibly can. My password score now is 100%, it was 93% I think before my redo. I have never had any issues, I think coming to Bitwarden had me thinking about making 100% sure I am as secure as possible.

I am going to look at this to make a memorable yet secure password. It may take a day or 2 to get one that suits me. At least I am concerned & looking to be as secure as possible. For the past 2 weeks I have had no issues getting in to my Bitwarden but yes, I do not know my master password.
Going to check this out soon>> How To Make A Master Password For Your Password Manager | Password Bits

A hard-to-remember password is not necessarily secure, if it is not long enough. For example this 12-character password: I*qWff9O#ozZ
It takes just 3 years to crack that 12-character password.

1 Like

Make sure that all your passwords are at least 20-characters. Then, test with the Bitwarden Password Strength tool above.
For my BW master password, I use more than 25 characters.
For my other websites, I would use just 20-character, random passwords. For example: Y6DCL9P0$bmZAob0TltM
The problem with longer passwords is most websites don’t accept them. Password managers like BW or Lastpass are some of the exceptions.

I use many numbers, letters & special characters over 25 if possible for all of my passwords along with capitals & symbols if allowed.

I have come across some websites that don’t accept those super long passwords or special characters but the ones that do I use at least 25 characters.

For my master password, I will use at least 25. Right now my master password has over 30 characters. Too bad I cannot remember it because it’s really strong.

I am curious about this. I used this password tool to help me make a new memorable (at least to me) password and found that some I tried were fair until I added 4 numbers and (!) or the (@) at the end, then it jumps to centuries. Just by adding 4 numbers and a symbol like >> ! Or @ can make it go from a few weeks to crack to centuries??
Just learning that’s all not being sarcastic.

The password tool is this one from Bitwarden

If that tool shows centuries, then it should be fine. That Bitwarden tool is accurate and strict already.

I tried other online tools, which I found on search engines, but that one is the best for an online password checker. If my password passes the Bitwarden tool, in other words shows centuries, it will pass the other online tools that I’ve found on search engines.

To everyone saying to make a memorable master password why should you do it if you don’t need to remember your 2FA secret or recovery code?

Without either your 2FA secret or recovery code, both of which are random and you don’t remember, you won’t be able to get into your vault no matter how much you know your master password. So what’s one more thing you don’t need to remember and keep written down in a secure place?

First, I use physical security keys for my 2FA, so there’s no code for me to remember, I just touch the security key once it is connected to my device. Second, once my device has been verified as a recognized device with my security key then I don’t have to use the security key as a second factor again for at least 30 days but I still have to type my master password each time I want to log in. So it’s important for me to remember my master password.

So correct me if I am wrong, but all the talk about how many years it takes to crack a password only applies if someone has hacked Bitwarden and has access to all of the password hashes and is able to brute force all of the hashes offline for as long as they want, correct? This is the only situation where someone could theoretically devote months or years to hacking the Bitwarden passwords and theoretically hack them. And if that’s true, isn’t that very, very, unlikely indeed that someone would be able to break into Bitwarden and get all the hashes offline and have unlimited time to crack them, and even if they did, wouldn’t we know about it and have plenty of time to change our master password?

In all other situations, such as someone continually trying to log in to Bitwarden and guessing our password, doesn’t Bitwarden stop random guesses after so many tries? Doesn’t that make it practically impossible to “brute force” Bitwarden directly? Also, if someone phishes you or has a key logger, or they know you intimately and they have access to your password…it doesn’t matter how long or complex your password is because the attacker simply has it, they don’t need to guess it.

So all the talk of having very long and complex passwords that take centuries to guess only applies to one situation that is very, very unlikely, and even if it did happen we would have time to change the password, and if you have 2FA set up then it would be impossible for a hacker to get in anyway even if they somehow guessed your password. Isn’t that correct?

You still have the recovery code you need to store in case you lose your security key. Keeping track of your security key is the same as having to keep track of your 2FA secret, it’s just that your secret is hard encoded into your USB dongle. Both the secret key in your security key and recovery code are randomly generated and you need either one to get into your account.

The same is true if you use a random password. Once logged in you can even set Bitwarden to unlock with a PIN or Biometric Auth to make it easy to get in your vault. There is no need to remember your master password and if you need it you go get it from the same place you store your 2FA recovery codes.

And if things really get bad you can set up and use the emergency access feature which bypasses both your master password and 2FA.

Yes, but when it comes to security it’s best to assume the worst. I’m hopeful Bitwarden will never be hacked but thinking it will keeps me grounded in reality. Also, if Bitwarden is hacked 2FA won’t mean a thing and the only thing left keeping your data secure is your master password.

They block IP from trying too many times but an attacker could use multiple IP addresses and try. Even then that type of attack I’m not worried about. A simple but unique master password would stop that as the time to communicate and hash is too slow. It’s when the attacker has obtained the database that it becomes a problem.

Yup, but this is out of scope for this conversation. At that point, your master password would not matter; if your computer is infected it’s not your computer anymore.

LastPass has been breached several times so far and so have many password managers. In fact, the only password manager I know that has not gotten breached is 1Password and that is interesting because they use a secret key. The 1Password secret key is a 34 random character password that users don’t remember and without it, you can’t get in your account. The secret key is combined with the user master password to make the key to unlock their vaults, so you’ll need to store it somewhere safe if you need to get in your vault.

I wonder if the reason why 1Password has not been breached is due to their use of the secret key? There is no point in breaching them to get their database because at the very least all accounts have a 128-bit key protecting the data. Where with Bitwarden you have a chance of a user reusing a poor master password or picking one that is weak.

2FA has nothing to do with the encryption of your account. If Bitwarden is breached only your master password is what protects your account. 2FA is only for authorization.

I’m not a fan of OP’s way of making a master password, but I’m not against using a randomly generated master password. I think a simple master password that looks like “qosb vzui yryr meyh sjwr” is fine and more than secure enough. It’s also easy to type on mobile and with enough time someone could remember it if they wanted to.

I don’t speak this way without good reason. As I’ve stated before, brain wallets give us a great baseline on what cracking power exists today because there is money behind it. There is also money behind cracking someone’s password manager.

If brain wallets that use this long phrase are being cracked it makes me wonder…

"It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair" source.

  • It makes me wonder how strong should my master password be?
  • It also makes me wonder… if people are bad at picking passwords, and thus why we get them to use a password manager, why are we letting them pick the one master password to rule them all?
  • I also wonder… if no one remembers their 2FA recovery code and 2FA is highly recommended for password managers then what is one more random code I don’t need to remember used as my master password? I’ll just store my master password with my recovery code in a safe place. I could even turn on emergency access for a failsafe option.

I’m not trying to be rude or crazy but I’m starting to wonder what benefit does it bring to remember my master password?

I see it as different. With a physical security key, I don’t have to remember a password or a string of random characters, all I have to do is maintain possession of the security key and push the button on the key and it automatically enters the random code. So while it’s true that the security key has a security code hard coded, that doesn’t change the fact that I don’t have to remember that hard coded code. It’s a different thing. There is no button for me to push to enter my master password.

So the net result is I don’t have to remember anything or any codes related to my 2FA, but I do have to remember my master password.

The benefit to having a master password that you can remember is being able to log in to Bitwarden without having to access another database or find where you wrote down your master password. If you have a long random master password that you cannot remember, how do you log in to the Bitwarden web vault for the first time after logging out? What about logging in to the browser extension for the first time after logging out?