Master password and very long forgetful master password

Is this true? I was under the impression that if Bitwarden were breached and a hacker was somehow able to crack my master password (both very unlikely), the hacker would still not be able to access my vault without my 2FA.

This is a very simple question and the answer is either yes or no.

Bitwarden hasn’t gotten breached either. Also, Bitwarden encrypts everything with a 256-bit key, like every other good password manager. Don’t praise 1Password so much.

1 Like

How do you log into Bitwarden for the first time if you don’t have your 2FA or recovery code? I would be in the same situation as anyone who uses 2FA.

I can understand remembering your master password if you don’t have 2FA.

But if you do have 2FA you’ll need either your 2FA device or recovery code, both things I would need to get, and if I’m having to get those things I might as well get my random master password too. After I’m logged in I set the vault to unlock with either PIN or biometrics, which is far more convenient than any master password.

I’m not praising 1Password, I’m pointing out what they do different; I moved away from them for good reasons.

While Bitwarden has not been breached, LastPass has and both use similar ways of encryption.

1Password uses AES256 just like Bitwarden and LastPass, but that is for the encryption key and not the same as the secret key.

The secret key sets a baseline that LastPass or Bitwarden don’t have and that is why I have my theory on why they have not been breached. If this is true then it adds more weight to my idea that people shouldn’t be picking their master passwords.

We are going to have to agree to disagree about this, we would not be in the same situation. I am not referring to the 2FA, I am referring to the master password and you keep changing the subject to talk about 2FA. As I already explained, once my device is recognized I don’t have to use my 2FA for at least 30 days, so that’s a moot point. Yes, that would be true for you too so that is why I am not talking about what is the same, I am talking about what would be different, and since you are changing the subject, let me bring it back to the subject…

The subject is entering your master password, and here is the difference… in order for you to enter your master password, since you don’t remember it, you would have to go somewhere else to get your master password (another vault, a piece of paper, something else) and then carefully type out that random master password that you cannot remember, character by character… and all of that takes time… whereas I don’t have to go anywhere else or look at anything else to get my master password because it is already inside my head and I can just start typing from memory… and since I type it many times my fingers have muscle memory and I can type it pretty quickly, but you do not have muscle memory for that long password that you are now trying to enter carefully as you are reading it from somewhere else.

And your master password is more vulnerable than mine because yours is stored somewhere else and mine is not; it is only inside my head.

1 Like

2FA is not used for encryption especially the Yubikey: https://www.reddit.com/r/Bitwarden/comments/ns0f9j/is_the_yubikey_part_of_the_decryption_process/

2 Likes

I don’t log out of Bitwarden on my mobile and can see my master password there.

1 Like

I think he’s saying that if you have two factor you already don’t know those random codes so you would have to get your two factor device anyway when logging into a new device. If you’re reaching for your two factor device you can also reach for your master password too as both you don’t know. So it doesn’t make a difference especially if you use an already unlocked device like your phone.

Then once you unlock the account you can set a pin to unlock it which is easy. There is no need to go find your master password if you have pin unlock.

No matter what side of the debate you’re on it’s smart to write down your master password. Things happen and people forget things all the time so writing down your master password and keeping it somewhere safe is a smart idea.

Absolutely agree with this kind of approach. Pick, say, the name of the hospital where your first child was born, append it to the place where you had your honeymoon, stick something like the sum of the digits of your birthday in the middle, and separate the whole lot with £ signs. For example.

It’s easy to think up things like this which are unique to you (and therefore unforgettable) and which no system or brute force attack could ever crack.

1 Like

I understand what he is saying but I don’t agree. I very rarely log in to a new device, 98 percent of my usage is from existing devices so I very rarely have to get my two factor device. It’s true that I do sometimes have to re-verify my existing devices with my second factor, but it’s very easy since I keep a physical security key nearby or connected to my computer so I can just touch it. Easy peasy. Nothing to go looking for (like a phone) and I don’t have to open an app or copy or type out codes, so even in the rare cases when I do need access to my 2FA it’s an easy thing to do and I do not have to take the second step of finding my master password because it is memorized. And typing out a memorized master password on a regular basis makes it easy to remember and hard to forget and muscle memory takes over.

I agree it’s smart to write down your master password and keep it in a safe place as a backup even if you memorize it, but that is different than writing down a long and random master password, keeping it in a readily accessible place, and looking at it every time you want to log in to Bitwarden. If you do that then either it is not in a safe place, or if it is, it becomes very inconvenient to go and retrieve your master password paper from your safe place, type it into Bitwarden, and then go put it back into the safe place. Part of the reason I use Bitwarden is to keep my passwords safe but also have convenient access, and that does not sound very convenient to me.

1 Like


That is correct. I keep my mobile device with me and have Bitwarden set to lock, not log out. So with my fingerprint I can get back into Bitwarden easily, and on my Chromebook I have it set to “unlock with PIN” so I don’t need to know my master password, which looks like this: vpjwrgiopwqrgj%ce43FF3_gkBKT@@!xpefed.
All I need is my 8-digit PIN to get in, and on my mobile, a fingerprint or PIN. If I get logged off, then I go to my note pad on my mobile, which is PIN protected, and look at that long master password.

As I mentioned before, I also use LastPass with the same kind of login setup, and in the worst case scenario I get logged out, go to my phone or safe/lock box, and get the master password that way.

Since I set my Bitwarden on my Chromebook to unlock by PIN, I have only gotten logged out one time, and I don’t know why.

Because I have my settings set to unlock with PIN and the vault timeout action set to “lock”, not log out.
So not knowing my master password so far works for me. My circumstances play a lot into that because I’m retired, don’t travel, don’t share passwords, and I never EVER take the Chromebook out of the house. I have access to my mobile/smartphone, have that PIN protected, and can get my master passwords that way if needed; I even have a PIN-protected note pad on my Chromebook and smartphone, so I can copy/paste the master password that way if necessary. So, for me, I am on the fence about changing my 30+ character master password because so far it works for me… and in the absolute worst case, where I just cannot get in, I have an encrypted .csv file that I update monthly and can just “start over”.

But for the past 3 weeks, except for that 1 hiccup where I was logged out somehow, I got back in and have had “0” issues since, and I know I have a very strong master password.

So we’ll see; I am, though, reading all the comments and opinions…

2 Likes
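Added example, not from this thread or from Bitwarden: a small Python script that puts numbers on the “cracking” side of the debate above, using the master password quoted in the post above (which the script treats as if it came from a uniform random generator) and the 8-digit PIN mentioned there. The guess rate of 10^9 guesses per second is an assumed figure for illustration only; a password manager’s deliberately slow key derivation makes real rates far lower, so the times shown are a relative comparison, not a prediction.

```python
import math
import string

# Master password quoted in the post above, treated here as if it were
# generated uniformly at random (an assumption for the calculation).
SAMPLE_MASTER_PASSWORD = "vpjwrgiopwqrgj%ce43FF3_gkBKT@@!xpefed"

# The 8-digit unlock PIN mentioned in the same post (value constructed here).
SAMPLE_PIN = "12345678"

# Printable ASCII symbols on a standard keyboard (32 characters).
SYMBOLS = string.punctuation

# Assumed guess rate for illustration; real rates against a slow KDF are far lower.
ASSUMED_GUESSES_PER_SECOND = 1e9


def estimated_alphabet_size(password: str) -> int:
    """Infer the size of the alphabet a random generator would have drawn from,
    based on the character classes actually present in the password.
    This is an upper bound: a generator restricted to a smaller set gives fewer bits."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if " " in password:
        size += 1
    return size


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of `length` characters drawn
    from `alphabet_size` symbols. Valid only for truly random output; a password
    built from personal facts is not uniform and this formula would overstate it."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds needed to try every value in a key space of 2**bits at the given rate."""
    return (2.0 ** bits) / guesses_per_second


def summarize(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Return the inferred alphabet, entropy and exhaustive-search time for a password
    under the uniform-random assumption."""
    alphabet = estimated_alphabet_size(password)
    bits = random_password_bits(len(password), alphabet)
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": bits,
        "worst_case_seconds": worst_case_seconds(bits, guesses_per_second),
    }


if __name__ == "__main__":
    for label, secret in (("random master password", SAMPLE_MASTER_PASSWORD),
                          ("8-digit PIN", SAMPLE_PIN)):
        s = summarize(secret)
        print(f"{label}: length {s['length']}, alphabet {s['alphabet']}, "
              f"{s['bits']:.1f} bits, exhaustive search {s['worst_case_seconds']:.3g} s "
              f"at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

The contrast the script makes explicit is the one the thread keeps circling: the 37-character random string is far beyond any online or offline guessing budget, while the 8-digit PIN only has about 27 bits and is safe solely because, as a later post notes, it never leaves the device and is not used to derive the vault key.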

You’re missing the point I’m making and thinking I’m changing the subject, so let me start over.

Imagine you end up naked in the desert. You try to log into your Bitwarden account, you know the master password but are stopped at the 2FA screen. You don’t have your Yubikey or your recovery code because it was too long to remember.

Without either your Yubikey or your recovery code you’re forever locked out of your Bitwarden account. Bitwarden will not turn off 2FA if you lose it.

As you can see, knowing your master password does not help you if you also don’t remember your recovery code. Your recovery code and 2FA secret, which is in your Yubikey, are randomly generated codes. If 2 of the 3 things that you need to get in your account are random and you don’t put them to memory, then what difference does it make to also make your master password random? Unless you turn off 2FA (and most say you should have 2FA), there is no benefit to memorizing your master password.

The same logic you have about needing 2FA to get in your account is the same logic we have about our master password: it’s a rare event and mostly done on new devices.

If I need my master password I don’t go to my safe, I unlock my phone and get it from there. I keep a copy of my master password in my Bitwarden vault, which most people should do, especially after the BitSwarden event. All my devices use the PIN unlock that Bitwarden has, so it’s rare I need to enter my master password. The only real time I need it is if I’m signing into a new device. I do have a copy in the safe, as most people should, but it’s rare it gets to that point.

I’m not making my life harder than it needs to be, it’s quite the opposite. I use PIN unlock so getting into my account is easy. It’s also quite relieving not having to remember another password. Knowing my master password is so complex that I don’t even know it is very nice too as I know if Bitwarden is breached I’m good on the cracking side of things. And if they are breached it’s just a matter of me pressing a button to get a new password, no need to spend time learning a new one. I also have emergency access setup if the worst happens.

I haven’t seen a good point about remembering a master password. I’m willing to have my mind changed but I’ve spent too much time thinking about this stuff and this is where I’ve ended up.

Hey @dangostylver, you should know that not everyone here shares your experience. I have to input my master passwords every time my computer is rebooted or browser is restarted. This is acute on Windows PCs where, if you close your browser, you are logged out of your vault and have to use your password to get back into BW (unless you set your Vault Timeout to Never, which many/most? are unwilling to do).

And like many others here, I use 2FA on my account and remember authorized devices, so at most I use 2FA once every 30 days per device (not much).

So, it makes the most sense for people like me to have a memorable master password because I type it a lot, and I rarely have to use 2FA. Please be open to the idea that others may use BW differently than you do, and that’s why they are advocating for a balance of memorability and strong password security. And please think about how you might change your current rigid opinion if your situation changed and you had to type in your master password a lot, like I do.

With all due respect I don’t think I am missing your point, but I do think you are missing mine.

Nope, I can still log in while I am naked in the desert because I have my Chromebook which is a recognized device so I don’t need 2FA. I think that’s the point you are missing…I am almost always logging in from a recognized device so no 2FA needed in most cases.

This is also not true. Even if I am trying to log in from an unrecognized device I can still get in without knowing my recovery code… I only need to know my master password and have my security key.

I disagree that it is a good idea to keep a copy of your master password in Bitwarden.

But you do have to remember another PIN, which is a password by another name. So instead of memorizing your master password, you are memorizing another PIN. I don’t see how it’s more likely that I will forget my master password than it is you would forget your PIN. I am as confident that I will not forget my master password as you are confident that you will not forget your PIN.

I’ve made some good points and you’ve seen them, so I disagree. :slight_smile:

1 Like

That’s cool, I’m not forcing anyone to do it my way, just pointing out other options. Whatever works for you, that is the best thing about Bitwarden is that it gives us these options.

You can use the PIN unlock in settings and uncheck the “require master password on restart” option. This is how I have it set up on my Windows PC and works well, no need to enter your master password after closing the browser window.

I think we’re going to have to go separate ways if you think you’ll have your Chromebook if you woke up naked in the desert. When I say naked in the desert I meant you had nothing, not even the clothes on your back. I’m starting to wonder if you’re trolling me if this is what you say.

The good news is that Bitwarden allows us to use it how we like it. I just wanted to let OP know he’s not alone in his thinking and that there is no wrong way to use Bitwarden.

Seriously? You did not say I “woke up” in the desert, you asked me…

“Imagine you end up naked in the desert. You try to log into your Bitwarden account…”

How am I trying to log into my Bitwarden account if I have nothing, not even the clothes on my back? Obviously I must have an electronic device with internet access, how else can I try to log in to my Bitwarden account? I’m starting to think you are trolling me.

2 Likes

To get into your Bitwarden account from a new device you need either your master password and your 2FA

or…

Your master password and your 2FA recovery code.

Both your 2FA device and recovery code are randomly generated codes and you don’t memorize them. Without either of those random codes, you can’t get into your Bitwarden account from a new device. If those are random and you don’t memorize them and you need them to get in your account why also try to remember your master password too? Why not make your master password random like the 2FA code and 2FA recovery code?

If you’re concerned about getting into an extension or app you already unlocked before, you can set a PIN lock and uncheck the box that requires you to enter your master password after restart. And since it’s good practice to have your master password and recovery code written down in a safe place and also to keep a copy in your password manager to stop phishing attacks, as I’ve pointed out with the BitSwarden event, having a random master password is not inconvenient. It’s just another random code, just like your 2FA and recovery code; it’s also like them because you don’t need to use it often due to PIN or biometric unlock.

A random master password you don’t remember is as inconvenient as the random 2FA code or random recovery code you also don’t remember.

You don’t have to do this if you don’t want to but it’s also not as inconvenient or bad as you make it to be.

If OP wants to use a random master password he doesn’t memorize but has followed all best practices, let him do it. You guys shouldn’t force your ways of thinking on someone else, as everyone’s situation is not the same. I have this very setup for my own mother, as she would pick a very bad master password, and it has not inconvenienced her; if anything she found it easier, as it’s one less thing for her to remember. She’s also had this setup for over 2 years now, so the track record is fine.

That’s the great thing about Bitwarden, it allows us this flexibility as everyone’s situation is not the same.

Because each of those things is different and serves a different purpose. That’s like asking “If you don’t memorize your passport number and your driver’s license number why also try to remember your master password?” It’s wise to use one’s judgment to determine whether it is optimal to memorize each thing on its own, just because you choose not to memorize one thing does not mean you should choose not to memorize everything. That’s a false equivalence argument.

I have already listed a number of reasons why it is a good idea to memorize your master password. Here is another reason… I do not think you can access the Bitwarden web portal with a PIN; I think you need to use your master password, and there are some things that can only be done through the web portal. And I think it would be very inconvenient to have to constantly go and retrieve my long and random master password that I cannot remember, slowly type out each character, then go and return my master password to its safe location every time I want to access the web portal. Geez, just thinking about that sounds awful and very inconvenient.

I do not agree that it is a good practice to keep your master password in your password manager. I also do not agree that having a random password is not inconvenient, I think it is inconvenient.

I do not agree that a random password I do not remember is as inconvenient as a random 2FA code that I do not remember. I’ve explained this to you several times. For one thing, the random 2FA code is saved on my security key and I never have to remember it or type it; even when I use my security key all I have to do is touch the security key while it is connected to my device and that’s it. Easy peasy. No codes to find or retrieve or read or type character by character. That is much more convenient than retrieving a master password from a safe place, typing out random characters one by one, and then returning the master password to its safe place, and if you can’t recognize that there is a big difference in convenience between those situations then I can’t help you. And if I am not at home, I have to have my phone, open the app, retrieve the master password and type it out, character by character. And what if I don’t have my phone? Or I can’t find it? I do not keep my phone with me 24/7; that would be inconvenient, wouldn’t it? I don’t have to worry about that since I memorized my master password. I always have it inside my head no matter where I am, no matter if I have my phone or not, and it’s very convenient to retrieve in no time at all and only takes a few seconds to type because of muscle memory.

You also keep repeating “a random password I do not remember is as inconvenient as a random 2FA code that I do not remember,” but that is simply not true for all of the reasons I have already explained. Repeating something that is not true does not make it true.

I am not forcing my way of thinking on anyone.

1 Like

Yes, that is correct. The PIN never leaves your device.

But if you have 2FA on your account you’ll also need either your 2FA device or 2FA recovery code to get on the web portal too.

So if you’re logging in for the first time or not on your usual computer, you’ll need your 2FA or 2FA recovery code, both of which are randomly generated, so you would need to get them just like I would also need to go get my written-down master password. We’re in the same boat.

But if I’m logging in from a device I already used before, I just let the extension autofill, as I keep my Bitwarden login info in my vault. This is the ideal way to log into the web portal because it helps protect against phishing, as pointed out in the BitSwarden event.

It’s been fun but I can’t keep going. I do thank you for keeping the debate calm and productive. Cheers!

1 Like

I’m not sure why this is hard for you to understand, but we are not in the same boat. It doesn’t matter whether the code on my security key is randomly generated because I don’t know what it is and I never need to know it and I never need to type it, even if I am logging in for the first time from a new device (which itself is a rare event) all I need to do is touch the security key and that’s it, the security key does the rest and I’m in. Easy peasy. And my master password is in my head and I can type it out in a few seconds from muscle memory. Nothing to retrieve, nothing to “get,” nothing else to do. And in the vast majority of cases my device is already recognized so I don’t even need to touch the security key. That is much different than you having to “get” your master password from somewhere else, every time you want to log in to the web portal, regardless of whether you are logging in from a new device… every…single… time…and type your master password character by character, then return your master password to its safe place. So no, the boats that we are in are not the same, they are different.

I would also point out that Bitwarden itself states that having a memorable master password is “critically important.” The following is copied from Bitwarden’s help page…

## About your Master Password

Your Master Password is the primary method for accessing your Vault. It’s critically important that your Master Password is:

- **Memorable:** Bitwarden is a Zero Knowledge/Zero Trust solution. This means that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your Master Password. Don’t forget your Master Password! Bitwarden won’t be able to reset it or recover your Vault data if you do.