Master password and very long forgetful master password

You don’t need to make your password complicated. If the Bitwarden password strength testing tool shows centuries, it should be fine.

This video will demonstrate how a password cracker works. This tool will crack a short, 10-character password in a few minutes.

Yes, I agree with @RandomGuy above that your password should be memorable. While you can write down your master password on paper, if your house gets burned, you will lose that paper.

If you change your master password, the best approach would be to write it on paper first until you memorize it, but never rely on the paper to remember that password for the longer term.

I need to make this point as it seemed to have been missed among the fog.

If you have 2FA on your account and lose your Yubikey or phone and don’t have your recovery code written down somewhere, you will be locked out of your Bitwarden account forever. It won’t matter how well you know your master password; you need that random recovery code.

The recovery code is the only way to turn off 2FA on your account and get back into your account if you lose your Yubikey or Phone.

If you’re going to write down your recovery code, please also write down your master password too. This forum and the subreddit are full of people who forgot their master password. It’s okay to write down your recovery code and master password so long as you keep it somewhere safe. You’re only human, mistakes happen, no one is perfect, so please write down your master password and keep it somewhere safe.

If you have premium, also consider setting up emergency access too.

There are a lot of “ifs” in that sentence… yes, if you have 2FA…and if you lose your yubikey…and if you lose your phone… and if you lose your recovery code…then yes you will be locked out of your Bitwarden account. I don’t see how any of that supports your position that you should not remember your master password though.

Not true: if you remember your master password, you don’t need your random security code if you have your security key, or you have your phone, or you have access to your email, or you are logging in from a recognized device.

To be fair, @dangostylver is only making a legitimate point that if you have 2FA turned on but lose access to that second factor, you will be forever locked out of your vault. It’s essential to save your recovery code in a safe place. This is good advice that everyone should follow.


If you lose your security key or your phone, you do not need to turn off 2FA and get back into your account; you only need to get back into your account, so you can skip turning off 2FA. And you will be able to get back into your account if you lose your security key OR phone, as long as you don’t lose your security key AND your phone. And even if you lost your security key and phone, you would still be able to get into your account if you enabled the option of getting a code sent to your email as a second factor.

If you lose both your 2FA device and Two-step Login Recovery Codes, you won’t be able to log in. For example, if your house gets burned.

Some of the solutions that work are:

  1. Write the Two-step Login Recovery Codes in a notebook. Then, store that notebook somewhere far from your home, like in your relative’s house. Keep the 2FA device (Yubikey/smartphone) with your computer at home. Memorize your master password. This way, if you want to log in to your BW vault, you can use the Yubikey + master password. If your house gets burned, you can go to your relative’s house, log in and disable 2FA with the backup codes.
  2. Turn on 2FA via email and use your email as the 2FA app. You need to memorize both the Bitwarden master password and your email password. See: Two-step Login via Email | Bitwarden Help & Support
  3. Use Authy as the 2FA app; memorize your master password and your Authy backup password. Authy will back up your accounts online and sync them with your phone number. Should your house get burned, you will be able to recover your TOTP tokens by getting a new SIM card with the same number.

You need to memorize your master password for the longer term in all situations. But, if you have just changed your master password, it is recommended that you write it on paper. This way, if you have a problem memorizing it at first, the paper can help.


That’s the thing: most people’s 2FA device is their phone. So if you lose your phone, you also lose your 2FA. Not everyone uses a Yubikey. Either way, it’s still important you write down your recovery code, as 2020 taught us anything can happen.

Most people don’t turn that on, and it’s not a default option either. But even if you did have email 2FA turned on, you still could be locked out because most people use a random password for their email and have 2FA on it too, so you’ll need to store its password and recovery codes on paper too.

If you’re going to have 2FA all roads lead to paper or run the risk of being locked out.


And how do you know this? Bitwarden offers 5 forms of 2FA… an authenticator app, a Yubikey OTP security key, Duo, any FIDO2 WebAuthn enabled security key, and email. And even for those who use an authenticator app, it doesn’t necessarily have to be on their phone, an authenticator app can be on a variety of devices, including tablets. And even if what you say is true, some people may also have other forms of 2FA set up.

This was in reference to using email as 2FA…how do you know that most people do not turn on email as a 2FA option? I would be curious to see the basis of your conclusion.

How do you know that most people use a random password for their email? And have 2FA? I am skeptical. I certainly do not use a random password for my email and in my general experience I do not think that other people do that either. And my general reading on the topic of security leads me to the conclusion that most people do not use 2FA, so I would be curious to know the basis of your conclusion that most people use 2FA for their email because I doubt that is true.

I think you are making a number of false assumptions which are leading you to faulty conclusions.

From helping many people I see what a lot of people use, but that doesn’t matter, as I stated…

It doesn’t matter what 2FA you use, you should still write down your 2FA recovery code. Don’t expect your phone, Yubikey, or X to always be there.

We just had someone yesterday on the subreddit who uses 2FA have something go wrong and could have potentially been locked out and the general advice was to make sure you have your recovery code written down. https://www.reddit.com/r/Bitwarden/comments/nz83xz/authy_codes_failing/

I don’t know why you’re making excuses to not write down your recovery code? You act like your phone, computer, Yubikey, email account, or whatever will always be there no matter what. We don’t live in that perfect world so it’s smart to at least write down your recovery code and keep it somewhere safe.


You can always buy a few (Yubikeys). I have 3. One on my keyring, one in the fireproof safe and one off site (aka “Mum’s house”).

Sounds like strengthening your password was a great idea; you just need to bombproof the system behind it all.

Storing an encrypted JSON export is good, I wouldn’t put anything else in DropBox. Maybe consider keeping that export on a thumb drive in a safe or in SpiderOak or some other encrypted cloud storage.

Remember, any time you change your password or rotate your key you need a new export, or it won’t open when you need to export from it.

Having a 2nd PW manager because of not being able to remember the 1st PW for your main manager is complex, and you can def make a memorable password with enough entropy (and easier to type but still complex; don’t let it be casually spied and memorized by others who happen to see you type it, but avoid that too). Think Ed Snowden with a towel over his laptop. :joy:

2FA on Authy is smart; make sure to back up that account too in case you lose your device or get a new one.

Def put recovery codes on paper and in a safe. The likelihood of someone getting those AND your JSON AND your 2FA device is usually really low (or you need to make it low). Same advice for using a separate email for your BW account. Yet one more “new” part of the puzzle for a hacker; they’ll never crack it if they’re brute forcing the wrong username. Again, you obvi need a new encrypted export JSON if you do a new account like that.

Biometrics on iOS have a secure track record overall. I’m going to assume Android has also reached secure levels, and this “image” (stored locally / encrypted) or its key seems unlikely to be used to hack your PW manager.

Make sure your “time outs” are set to where you like them, where BW locks or logs out. The latter is safer but less convenient than a vault lock with PIN or biometric unlock. Also, the time for the clipboard to clear should IMO be <1 min.

It seems in slow mode, whatever that is :confused:, you cannot edit your posts. My response about my method of not remembering my master password (edited so it makes more sense) is below…

I have both a laptop & my smartphone, so IF I lose my mobile device I can use my laptop, which has Authy on it as well, to get my 2FA code. I have a 30+ character master password which I cannot memorize; >>te#d4PrwB&b8#f0IaLLPF0hx^Pi@<< is what it looks like, & so far I have had no issues. Of course that is not the password, BUT it is just as complicated.
So, I have a 30+ character master password, 1 smartphone, one laptop, and copies of my master password & recovery code in a fireproof safe. Also, I keep my master password & recovery code in a file encrypted in the cloud.
So, in this scenario, “if you lose your phone… and if you lose your recovery code…then yes you will be locked out of your Bitwarden account”: the way I have it set, I cannot lose it. I have copies in the cloud that are encrypted, as well as all that info including my recovery code in my LastPass as a safe note. I have Authy on 2 devices (actually 3). I have a spare mobile phone in case my Note 9 dies; it is an emergency spare with Authy on it as well and is password protected.

I have saved my login information to Bitwarden in my LastPass, so I can log into my Bitwarden vault if needed.

My method as described earlier works for me.

“I don’t see how any of that supports your position that you should not remember your master password though.” Because my method works for me & I feel secure having a huge password. I also have Authy on both my Chromebook & my smartphone. It has been a month now, and I have not gotten locked out yet, and if I do, I have all my info in the cloud encrypted and in my fireproof safe.


I set this topic to slow mode because it was getting off-topic and a little heated :slight_smile: @mdc1022 I moved your post into this thread.

I turned off slow-mode for now. Everyone, please feel free to share respectful opinions - we are all here to help each other be more secure :+1:


Huh? I really think you are trolling just to argue. When did I make excuses to not write down your recovery code? The answer is never, I did not do that, you are making up things that I didn’t say and then arguing about them. I never said that someone should not write down their recovery code nor did I ever make up excuses why someone should not write down their recovery code. To the contrary, I think it’s a good idea for someone to keep a record of their recovery code in a safe place.


One other thing I forgot to mention.

If the worst case scenario happens, I can start over: I have an encrypted, updated imported password.csv file saved & encrypted, ready to use to “start over” if necessary.

In the past 6 weeks I have had 0 issues. Both Bitwarden & LastPass work 100% on my secure mobile device & on my Chromebook.

I log into Bitwarden with the extension and put in an 8-digit PIN that is memorized.

On my Chromebook, if I need to get into LastPass, I first get into my Bitwarden via my 8-digit PIN & look for my LastPass login info & copy the password, then go to the LastPass extension and paste it in and log in.

I get into both LastPass & Bitwarden with no issues at all.

Six weeks strong, no issue yet; I am going to keep it as is and see how it goes.

Remember we’re talking about security & passwords. I feel better knowing my password is so long/strong that I can deal with the “complexity” of how I do this.
It works for me, and I was curious if anyone else does anything similar.
I was not trying to start arguments, so please reply respectfully, so they don’t block replies.

Just reminding people that the amount of entropy needed to make a master password uncrackable by brute force is actually not that great. 14 characters, upper and lower case plus numbers, gets you 84 bits, which would take centuries to crack. I think most people could devise such a password that they can reliably remember. A favourite pasta dish, your wife’s shoe size, a rule only you know such as always capitalise the 3rd character of any word, etc. Add a hyphen here and a full stop there, and you’re safe as houses.

There is no need for 24s6#aYV8tK3tgHs when carBonara-69/tirAmisu-84? is just as good if not better.

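The post above works out that 14 mixed-case alphanumeric characters give roughly 84 bits against brute force. The following is an added example (not code from the forum or from Bitwarden) that carries the same arithmetic through for any character set and guess rate, and flags the caveat that the charset estimate only holds if every character is independently random; a passphrase built from dictionary words is weaker against a word-aware cracker than this figure suggests. The guess rate is a constructed assumption for illustration.

```python
import math
import string

# Character class sizes used for the brute-force (uniformly random) estimate.
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "symbols": len(string.punctuation),     # 32
}

def charset_bits(length: int, *classes: str) -> float:
    """Bits of entropy for `length` characters drawn uniformly at random from
    the union of the named character classes: length * log2(charset size)."""
    size = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(size)

def observed_classes(password: str) -> list[str]:
    """Character classes an attacker would have to include to brute-force
    this password exhaustively (not a measure of how random it is)."""
    checks = {
        "lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
        "digits": string.digits, "symbols": string.punctuation,
    }
    return [name for name, chars in checks.items()
            if any(ch in chars for ch in password)]

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace at a constant guess rate.
    Real offline rates depend on the KDF (Bitwarden uses PBKDF2/Argon2) and on
    the attacker's hardware; 1e10/s is a constructed, generous assumption."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def brute_force_estimate(password: str, guesses_per_second: float = 1e10) -> dict:
    """Upper-bound strength if the attacker knows nothing about structure.
    For word-based passphrases the true strength is lower (word-level guessing)."""
    classes = observed_classes(password)
    bits = charset_bits(len(password), *classes)
    return {
        "length": len(password),
        "classes": classes,
        "bits": round(bits, 1),
        "years": years_to_exhaust(bits, guesses_per_second),
    }

if __name__ == "__main__":
    # The post's example: 14 chars, upper + lower + digits -> about 83-84 bits.
    print(round(charset_bits(14, "lower", "upper", "digits"), 1))
    for pw in ("24s6#aYV8tK3tgHs", "carBonara-69/tirAmisu-84?"):  # from the post
        print(pw, brute_force_estimate(pw))
```

The passphrase scores higher than the random string only because it is longer; that number is an upper bound, since a cracker trying dictionary words and common separators need not enumerate every character.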

Ron,
you are probably right & I get what you’re saying, BUT since my system works for me, I am going to keep what I have. I use Bitwarden 95% of the time. I like having options and using more than 1 password manager, more than 1 cloud service & keeping my passwords in my safe, and ultimately having encrypted .csv copies of my current passwords/safe notes. I have 3 devices, all with the capacity to “get me in Bitwarden or LastPass”, so with my system working for me, I am going to keep it. And again, worst case I get “locked out”, I simply start over with Bitwarden or my LastPass by making a new account & importing my .csv files.
Everyone’s situation is different, and for me my system works.
Using 2FA on everything, having my recovery codes & the backups I have in place makes me feel a bit more secure having a password like this: bvW3YR5nLuANJ*9u6znOr4&*SVZZ
instead of this: 69/tirAmisu-84.

Whatever works for you, Mark.

Personally I also lose ZERO sleep over potentially being locked out since I have a well encrypted .csv file backup offline, should the worst come to the worst.

I spend much more time worrying about my vault getting hacked. Hence my obsession with FIDO2/U2F, about which I have posted plenty and doubtless would get slapped for straying off topic if I were to go on about it further :wink:

Did you use numbers as your PIN? Rather than using numbers as your PIN, you can use part of your master password as the PIN. If you are using the browser extension/app, you can also use letters or special characters as the PIN.

For example, if your master password is Lemonade-makes-me-sneeze-42-ferrets?
Then, you can use Lmms42f? as the PIN. This is the hint of the above master password.
Or you can just use 42ferrets? as the PIN.

Therefore, fewer passwords to memorize. The purpose of a PIN is to save time typing, but it is no replacement for your master password.

You can read the PIN tutorial from Bitwarden here.

I’ve seen that many times before on both LastPass and BW. Some of the reasons are:

  • They rarely type their master passwords. For example, they unlock the app with biometrics and eventually forget their master password.
  • They are using a complex password that is hard to remember.
  • They don’t write down their master password on paper.

I think Bitwarden should add a reminder/notification on their biometrics tutorial or app to remind users that if they are using biometrics or PIN, they will risk forgetting their master password.