The mobile app currently only supports numeric pin codes for unlocking. If the smartphone does not have a biometric sensor, a pure numeric code is not very secure if you do not want to enter your master password every time.
The desktop app and the browser extension already support alphanumeric PIN codes. It would be nice if this could be brought in line with the mobile app.
Feature name
- Allow non-numeric pin (allow password/phrase) on mobile apps.
Feature function
- The keypad on the Bitwarden android mobile app pulls up a number pad. We do not have the option for using other characters.
- I would like an option in the mobile app to switch from number pad to normal keyboard so we can use a password/passphrase instead of a purely numeric pin.
Reasoning / Intuition
- People are locking their database, which means it is encrypted with their master decryption key + pin (I assume).
- Their pin basically becomes a temporary device-held master-password, while the database is locked.
- If someone has somehow stolen your phone or managed to download the data stored in your device, you want to make sure that the pin is strong.
- This is basically why I want the option of using a password-pin (with word characters) instead of just a pin.
Note: I think I would prefer to keep my devices permanently locked, and secured with a pin/password - because typing the master password is less secure than typing a local password. It is safer if a keylogger or shoulder-surfer obtains a pin, rather than the master password.
Note: Desktop and browser extension do not need to change because they allow any character to input.
This is a very simple feature and would be a nice option to have.
Bitwarden, by using only a numeric keypad, is lessening the security on the Android app. Why not open my full keyboard???
I use a non-numeric key to open my vault in my browser extension. However, I cannot use that same key on the Android phone or tablet.
I have to admit that would be nice, but I don’t know if it’s needed. You can set an 8-9 digit PIN and the “bad guy” only gets 5 guesses until you are completely logged out. Try and guess an 8-digit number in only 5 guesses!!
Is it 12345678?
Bryan2023,
I am too lazy to enter 40 characters every single time to access my vault!
Kinda shocked at the responses considering this is an important security product. I thought the idea was to make this as safe as possible, not the cavalier answers I got. I’m not going to input my 57-character string of well-mixed characters each time I want access.
Enough of that. What I was saying is that BitWarden needs to make their products the same across devices and browsers, as much as possible. BTW, I’m not some newbie, I spent 45+ years building highly complex and secure applications for large banks and law firms where security was number one priority.
Apologies for my off-topic comment to @OpSec earlier.
I don’t know why the mobile apps only allow numerical PINs, but I have to assume it’s a technical limitation, as Bitwarden strives to be cross-platform compatible as much as possible. I looked through the original Feature Request for PIN unlock support on non-mobile apps, but couldn’t find any clues (although I did see that the mobile implementation only allowed 4 digits at the time). A search through the Github pull requests suggests that PR #446 may be relevant, although I believe that is just for the keyboard displayed (the restriction to an all-numeric code preceded this PR); you may find additional clues by digging through the Github repos.
FYI, a Feature Request identical to yours was made in 2021, but apparently did not gain any traction.
Part of the reason for the lack of interest may be that most users consider the threat profile of their mobile device to be sufficiently well-managed that a PIN with 27 bits of entropy should offer sufficient protection against a local attack (especially since it is apparently not clear whether it is even possible to extract the local vault data from a non-rooted device), perhaps because they also lock the device itself when not in use.
Those users who are concerned about being able to maintain sufficient operational security to guard their mobile devices still have the option to unlock using their master password instead of a PIN. You are making this option much too difficult for yourself by using a random 57-character string as your master password, which is also atypical for most Bitwarden users. Such a password has 374 bits of entropy, which is overkill. You gain zero security advantage for any password that has more than 256 bits of entropy, and even 256 bits is overkill. All the additional characters only create problems (making it difficult to memorize and type the master password), with no added benefits.
Unless the total value of assets that would be lost if your vault were compromised runs in the billions, a master password providing 65-90 bits of entropy should be sufficient. A randomly generated passphrase containing 5-7 words will provide this level of security, and such passphrases can be memorized and typed out without too much trouble.
Thank you for a sane, rational response to my original question. Yes, my 57-character key may be overkill, but since I’m not an expert on crypto it was my choice out of naivety. I still would like conformity across platforms if possible. Bitwarden is a great product and I only wish I had it back in the early days of the Internet when passwords were short or non-existent for some sites.
Is there any news about this issue?