Multiple Master Passwords

I’m afraid to change my Bitwarden password to something completely brand new very often because it’s a password I have to memorize, and if I make the new password sufficiently complex and unique, there’s a risk of forgetting it. I wish I could create a new password without deactivating the previous password until I have enough experience with the new password to be 100% sure that I will remember it.

LUKS encryption in Linux provides this exact feature. Since my system login is one of the few passwords I memorize instead of storing in a password manager, I find this feature to be incredibly useful and use it every time I change my password. The way it works is it just allows you to add or remove as many passwords as you want at any time. You could have, for example, 10 passwords that each decrypt the master key which ultimately decrypts your system drive.
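The LUKS design the post describes (one random master key, several independent passphrase slots that each wrap it, so slots can be added and removed without re-encrypting the drive) can be shown in a small model. The Python below is an added example and is not Bitwarden or cryptsetup code; the class names, the XOR wrap (which stands in for the AES key wrapping real LUKS uses) and the iteration count are assumptions for the demonstration. The `rotate_passphrase` function follows exactly the workflow the post wants: add the new passphrase, prove it unlocks, and only then kill the old slot.

```python
import hashlib
import hmac
import os

# Constructed value for the demo; real cryptsetup benchmarks the KDF cost per machine.
PBKDF2_ITERATIONS = 100_000


class KeySlotHeader:
    """Toy model of a LUKS-style header: one master key, N passphrase slots that wrap it."""

    def __init__(self, slots=8):
        self.master_key = os.urandom(32)          # the key that actually protects the data
        self.slots = [None] * slots               # each slot: (salt, wrapped master key) or None
        # A digest of the master key lets unlock() confirm a candidate without touching the data,
        # which is how real LUKS tells a right passphrase from a wrong one.
        self.mk_salt = os.urandom(16)
        self.mk_digest = self._digest(self.master_key)

    def _digest(self, key):
        return hashlib.pbkdf2_hmac("sha256", key, self.mk_salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _slot_key(passphrase, salt):
        # Per-slot salt: the same passphrase in two slots never yields the same wrapping key.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

    def add_key(self, passphrase):
        """Wrap the master key under a new passphrase in the first free slot. Data is untouched."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                salt = os.urandom(16)
                wrap_key = self._slot_key(passphrase, salt)
                # Assumption for the demo: XOR with a fresh KDF output stands in for AES wrapping.
                wrapped = bytes(a ^ b for a, b in zip(self.master_key, wrap_key))
                self.slots[i] = (salt, wrapped)
                return i
        raise RuntimeError("no free key slot")

    def unlock(self, passphrase):
        """Try every populated slot; return (slot index, master key) on success, else None."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            candidate = bytes(a ^ b for a, b in zip(wrapped, self._slot_key(passphrase, salt)))
            if hmac.compare_digest(self._digest(candidate), self.mk_digest):
                return i, candidate
        return None

    def kill_slot(self, index):
        """Remove one passphrase; the other slots keep working because they wrap the same master key."""
        self.slots[index] = None

    def populated(self):
        return [i for i, s in enumerate(self.slots) if s is not None]


def rotate_passphrase(header, old, new):
    """Add the new passphrase, verify it unlocks, and only then remove the old one."""
    header.add_key(new)
    if header.unlock(new) is None:
        raise RuntimeError("new passphrase does not unlock; old one left in place")
    old_result = header.unlock(old)
    if old_result is None:
        raise RuntimeError("old passphrase not found; nothing removed")
    header.kill_slot(old_result[0])
    return header.populated()


if __name__ == "__main__":
    hdr = KeySlotHeader()
    hdr.add_key("correct horse battery staple")          # constructed sample passphrases
    print("slots before rotation:", hdr.populated())
    print("slots after rotation:", rotate_passphrase(hdr, "correct horse battery staple", "new long phrase"))
    print("old still works?", hdr.unlock("correct horse battery staple") is not None)
```

On a real system the same three steps are `cryptsetup luksAddKey <device>`, `cryptsetup open --test-passphrase <device>` to prove the new passphrase before trusting it, and `cryptsetup luksKillSlot <device> <n>` (or `luksRemoveKey`) once you are confident; `cryptsetup luksDump` shows which slots are in use. Keeping the old slot alive until the new one is verified is what removes the lock-out risk the post describes.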

Hi Drew. Interesting suggestion. Out of curiosity, why do you feel you need to change your master password frequently? If your master password is unique, sufficiently complex, and not guessable, I would think you could just stick with the same one.

3 Likes

I agree. Current advice from the likes of NIST, NCSC, etc. is to only change a password if you suspect it has been compromised. If you’ve memorised a sufficiently complex and unique password, I would definitely stick with it.

2 Likes

Maybe you would consider me a bit paranoid then. But after typing my password into so many internet-connected devices over the course of years and then losing track of some of those devices, I feel there is a risk of my password being compromised. Maybe one of those computers had a keylogger. Maybe someone got hold of a cached store of the vault in browser storage and brute-forced it. My imagination starts running wild and I see a bunch of attack vectors. My Bitwarden account is by far the most important account that I need to keep secure. So I’d like to change it once a year or so just to keep the distant past at bay.

That should be mitigated with 2FA. If you use a YubiKey, they would not be able to log in even if they have a keylogger. I also use a different PIN for every device so that I only have to type in the master password once.

1 Like

I agree with @paulsiu - especially if you are using many different computers that you can’t be certain are secure, employing some form of 2FA is far more secure than repeatedly changing your password.

Hardware security keys, such as YubiKeys or FIDO2 keys, are convenient and very secure. But you could also install a free authenticator app on your smartphone, such as Authy or Google Authenticator, that will provide one-time passwords (OTPs) as a second measure to log in. Emailing the OTP is available on Bitwarden as a basic 2FA system, and while it is the least secure, it is also better than no 2FA at all.

You might find this help document useful:
https://bitwarden.com/help/article/bitwarden-field-guide-two-step-login/