Need to generate passphrases that satisfy complexity requirements

I’m currently mulling over a local installation of XKPasswd - Secure Memorable Passwords

Basically, it’s a simple parameter-based generator that combines a couple of techniques that look very promising in terms of being 1) complex, 2) have good entropy/randomness, and most importantly, 3) reasonably memorizable, and 4) can be entered without massive amounts of frustrating hunting and pecking for capitals and special characters sprinkled at random points in an utterly non-rememberable passphrase, which defeats the purpose.

For example (default settings), “$$01-express-RECORD-tuesday-82$$” is claimed to have 52 bits of entropy with full knowledge of the settings and dictionary (and between 157 and 246 bits without).

And from a casual look, it seems pretty easily rememberable. Although personally, I’d bump the number of words to 5. More than that gets hard to remember before you get your muscle memory or are rusty and haven’t used it in a while.

How is that password any easier to memorize than something like absently-recall-lavender-murky (from by the Bitwarden generator), which has the same level of entropy?

See my criteria #1, complexity. That’s why.

Lots of places still have complexity requirements for “passwords” (aka special characters).

That’s why I would need something other than the BW generator, and the complexity parameters only apply to BW password generator, and not to the passphrase generator.

xkpasswd ticks both boxes.

For usability without a complexity requirement, I agree that the passphrase generator wins hands down. Far easier to remember, particularly for one-time short-term use like with the BW send feature.

If I have to remember it, well, that’s what BW is for. :wink:

With regards to complexity, the separator character in Bitwarden’s passphrase generator should fulfill the “special character” requirement (I’ve never seen a site that requires more than one type of special character, and if the default separator - is a non-allowed character, the passphrase generator allows you to substitute it for something else). The generator can also add a number and capital letters, if these are needed to satisfy “complexity” requirements. Is there another reason why the current generator doesn’t meet your needs?

What is your use-case that requires you to generate these passwords that you must memorize and type manually? (i.e., why can’t you use Bitwarden to auto-fill or copy/paste these passwords?) The majority of website passwords to not have to be memorable or easy to type, so it is normally best to use a random character string as a password (e.g., @HB2qwGn!Q3FaqZS), because these are less likely to cause problems with websites that have password length limits.

This use case isn’t for “the majority of websites”. Its for offline use. And yes, there are environments where online access or even a computing device is not allowed.

I’m not using the passphrase generator only for use with BitWarden.

Places like where phones are not allowed and for, oh, I don’t know, a master password.

Generating passphrases in BitWarden isn’t just for using with BitWarden alone, or on systems where BitWarden is not used or allowed.

Bottom line, the use case is passphrase complexity is required, and the BW passphrase (not password!) generator fails that requirement.

Just because you don’t have a use case or cannot imagine one does not mean nobody else can possibly have one, nor is it a justification for failing to meet a requirement - one which I clearly stated in the reasons I was looking at alternatives to BitWarden’s password/phrase generators.

I’m not looking for a reason to force people to use BitWarden and just accept its failure to meet requirements, which it sounds like you’re trying to do here. Don’t get me wrong here, I’m a huge BitWarden fan, and it does 90% of the heavy lifting with ease of use and features. But it does have useful features that are lacking and examples can be found in other password generators, and the devs need to know that. That is the point of this forum, is it not?

@mike808 I wasn’t implying that there aren’t use-cases for passphrases (obviously there are, or there wouldn’t be any need for Bitwarden’s password generator to include options for creating passphrases), I was just asking you to describe your use-case. In feature requests, it is important to be specific about this, since it plays a role in determining whether the issue is a wide-spread problem or a niche problem, and to determine whether there may be any work-arounds that can address the issue during the often lengthy development cycle for new features.

It is still not clear to me what your use-case is, since the complexity provided by the passphrase generator is typically sufficient for most cases. You mentioned that there “lots of places” where the available complexity is apparently not sufficient. It would be helpful to cite some examples, and explain the complexity rules being enforced by those “places”.

The point of the Feature Request forum is to propose new features. To be successful, such proposals would normally present some rationale that makes a case for why developing the proposed feature would justify the cost of development (and maintenance) of the code required to implement the feature — for example, a description of the problem that would be solved by the proposed feature.

P.S. I’m moving this into a new feature request, since it is off-topic to the OP. That way, other users who agree that an XKPasswd-style generator is an unmet requirement for Bitwarden can so indicate by voting on your request.

I am really not following your logic here. Which is it?

@mike808 the use case is passphrase complexity is required

@grb I wasn’t implying that there aren’t use-cases for passphrases (obviously there are,
@grb It is still not clear to me what your use-case is,

I don’t know how much more clearly I can state the use case:

a Passphrase with equivalent complexity requirements we have today with passwords.

The goal of the use case is to switch users to using complexity-compliant passphrases instead of complexity-compliant passwords.

This originally was posted in response to someone asking for how to do exactly the same thing that I was commenting on. It wasn’t a “I have a requirement for BitWarden do X” feature request. It was a post trying to help another person who was trying to do something that it didn’t seem like BW could do (their use case was to mimic IOS passphrase generator behavior, and mine was similar). Please stop trying to impose what you think I am saying onto what I actually said, because they are not the same. You are conflating my use case requirements (I need to do X) with imposing requirements on BitWarden (I need BitWarden to do X). That was the entire point of looking at other passphrase managers to see how they were addressing things like complexity which many people have real-world requirements to have, and they really do want to NOT use a password of random intentionally forgettable gobbledygook because they also need to remember them and use them separately and unassisted by BitWarden.

Use case requirements are not equivalent to BitWarden requirements!

That said, it turns out that it must have been a while since I looked closer at the “passphrase” option of the generator in BitWarden. From what I am seeing now in the 2023.02 release of the app and plugins, the passphrase generator interface has an option for a special character as the separator, mixed case, and numeric character.

That is why I posted a solution for the original poster (as well as my use case) on the original thread:

Have a nice day.

Seems like your problem is solved, so I will close the thread. A nice day to you, as well.