New guy questions continued

Greetings all. The more I learn about Bitwarden, the more confused I get, even about simply setting up an account, so I’m just going to go one step at a time, ask questions along the way. So my plan is to first purchase a family account for myself, with the goal of having my family members get their own accounts, so I can set up an organization with collections, and invite them to join. I’ll follow the strict security measures I have seen recommended, e.g., a strong master passphrase, 2FA. Before I actually send invitations, I’ll play around with the account on my own, do so testing, get familiar with options, figure out my next questions.

How does that sound as a good place to start?

Also, I’m not sure about which tags I should chose for posting here other that “app: all”. There are only 3 other options in the drop down menu, none of which seem to fit my topic. I chose “cloud-default”, just to satisfy the two tag requirement. More confusion (on my part).


That’s fine, but I would suggest just coming back to this one thread for all of your questions (instead of opening a new topic each time).

Sounds good. You may want to review this guide for new users, if you haven’t already seen it.

That is the correct default value to use.

Thank you for this great advice. I will put it into action. The guide is very helpful, and I hadn’t seen it before.

I have 3 more questions at this point.

  1. I’m planning to use a master passphrase. For accessing individual sites though, I’ve seen some people online who think having BW generate a password is better than having it generate a passphrase, and vice versa. I don’t understand why one would be better than the other, in terms of being harder to crack. To a hacker, isn’t trying to crack a passphrase the same as a password? E.g., to them, just trying to solve a set of unknown characters?

  2. I asked the following question before, but I think I didn’t phrase it right… Let’s say I have an account with company ABC, with a user name, password, 2FA, and email in place. Now I want to use BW to access that account, give a new name and password/phrase. (I also want to start using a different email, and as an alias, but perhaps that’s a different issue to come back to?). What are the steps for which the BW generated info replaces what I’ve set up in the past?

  3. Well, I’ve forgotten question 3. Gotta start writing this stuff down, ha! So instead will ask, when setting up an account, will the browser on which I do that matter in the future? For example, if I set it up on Firefox, can I still login on Chrome and use my account? And along the same lines, I use both Apple and Android devices. Are there any initial things I need to consider when setting up an account? I’ll want to use BW on both.

Okay, that’s a lot of question for a guy who said he was going to forge ahead with a simple plan, ha!

Thanks! And as soon as I hit reply, I just know I will remember my original question 3…

It has to do with length, as in the number of characters in a password. If you make a random passphrase and a random character-string equally strong (in terms of the likelihood of being cracked), then the number of characters in the passphrase will be about 4× greater than the number of characters in a random character-string. Put another way, using a gibberish character-string, each character packs a quadruple password “strength” compared to the characters in a passphrase consisting of random words. For example, the random character-string @xpPY7DP4ciC (12 characters) is just as hard to crack as the random passphrase litmus-tackle-affection-ranking-aflutter-lavender (49 characters).

The real issue is that many websites impose a length limitation on the password used. Thus, if the the maximum password length allowed on a website is 20 characters, then you might be able to fit a 3-word passphrase (dose-stricken-decay) at best, which is not even as strong as a 7-letter random string (jt64Id*) — in contrast, a 20-character random string (OZesp5r^C2yJGm$oDD9^) would take over 1025 times as long to crack as a 3-word passphrase.

Therefore, it is best to use passphrases only when there is a legitimate need to manually type out the password (or to memorize it), and when there are no unreasonable constraints on password length (e.g., password sizes up to at least 60 characters should be allowed).

No, if you create a Bitwarden record for an Amazon account while using the Bitwarden browser extension on Firefox, then you will also be able to access and use that record to log in to Amazon while using Bitwarden on Chrome or Safari, or an Android device.

This question requires that I answer it in two parts. The first part has to do with how to change an account password, username, and email address associated with your account on the website for Company ABC. Regardless of whether you wish to store such information in Bitwarden or not, each website will have its own procedure for making modifications to such account data — thus, there is no standard method.

Sometimes, but not always, after logging in to Company ABC’s website (let’s call it, you can enter the following in your browser address bar to take you directly to the password change form for that website:

(of course, you would have to change the website domain to the actual domain of the website that you are logged in to).

If the above method doesn’t work, then you will have to scour the available menus, including hamburger menu icons () or avatar icons (:blonde_man:), and look for something like “Security Settings”, “Account Settings”, etc. If necessary, reach out the to company’s customer support.

The second part to answering your question is to discuss how to use Bitwarden to best effect when changing your login information on a website. There are a few different ways, but the following is what I recommend. Assuming that you have found a webpage where the password can be changed on Company ABC’s website, then open and unlock the Bitwarden browser extension. Next, perform the following steps within the browser extension pop-up:

  1. Click :heavy_plus_sign: (or the “Add a Login” link).
  2. Type the desired username in the Username field.
  3. Click the :arrows_counterclockwise: icon the in Password field (generate password).
  4. Click Select in the upper right corner.
  5. Click Save in the upper right corner.
  6. You will now see the new vault item listed at the top of the browser extension’s “Tab” page click on the website name (which will transfer your password — and username, if applicable — to the website’s password change form).

Before submitting the web form, check whether there are any fields that require input of the old password. In Step #6 above will just auto-fill the newly saved account information everywhere, so if there is an “old password” field, you will need to manually clear its auto-filled contents and type in the old password.

Variations of the above may be necessary if you are also changing your username or email address. The basic principle is to first change the data stored in Bitwarden’s record for your account (remembering to always click Save after making any change), and to subsequently use one of several available auto-filling techniques to transfer the updated information into the required profile update form on Company ABC’s website.

Thanks again. I’ll see if I can put all that into use. No doubt, me getting hands-on experience will immensely help me understand more of what I’m trying to do.

Best wishes.

The normal working assumption is that a hacker will know how you went about generating your pass-thing (string or phrase) and from what source(s). Therefore, if you used words then assume the hacker will check words, not characters. Pass-thing length always matters.

It makes sense to use random strings for everything you do not absolutely need to remember (like your vault pass-thing).

1 Like


:laughing: love it!

1 Like

Too technical for me. :upside_down_face:

Well, I’ve finally got my family plan account activated. I ran into to several problems along the way, some related to Bitwarden, some not. And some of the “nots” were pilot error, ha.

I have my doubts as to what degree BW will be practical to me. After having to enter my complicated password multiple times during my setup experience, I’m realizing that the people involved with the multiple shared accounts are not going to want to have to enter it every time they use BW on their various devices. Nor deal with 2FA’s. Unfortunate, because in many cases, those are the specific accounts I had in mind for BW.

So we shall see…

You might want to keep experimenting before making a final assessment. Most Bitwarden users keep their Bitwarden apps and browser extensions logged in permanently, which can greatly reduce the frequency of entering the master password and 2FA; the vault contents are secured by locking the app rather than logging out (and there are many options for how to unlock the vault — you can experiment until you find something that you think will work). In addition, it is possible to waive the 2FA requirement for 30 days on specific trusted devices, by checking the “Remember me” option on the 2FA screen when you first log in. Finally, there is a feature called “Login with Device”, which is exactly that — you can use one logged in instance of Bitwarden to approve logins into Bitwarden on other devices.

Ah, thank you for the enlightenment. You addressed my specific concern (and beyond) as to how to keep the account secure when staying logged in. Thanks for having pushed my knowledge a few steps further.

Go to the Settings and change the “Vault Timeout Action” form "Log out " to “Lock”, and set a suitable vault timeout period (as short as possible without becoming onerous). Then you can experiment with the options “Unlock with PIN” or “Unlock with biometrics” to see what you prefer. Note that on non-mobile devices, the “PIN” does not have to be numeric — it can be a regular password/passphrase (just shorter or less compled than your master password).

Please note that you will have to independently configure each Bitwraden app or browser extension that you use, on every device. The timeout and unlock settings do not carry over from one Bitwarden instance to another.

1 Like

Wait until you get hacked. Then you will be grateful for the little bit of effort required to type your master password and authenticate via 2FA.

Oh, I’m not the one who minds that. Convincing others in my family are the problem. But at least I’ve been given a work around. :slight_smile:

1 Like

Greetings all. I’m happy to report that I set up my BW account, added one vendor as a test subject. I successfully changed some BW security settings, and also used BW to login to the site. One small step for the new guy, ha! So thanks to all who provided me with help. I did run into a problem when I tried to add a 2FA to my BW login. I use Duo, and when I tried to set it up in BW, I was asked for Integration key, Secret Key, and API hostname. I looked at my Duo App’s accounts and settings areas, but didn’t see anything along those lines. So if one of you kind people can steer me in the right direction so I can make that my next step I set, I’d greatly appreciate it!

Do you have Duo admin credentials, to log in to the Duo Admin portal? If not, you will not be able to enable Duo for Bitwarden. If you do have Duo admin credentials, then you will have decide whether to just enable Duo for your own individual account, or for the entire organization (Family Plan), as there are different instructions for each case.

No, I don’t have Duo admin credentials. Is there a particular authenticator app you’d recommend? At some point I’ll looking into getting a Yubikey, but I’m trying to keep things a little simpler, as I’m hoping to get my whole family onboard with using a password manager. I’m not sure they’ll even submit to having to re-enter a long master password every time. I made my 40 characters long, and would want them to go with at least 30.

Also, I’m seeing online both that passkeys are restricted to one device usage at the moment, and that they are available for multi-device use. Which it true?


I have no personal experience with such apps, and it depends on what devices you need to use the app on. On the Bitwarden subreddit, they typically recommend Aegis, 2FAS, and/or Ente Auth.

You can also use passkey stored on the device where you are logging in to Bitwarden.

As mentioned previously, entering your master password “every time” that you want to access your Bitwarden vault is not necessary. You can get excellent security by using a PIN or biometrics for routine unlocking of your vault, and entering your master password only when restarting your browser (which can be once a day, or even less frequently, if you get in the habit of keeping your browser open). For a slight security trade-off, you can even disable the requirement to enter the master password when the browser is restarted.

Master password strength/length should not be measured in characters. Your Bitwarden master password should be a randomly generated passphrase, so its strength/length is measured in terms of the number of words in the passphrase. For your purposes, four words are sufficient for safeguarding your Bitwarden vault (and your family members’ vaults). On average, this would result in a passphrase that has about 30 characters, but this is irrelevant (and a function only of the distribution of word lengths in the dictionary used for passphrase generation).

This does not sound accurate or relevant to the use of passkeys with Bitwarden. The way you’ve described this, I can’t even make sense of what it is saying, so it is probably best if you cite a source for these claims.

My apologizes. In checking my notes, I see that you did address the PIN/biometric option for vault access. I’m having trouble digesting all this data, especially when trying to apply it. Re passphrases, all I meant was, that I’d seen online that if you have a passkey with a business, you can only set it up/use it on a single device. I.e., from your desktop, but then not from your laptop or phone. But I’m seeing now that cross device syncing is now available with passkeys, so my original question is moot. But I now understand your explanation about random word strength vs. character length strength.