Password Creation Ideas

Interested to hear suggestions for creating a superior master password for BW. I was contemplating using 30-40 random character string that would be so cryptic I’d have to store it somewhere (Google Notes) and copy/paste when needed.

You’re making this too complicated.

Use a random passphrase generator (e.g., set the password type to Passphrase in Bitwarden’s password generator), set the number of words to 4, 5, or 6, and write down the generated passphrase in an Emergency Sheet.

Disable Unlock with PIN (forcing you to type your master password to unlock Bitwarden), and keep the written down password close to your computer until you have used it so often that you have it memorized (typically, about a week). Then store your emergency sheet in a secure location.

Done.

Length is more important than “randomness” and a long phrase can be remembered. My experience with BitWarden tells me that I have to have memorized my master password because I enter it on my laptop and my phone rather often.

Assuming when you say to disable Unlock with PIN you’re referring to the mobile app? I use that MUCH less frequently than desktop/browser.

My current password uses two random words (no hyphen - they are connected to make a single word), plus 2 digits, plus two alternative characters (i.e., *&^$#!).

This is what I use for both mobile and desktop access

No, all apps (browser extension, desktop app) also have the ability to set up a PIN for unlocking the vault. Perhaps you never enabled it. How do you currently unlock your vault, and what are your vault time-out settings?

@kwe if you are alluding to human-created phrases, these are much easier to crack than randomly generated phrases, and therefore I would not recommend them. To some extent, you can make up for the low entropy of the human brain by extending the length of the phrase (e.g., instead of a 4-word randomly generated passphrase, you would probably need at least 10 words in a human-created phrase/sentence). Unfortunately, it is impossible to know exactly how long the non-random phrase must be in order to make it uncrackable (so you can never be sure that your vault is secure, unless you use a randomly generated passphrase/password).

Curious to understand…if I select four completely unrelated words (balloon - storm - pickle - speaker) how is that any less secure than four generated by the tool?

  1. Humans, left to their own devices, tend to select words that are common. The words that you picked above (balloon-storm-pickle-speaker) are among the top 2000 or so in a compilation of common password words. Thus, it could be brute-force guessed in around 10^13 attempts. The number of guesses required to find a 4-word passphrase produced by the generator, on the other hand, would be around 250 times longer (because it uses a word list containing almost 8000 possible words).

  2. Because we don’t know exactly what processes your brain used to generate your four words, nor do we know what approach a hacker would use to crack your passphrase, we have no way of determining a lower bound (a worst-case scenario) for the effort required to crack this passphrase. Thus, we can never be sure of whether it is sufficiently strong for our purposes or not. In contrast, using the passphrase generator tool, we can determine its strength quantitatively, and make rational decisions about the required number of words in the passphrase.

It all depends on how the attacker is attempting to find the password or passphrase. So long as the passphrase is not found in a passphrase dictionary, length is more important than randomness, assuming the passphrase can be memorized and the password cannot. Even if the attacker is using only lower case alphanumeric search on a lower case alphanumeric passphrase, a long passphrase is more secure than a random 8 character password and is better if it can be memorized.

Something that is not random, by definition, has a structure. If an attacker uses knowledge of that structure to re-create candidate passwords (in part or in full), then they will be able to significantly reduce the cracking time. For example, a 24-character, non-random password following the “haystack” scheme (e.g., D0g.....................) can be cracked in minutes (even though a random 24-character password would be completely uncrackable, requiring over 10^30 years to guess). Therefore, length is not more important than randomness (and it could be argued that the opposite is true).
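As an added illustration of the guess-count arithmetic in the two posts above (this is not code from the thread or from Bitwarden), the calculator below models only secrets chosen uniformly at random, which is exactly why a structured password like the haystack example gets no figure here: without knowing the attacker's model of the structure there is no lower bound to compute. The 10^10 guesses/second rate, the 2000-word and 7776-word list sizes (the EFF long list, matching the post's "almost 8000"), and the tiny word list used in the demo are assumptions.

```python
import math
import secrets

# Assumed offline cracking rate (guesses per second); constructed for illustration.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guesses_for_passphrase(wordlist_size: int, words: int) -> float:
    """Guesses needed to exhaust every passphrase of `words` words drawn
    uniformly from a list of `wordlist_size` words."""
    return float(wordlist_size) ** words


def guesses_for_password(alphabet_size: int, length: int) -> float:
    """Guesses needed to exhaust every uniformly random password of
    `length` symbols over an alphabet of `alphabet_size` symbols."""
    return float(alphabet_size) ** length


def entropy_bits(guesses: float) -> float:
    """Entropy in bits for a uniform choice among `guesses` possibilities."""
    return math.log2(guesses)


def years_to_exhaust(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return guesses / rate / SECONDS_PER_YEAR


def generate_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Uniform selection with the OS CSPRNG (secrets module). Only uniform
    selection makes the figures above apply; random.choice is not suitable."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare() -> dict:
    """Reproduce the comparison made in the thread under the stated assumptions."""
    human = guesses_for_passphrase(2000, 4)      # 4 words from a top-2000 common-word list
    generated = guesses_for_passphrase(7776, 4)  # 4 words from a 7776-word generator list
    random24 = guesses_for_password(95, 24)      # 24 random printable-ASCII characters
    return {
        "human_guesses": human,
        "generated_guesses": generated,
        "generated_vs_human": generated / human,
        "generated_bits": entropy_bits(generated),
        "random24_years": years_to_exhaust(random24),
    }
```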