A password that has a 95-character set (upper, lower, numbers, special) and is 20 characters long has 131 bits of entropy. We consider 128 bits more than secure enough.
The same 95-character set at 39 characters long would give us 256 bits of entropy. This is important because the encryption key protecting your data on Bitwarden servers is 256 bits. So making a password longer than 40 characters is pointless, as the thing protecting it is weaker.
If you manage to get all the power of the Bitcoin network (150 quintillion h/s) to somehow crack passwords, it would take 9,303 years to crack a 16-character password with a 95-character set. Make the password 20 characters long and it would take 757,738,157,701 years to crack.
Not only is there no real need to make passwords overly long, but there are diminishing returns after 39 characters. The funny thing is that the people who make overly long passwords only end up keeping themselves out if they ever have to enter the password manually.
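To put numbers on the argument above, here is an added example (not from this thread or from Bitwarden) that reproduces the entropy and exhaustive-search figures. It assumes a 95-symbol character set, the 150 quintillion h/s rate quoted above, and a 365-day year; the search time is for trying every candidate, so the average case is half of it.

```python
import math

# Figures taken from the discussion above (assumptions for this example):
CHARSET_SIZE = 95                 # upper + lower + digits + specials
BITCOIN_HASHRATE = 150 * 10**18   # 150 quintillion hashes per second
SECONDS_PER_YEAR = 365 * 24 * 3600
KEY_BITS = 256                    # size of the key protecting the vault


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length."""
    return charset_size ** length


def exhaustive_search_years(charset_size: int, length: int,
                            hashes_per_second: int) -> int:
    """Years needed to try every password (worst case); on average an attacker
    needs half of this. Integer arithmetic avoids float overflow at long lengths."""
    return keyspace(charset_size, length) // (hashes_per_second * SECONDS_PER_YEAR)


def length_matching_key(charset_size: int, key_bits: int) -> int:
    """Shortest length whose entropy reaches key_bits. Past this point the
    key, not the password, is the weaker link, so extra length buys nothing."""
    return math.ceil(key_bits / math.log2(charset_size))


if __name__ == "__main__":
    for n in (16, 20, 39):
        print(f"{n:2d} chars: {entropy_bits(CHARSET_SIZE, n):6.1f} bits, "
              f"{exhaustive_search_years(CHARSET_SIZE, n, BITCOIN_HASHRATE):,} years")
    print("length at which entropy reaches 256 bits:",
          length_matching_key(CHARSET_SIZE, KEY_BITS))
```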
The time taken to bruteforce a 20-char password is the least of your worries. If you had access to an ideal perfect computer, just toggling a single “transistor” between 0 and 1 that many times would destroy all life on earth. Once you start including that we don’t have access to these perfect computers, that we actually have to do calculations, not just flipping a bit, that we have to move around data, that we have to compare data, the earth would be turned into a molten ball of magma or worse.
A password longer than 39 chars being greater than 256 bits means it’s stronger than the underlying hash and encryption. Ignoring that it’s still physically impossible, an attacker would sooner find a password that so happens to work even though it’s not the same.
Please re-read my reply before you make an uneducated guess.
I am requesting a regular request, I understand the above replies.
Bitwarden does give us an option to use 128 characters, even if 39 characters is already exceeding the 256-bit encryption that protects it; are you calling them stupid as well??
I request it because IF I choose to use 200 characters in my web application, I’d like to have an option to generate it in Bitwarden. Even for future proofing if/when we will increase encryption levels.
If you do not have anything to say that will be noted as normal criticism, then please do not reply or go on reddit.
There is no reason for that, even IF a website allowed that many characters.
Because if you use a length of 30 with all options enabled, you already have 70^30, which according to google is 2.25393402907e+55. That’s a pretty large number to say the least. It’s cryptographically unbreakable.
As a workaround, you can just create multiple 128-character passwords and copy them into the password field. On Mac the shortcut for the password generator is CMD+G.
LUKS now supports 500-character passwords. I agree that you probably won’t gain much after 40 characters or so, but why not allow it if it’s virtually free.
However, expect to run into problems with certain applications and sites. Too many devs don’t expect that anyone would enter a password longer than 30 characters, and I’ve seen really weird stuff happen (e.g., the app truncating your password without telling you where … that is fun).
Would it be possible to reduce the password field at the same time? It’s a rather banal request, but I’d like to see the ability to generate 4 digit PINs (my feature request here) rather than developing a 5 digit PIN and dropping the last character.
A small and insignificant change in the grand scheme of things, but it’d be nice to see!