Please up the Password character limit to 256

Thank you for your post!

Feature name

  • Higher Character limit for password generator

Feature function

Allow higher limit of characters in the generator

Do you actually have websites you visit that would allow for a 256 character password? Never heard of such a thing.

The security of a password longer than about 14 characters, so long as the password is randomly generated, is beyond strong

It would take trillions of years for a trillion computers to break a 128 chr password
(and when I say trillions of years, I mean close to 10^150 years)

Why have more

To flex on random strangers on the internet, duh!

What @el613 said.

A random generated password with 20 characters is literally unbreakable and nearly all websites will allow a password with this length. You can do 30 if you want…

If anyone is wondering the math…

A password that has a 95 character set (upper, lower, numbers, special) and is 20 characters long has 131 bits of entropy. We consider 128 bits more than secure enough.

With the same 95 character set at 39 characters long would give us 256 bits of entropy. This is important because the encryption key protecting your data on Bitwarden servers is 256 bits. So making a password longer than 40 characters is pointless as the thing protecting it is weaker.

If you manage to get all the power of the Bitcoin network (150 Quintillion h/s) to somehow crack passwords it would take 9,303 years to crack a 16 character long password with a 95 character set. Make the password 20 characters long and it would take 757,738,157,701 years to crack.

Not only is there no real need to make passwords overly long but there is diminishing returns after 39 characters. The funny thing is the people who make overly long passwords only end up keeping themselves out if they have to ever enter the password manually.

3 Likes

The time taken to bruteforce a 20 char password is the least of your worries. If you had access to an ideal perfect computer, just toggling a single “transistor” between 0 and 1 that many times would destroy all life on earth. Once you start including that we don’t have access to these perfect computers, that we actually have to do calculations no just flipping a bit, that we have to move around data, that we have to compare data. The earth would be turned into a molten ball of magma or worse.

A password longer than 39 chars being greater than 256bits means it’s stronger than the underlying hash and encryption. Ignoring that it’s still physically impossible, an attacker would sooner find a password that so happens to work even though it’s not the same.

Understand all your replies, but I do have 4 website and 3 Tools that accept 256 characters.
No matter the math or reason, it is supported by other programs/webtools. That is why I request it.

1 Like

Do you really understand? Because I’m not so sure you do.

However, I’m pretty sure you can make a Bitwarden account with a 1000 character password. And you want only 256…pathetic (sarcasm)

Please re-read my reply, before you make a uneducated guess.
I am requesting a regular request, I understand the above replies.
Bitwarden does give us an option to use 128 characters, even if 39 characters is already exceeding the 256bit encryption that protects it, are you calling them stupid aswell??

I request it because IF I choose to use 200 characters in my web application I’d like to have an option to generate it in Bitwarden. Even for future proofing if/when we will increase encryption levels.

If you do not have anything to say that will be noted as normal criticism, than please do not reply or go on reddit.

1 Like

There is no reason for that, even IF a website allowed that many characters.

Because if you use a length of 30 with all options enabled, you already have 70^30, which according to google is 2.25393402907e+55. That’s a pretty large number to say the least. It’s cryptographically unbreakable.

As a workaround, you can just create multiple 128-character passwords and copy them into the password field. On Mac the shortcut for the password generator is CMD+G.

LUKS now supports 500-character passwords. I agree that you probably won’t gain much after 40 characters or so, but why not allow it if it’s virtually free.

However, expect to run into problems with certain applications and sites. Too many devs don’t expect that anyone would enter a password longer than 30 characters, and I’ve seen really weird stuff happen (e.g., the app truncating your password without telling you where … that is fun).

We’re actually expanding the password field to 5000 characters to match custom fields :+1:

5 Likes

Would it be possible to reduce the password field at the same time? It’s a rather banal request, but I’d like to see the ability to generate 4 digit PINs (my feature request here) rather than developing a 5 digit PIN and dropping the last character.

A small and insignificant change in the grand scheme of things, but it’d be nice to see!

2 Likes