Random length for generated passwords

The password generator on my app/browser is typically set for always generating strings that are X characters long.

The problem I’m trying to solve in my head is if someone finds out that my passwords are all X characters long, that would significantly reduce the number of attempts to guess the password.

I was thinking that it’d be a nice feature if you could specify a range instead of an exact number for password length.

So for example, you specify that you want the password to be between 32 and 64 characters long. The app would then randomly pick a length between 32 and 64 and generate a password of that length.

A fair request, but a couple of items to keep in mind:

  • if they know the length, they didn’t get it from Bitwarden, since the hashed item is way longer.
  • if they DID get the length from Bitwarden, then they would have seen the whole password :disappointed:
  • whatever system they’re trying to get into will usually tell them the max number of characters, and thus shorten the potential combinations anyhow

Again, not saying some randomness wouldn’t be good, but you’ll get more entropy out of overall length than a variable amount.


:slight_smile: valid points. Thanks for the reply. I agree with your statements. I try and keep my passwords so long that knowing its length is effectively useless since it’d take so long to guess.

You underestimate the strength of a random generated password. A length of 15 is currently uncrackable, even with the most powerful computer on earth.

In fact, I use 20 character random passwords for 2 reasons:

  1. It’s a nice, round number
  2. It’s within the character limit of most websites, which is what I want to ask you. Do you often have to lower the length of the pass because there is a limit? Isn’t this a pain in the a**?

Even more of a pain is when some programmer “helpfully” gets the software to cut off the password, without telling the user.


I pick around 20 as my setting also. I DO have issues where old-thinking large websites have capped the password length at 12-13 characters. Funny, these are major providers with millions and millions of users, so you would think they would step into the current technology with passwords. I could see capping at maybe 25 or so, but 10-13 is too short for today’s standards.

In addition, as another observation, these old time major websites are almost always the ones that have not touched meaningful U2F or any 2FA yet.


When using all of the random characters Bitwarden allows, each additional character, rounded to the nearest magnitude to make the math easier, increases the entropy by 100x. Knowing that a password is 33 chars long vs 32 chars would only save you the time of going through all 32 char passwords, which is only 1/100th the number of 33 char passwords, which is only a 1% difference. But then you say, but wait, it also saves them from having to go through all of the 31 char passwords as well. Well, that only saves 1/100^2, or 0.01% extra time, for a total of 1.01%. And 30 char passwords… 1.0101%. Or something along these lines…

In the end, knowing a password is longer adds no significant benefit. Though knowing it’s shorter does mean the attacker has more options.

That said, no one is breaking a single 20 char password without destroying the earth. They will side channel attack, which doesn’t matter how long the password is. In fact, with a side channel attack, a longer password could leak more data about the password as it must exist unencrypted longer as it takes longer to process, but probably not by any significant amount.
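The two arithmetic claims in this thread (that knowing the exact length saves an attacker only about 1% of the work, and that a random length in a range adds less entropy than simply using the longer length) can be checked directly. The following is an added example, not Bitwarden's code or anything posted in the thread. It assumes a 94-symbol alphabet (ASCII letters, digits and punctuation, close to a generator with all character classes enabled; the post above rounds this to 100), and models the requested feature as a length drawn uniformly from a range followed by uniformly random characters.

```python
import math
import secrets
import string

# Constructed assumption: the generator draws from the 94 printable ASCII
# characters excluding space. The thread rounds this to 100 for easy math.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(ALPHABET)  # 94


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def shorter_lengths_fraction(length, alphabet_size=ALPHABET_SIZE):
    """Work an attacker skips by knowing the exact length, expressed as a
    fraction of the full-length keyspace: sum of all shorter keyspaces
    divided by the keyspace at `length` (the 1% + 0.01% + ... series)."""
    shorter = sum(alphabet_size ** k for k in range(1, length))
    return shorter / alphabet_size ** length


def entropy_bits_fixed(length, alphabet_size=ALPHABET_SIZE):
    """Shannon entropy of a fixed-length uniformly random password."""
    return length * math.log2(alphabet_size)


def entropy_bits_range(lo, hi, alphabet_size=ALPHABET_SIZE):
    """Entropy when the length is chosen uniformly from [lo, hi] and the
    characters are then chosen uniformly: H(length) + E[H(chars | length)].
    The length choice contributes only log2(number of lengths) bits."""
    n_lengths = hi - lo + 1
    mean_length = (lo + hi) / 2
    return math.log2(n_lengths) + mean_length * math.log2(alphabet_size)


def generate(lo, hi, alphabet=ALPHABET):
    """The feature requested in the first post: pick a length in [lo, hi]
    with a CSPRNG, then fill it with uniformly chosen characters."""
    length = lo + secrets.randbelow(hi - lo + 1)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def main():
    # Knowing the exact length: how much of the search space is skipped?
    for size in (100, ALPHABET_SIZE):
        frac = shorter_lengths_fraction(33, size)
        print(f"alphabet {size:3d}: shorter lengths are {frac:.4%} of the 33-char keyspace")

    # Random length in 32..64 versus fixed lengths.
    print(f"fixed 32   : {entropy_bits_fixed(32):7.1f} bits")
    print(f"range 32-64: {entropy_bits_range(32, 64):7.1f} bits")
    print(f"fixed 48   : {entropy_bits_fixed(48):7.1f} bits")
    print(f"fixed 64   : {entropy_bits_fixed(64):7.1f} bits")

    pw = generate(32, 64)
    print(f"sample ({len(pw)} chars): {pw}")


if __name__ == "__main__":
    main()
```

The range option adds about log2(33), roughly 5 bits, on top of the entropy of the average length, so a 32-64 range lands just above a fixed 48-character password and about 100 bits below a fixed 64-character one. That is the first reply's point in numbers: the extra length, not the uncertainty about it, is where the strength comes from.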