Hi
It’ll be great if the password generator can generate passphrases that have randomly capitalized characters for each word and added possibility to contain symbols.
Thanks
@Moamethic Welcome to the forum!
Can I ask why you would like such a feature? The whole purpose of using passphrases is that they should be easy to remember and easy to type. Adding randomized capitalization and random symbols will completely defeat that purpose.
Please describe your use-case.
If it's needed to remember it, then what is the reason to use Bitwarden?
I think a complex passphrase is a really good way to be secure but still a little easier to remember than passwords.
Your response is a little bit self-contradictory. If you are generating passwords that you don’t need to remember or manually type (because they are stored in Bitwarden and will be autofilled or pasted into the login form), then you should not use a passphrase at all — just generate a random character string containing letters, numbers, and special characters.
If you do need to memorize the login credential, then you should use a passphrase without embellishments such as the ones that you have requested. If the passphrase needs to be more secure, just add one more word.
Sorry to revive an old request. I’m wondering if, instead of a random capitalization, there could be a setting in the generator to capitalize the Xth digit of each word, rather than always the first.
I do use passphrases for memorized passwords, with BitWarden as my fallback. I think this would be a good compromise between ease of memorization, susceptibility to dictionary attack, and meeting the requirement of having capital letters included in the password.
@Jon_Truland Welcome to the forum!
It is a common misconception that passphrases are susceptible to dictionary attacks. The passphrases generated by Bitwarden are not susceptible to dictionary attacks (provided that they contain a sufficient number of words — typically, about 6–7 words, for 78–90 bits of entropy; if the authentication process uses OWASP-compliant KDFs for hashing, 4 words are sufficient).
Your proposed scheme would only add about 2–3 bits of entropy to the passphrase (assuming the value of X is chosen at random), so it does not strengthen the passphrase by any meaningful amount. You will get a greater entropy boost (around 6 bits) by including a randomly generated number in the passphrase.
As @grb suggested last year, “If the passphrase needs to be more secure, just add one more word”.
One can make a password stronger either by increasing complexity or adding length. Either is equally effective. It is not necessary to do both. With passphrases, the preference is to add length so it remains easy to remember and type.
Dictionary attacks have nothing to do with dictionary words; they are about finding your password/phrase in a large list of known passwords. This list is called a password dictionary. Such attacks succeed either due to disclosures or because humans have predictable habits. The mitigation is random generation coupled with either more complexity or more length.
An interesting proposition.
It turns out that increasing complexity (C) is more effective than increasing length (L), if and only if the following condition holds:
L > log C / log (1 + C^(-1))
Thus, if one starts with a password consisting of decimal numbers only (C=10), increasing length is more efficient than increasing complexity unless the original password consists of more than 24 digits (because 11^24 < 10^25, but 11^25 > 10^26).
Similarly, for diceware-style passphrases (C=7776), increasing the length is always going to be more effective than increasing the complexity, unless the original passphrase contains more than 69,668 words!
So in practice, increasing password/passphrase length is almost always going to be more effective than increasing the complexity.
The missing bit is that C tends to increase by more than one – 26 vs 52, 62 or 95.
I tend to focus more on the following passwords having approximately equal strength (~64 bits of entropy), presuming random generation:
- 2cr$u*Y#qBc (11 “full-complexity” characters)
- DitJpBoedHjK (12 upper/lower letters)
- ugonfbmhxqufjn (14 lower case letters)
- Showbiz Sporting Flattery Reggae Vintage (5 diceware words)
Which plays right into the observation that one can trade-off complexity for length.
The complexity would have to increase by a factor greater than C^(1/L) in order to exceed the effect of increasing the length by +1.
So, for lowercase letters (C=26), if L=10, then the complexity would have to increase to C’ = 26 × 26^(1/10) = 36 (e.g., lowercase alphanumeric strings) in order to get an effect similar to simply increasing the length to L=11.
More germane to the current discussion (in this thread) of passphrase strength, if one starts with a 4-word passphrase generated from a word list that has C=7776, then the complexity would have to increase to C’ = 7776 × 7776^(1/4) = 73,021 in order to get an effect similar to simply increasing the number of words to L=5.
Just to be clear, I don’t disagree with this general statement, only with the prior assertion that the effect of increasing complexity and increasing length are “equally effective” at increasing password/passphrase strength. Unless one starts with low complexity and long length (conditions that are definitely not satisfied for passphrases), increasing length is going to be more effective than increasing complexity.
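The figures traded back and forth in the posts above (bits per word for a 7776-word list, the 2–3 bit and ~6 bit embellishment estimates, the 24-digit and 69,668-word crossover points, the C’ = C × C^(1/L) equivalence, and the roughly 64-bit password/passphrase equivalents) can all be recomputed from the same two facts: a uniform random pick from C symbols is worth log2(C) bits, and independent picks add. The script below is an added example written for this page; it is not Bitwarden's generator code and not code from anyone in the thread. Two assumptions are labelled in the comments: the "include number" estimate assumes a single decimal digit 0–9 appended to one of the words, and the "capitalize the Xth letter" estimate assumes one X chosen uniformly from the first six letter positions and applied to every word.

```python
"""Entropy bookkeeping for randomly generated passwords and passphrases.

Every number here assumes the generator picks each element uniformly and
independently (a password manager's generator does; a human picking
"random" words does not).  Added example for the forum thread; the
constants below are the ones the posters used.
"""
import math

DICEWARE = 7776      # 6^5 words: Diceware / EFF-style word list
LOWER = 26           # a-z
UPPER_LOWER = 52     # a-z, A-Z
ALNUM = 62           # a-z, A-Z, 0-9
FULL = 95            # all printable ASCII


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` independent uniform picks from `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def extra_bits(choices: int) -> float:
    """Bits added by one independent uniform choice among `choices` options."""
    return math.log2(choices)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def length_threshold(alphabet_size: int) -> float:
    """Length above which C -> C+1 beats L -> L+1.

    (C+1)^L > C^(L+1)  <=>  L*(log(C+1) - log C) > log C
                       <=>  L > log C / log(1 + 1/C)
    """
    return math.log(alphabet_size) / math.log1p(1.0 / alphabet_size)


def extra_complexity_beats_extra_length(alphabet_size: int, length: int) -> bool:
    """Exact integer check of (C+1)^L > C^(L+1), no floating-point rounding."""
    return (alphabet_size + 1) ** length > alphabet_size ** (length + 1)


def equivalent_alphabet(alphabet_size: int, length: int) -> float:
    """Alphabet size C' with C'^L == C^(L+1), i.e. C' = C * C^(1/L)."""
    return alphabet_size * alphabet_size ** (1.0 / length)


if __name__ == "__main__":
    for words in (4, 5, 6, 7):
        print(f"{words} Diceware words: {entropy_bits(DICEWARE, words):.1f} bits")

    # Assumption: X chosen once from letter positions 1..6, applied to every word.
    print(f"capitalize Xth letter (X in 1..6): +{extra_bits(6):.1f} bits")
    # Assumption: one digit 0-9 appended to one of 4 words (10 * 4 equally likely outcomes).
    print(f"one digit on one of 4 words:       +{extra_bits(10 * 4):.1f} bits")

    for c in (10, LOWER, FULL, DICEWARE):
        print(f"C={c}: extra complexity wins only once L > {length_threshold(c):,.1f}")
    print(f"C=10:  11^24 > 10^25? {extra_complexity_beats_extra_length(10, 24)}"
          f"  11^25 > 10^26? {extra_complexity_beats_extra_length(10, 25)}")

    print(f"26 letters, L=10 -> need C' = {equivalent_alphabet(LOWER, 10):.0f} to match L=11")
    print(f"7776 words, L=4  -> need C' = {equivalent_alphabet(DICEWARE, 4):,.0f} to match L=5")

    for name, c in (("full ASCII", FULL), ("upper/lower", UPPER_LOWER),
                    ("lowercase", LOWER), ("Diceware words", DICEWARE)):
        n = length_for_bits(c, 64)
        print(f"64 bits with {name:15s}: {n:2d} elements ({entropy_bits(c, n):.1f} bits)")
```

The integer comparison in `extra_complexity_beats_extra_length` is the point of the exercise: Python's arbitrary-precision integers let you confirm the 24/25-digit and 69,668/69,669-word crossovers exactly rather than trusting a logarithm rounded to a few places, which matters because the Diceware threshold lands only 0.09 above the integer.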
Ah, I see it now. Equally was a poor word-choice because it evokes the concept of mathematical equality, which was not my intent. I have edited the earlier post to strike the word.
The original poster was positing the need to add complexity. We both were attempting to point out that adding length is a viable/better substitute. Me by focusing on usability, you by focusing on the math.
The bigger-picture problem is that “we” spent years harping on complexity, but have not effectively explained the lessons spelled out 7 years ago in Appendix A, leading people to continue believing that complexity is a must.