Reject all "Weak" Master Passwords on Account Creation

Issue: a user can create a new Bitwarden account with a minimum 8 character string of any combination of letters, numbers, and symbols. This can lead to very weak passwords such as abcdefgh or 12345678.

What occurs on account creation:
When a user creates a weak password, they are shown a password strength meter that the password is “weak.” If they choose to proceed, a warning box then appears. Both good practices.
However, they can then choose to ignore these warnings and create a very weak password.

Recommendation:
Reject all “weak” passwords when creating an account, requiring the user to increase complexity to protect themselves.

Current Risk:
We can see from the LastPass debacle that weak master passwords create reputational damage for the company. This user choice comes back to bite the company as a weak security practice, even though it rests on a principle of “informed user choice.” Secondly, in the face of a hack of vaults in the cloud, it leaves the user who employs a weak password very vulnerable to brute force. This is a vicious circle that feeds on itself.

Benefit:
Stronger master passwords will enhance general confidence in Bitwarden’s security model.

NB. Respectfully, this feature request is not an invitation to discuss keyfiles, a different security model, which already has threads dedicated to them. It is intended to strengthen Bitwarden’s existing security model.

I understand what you are saying, but I hope that you are not proposing an increased lower bound on the password length. If so, users who know what they’re doing should have the option to bypass any such restriction. For example, it is possible to create an 8-character master password that would take almost 50 years to crack using a massive ($2 million USD) cracking rig containing 1000 high-end GPUs. With the new Argon2id KDF, it may be possible to create even shorter master passwords that are perfectly secure.

In any case, using password length as a proxy for strength is misleading. For example, an experiment with Bitcoin “brain wallets” showed that it took hackers only 1 second to crack the 116-character passphrase It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife (the opening sentence of Pride and Prejudice).

I am not. You are correct. I intentionally worded it to avoid increasing minimum characters, requiring symbols, upper case, or numerals. Simply, if Bitwarden’s password strength notes it as “Weak” it is rejected until it no longer says weak. That’s it. It is designed to allow the user to maintain maximum flexibility without creating undue risk. Hope this clarifies.

Bitwarden’s strength test algorithm (zxcvbn) is not perfect:

 
                             vs.
 

 
My point is that it is tricky to automatically estimate password strength based on the password itself (with no knowledge of how the password was generated).

In my opinion, the only robust solution to this would be to have Bitwarden assign each new user a master password consisting of a randomly generated 5-word passphrase, and to only allow changes of the master password if the user clicks through an acknowledgement of the fact that user-generated passwords may put the vault security at risk.