Return default Passphrase length to 3 words or allow users to select fewer than 6

The newly introduced passphrase length of 6 words means that the passphrase generator is useless for about 50% of the sites I use which have a maximum password character limit.

For some sites I use passwords with random characters but where I am prevented from installing the browser extension, being able to type a Passphrase means I am less likely to make a mistake.

Please revert the decision to default to 6 words and/or remove the restriction on users changing the number of words to fewer than 6. By all means caveat the change with warnings but you have worsened the user experience by requiring the user to delete extraneous words to meet legacy character limits.

9 Likes

Vote here: Avoid arbitrary length restrictions in generator

1 Like

Do vote for the feature request, but FYI, the change in question is already being reverted. The feature request is still relevant, because there is still some arbitrariness in the default limits and in the recommended values.

1 Like

Appears to be broken indeed. I use passphrases for passwords, and it is stuck at six phrases. :sweat_smile:

It used to have a minimum of three. Desktop app and mobile are okay. I emailed Bitwarden support for them to be advised.

@HAYWIRE2466 Welcome to the forum!

I moved your comment into a different thread, as it was not relevant to the thread where you had posted it.

As you can see from the comments above, this new behavior was an intentional change made by Bitwarden (not a bug), but it will be removed in the next release.

1 Like

When trying to create a new passphrase using the generator in a Browser add-on or the Windows Bitwarden apps, it seems I can’t generate a phrase with less than 6 words. However, on the mobile I can generate with 3 words.

This seems like an odd choice:

  • Is 3, 4 or 5 words somehow more secure if it is done on a mobile?
  • Should the user not be able to choose any number they like?

My use case here is generating passphrases to share with other people when resetting passwords. It is hard enough to get them to accept passphrases as it is. When I tell them they need to type in 6 words they look at me like I am crazy - then they will reset them to something short and less secure the first opportunity they get.

It seems, this is going to be reverted with the next release: [PM-14964] revert passphrase minimum by audreyality · Pull Request #12019 · bitwarden/clients · GitHub

There are some further discussions about that in this feature request: Avoid Arbitrary Length Restrictions in Generator

2 Likes

Blimey - it seems everything I noticed recently is getting fixed in the next release.

What’s going on with QA at Bitwarden?

1 Like

Is there a strong security motivation to force the passphrase to be at least 6 words long? The change is a bit confusing and is making me question whether I should actually review all my passwords.

@javrd Welcome to the forum!

This is actually a very good question, and a big mystery at the moment!

To answer your question directly, the appropriate length of a passphrase depends on the security application. For example, the Bitwarden vault master password itself does not need to have more than 4 words (50 bits of entropy) to provide sufficient protection against plausible brute-force attack scenarios (and a passphrase used as a PIN for unlocking should have even shorter length — perhaps as low as 2 words). Another example is PINs used for user verification on Yubikeys — as illustrated here, even a single passphrase word would provide reasonable protection against a brute-force attack. Nonetheless, for a generic online account (where you know nothing about how passwords have been hashed before they are stored on the server), if you must use a passphrase, then 6 words should probably be your lower limit (but you should only use passphrases rather than random-character passwords if it is for a login that you expect to have to type manually, or communicate verbally).

However, it is evident that Bitwarden has recently become highly motivated to bump up the entropy (strength) of passphrases produced by their password generator (while there seems to be no corresponding urgency to increase the entropy of generated “passwords” — i.e., random character strings).

This was the impetus for the passphrase word limit increase as a “hot-fix” in version 2024.11.0, allowing Bitwarden to buy time while they work on extending the size of the passphrase wordlist, to increase the entropy per word. The “hot-fix” has now been reverted, with version 2024.11.2, but the underlying effort to increase passphrase entropy presumably continues behind the scenes.

Despite repeatedly being asked by users, Bitwarden has not given up any information about the motivation for their sudden interest in passphrase minimum entropy. While speaking for themselves (not for Bitwarden), one of the developers involved made cryptic comments hinting at the possibility of an as-of-yet unpublished disclosure of a security vulnerability — that would presumably be mitigated by an increase in minimum passphrase entropy. If there is a vulnerability that has not yet been made public (until all necessary fixes are in place), then it would make sense why Bitwarden is being coy about their motivations for these changes.

The lack of official information from Bitwarden has led to some speculation among users, my favorite of which is the theory that Bitwarden has received advanced notice of the availability of a passphrase-cracking quantum computing circuit — in that context, it would make perfect sense to exactly double the minimum passphrase length from 3 to 6 (because Grover’s algorithm for quantum searching reduces the effective entropy by one-half), and it would also explain the hyperfocus on passphrases (while not worrying about low-entropy passwords consisting of random character strings), whereas the hardware for a quantum computing circuit would be designed and optimized for a specific task (e.g., passphrase cracking) and not necessarily be generalizable to other tasks (password cracking).

Finally, FWIW, Bitwarden’s current strategy of increasing the size of the word list is probably not going to work that well. To make the entropy of a passphrase double its current value at the same word length, the source word list would have to increase in size from 7776 words to over 60 million words. As there are at most a half-million words in the English language, this will not be possible without introducing non-words, or words from other languages — and even with such additions, it seems like it would be extremely difficult to meet the goal of 60 million words (and if the goal does happen to be met, then each passphrase word will have less than a 1% probability of being a real English word; this would kill the utility of passphrases).

If the extended word list is limited to comprise only real words that have a reasonable chance of being part of a user’s vocabulary (around 30,000 words), then the entropy per word will only increase from 13 bits to 15 bits, so Bitwarden would still need to raise the minimum passphrase length from 3 words to 5 words to ensure that the minimum entropy is no lower than 75 bits or so (which seems to have been the target entropy when the 6-word limit was introduced in version 2024.11.0). They could set the minimum passphrase length to 4 words (while keeping the minimum entropy above 75 bits) by including every English word form in the word list (including words that are archaic or very obscure).

1 Like
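The entropy arithmetic in the post above (bits per word for a 7776-word list, the 4-word master password estimate, the 60-million-word list needed to double entropy at the same word count, and the 30,000-word and half-million-word projections) can be checked with a few lines of Python. This is an added example for the thread, not Bitwarden code; the function names are mine, and the list sizes are the figures quoted in the post.

```python
import math

# Word-list sizes as quoted in the post above.
EFF_LONG_LIST_SIZE = 7776        # 6^5 diceware words
COMMON_VOCABULARY_SIZE = 30_000  # "reasonable chance of being part of a user's vocabulary"
ALL_WORD_FORMS_SIZE = 500_000    # "at most a half-million words in the English language"


def bits_per_word(list_size: int) -> float:
    """Entropy of one word drawn uniformly at random from a list of list_size words."""
    if list_size < 2:
        raise ValueError("a word list needs at least two entries to carry entropy")
    return math.log2(list_size)


def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase of `words` independent draws (separators add nothing)."""
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return words * bits_per_word(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits with this list."""
    return math.ceil(target_bits / bits_per_word(list_size))


def list_size_needed(target_bits: float, words: int) -> int:
    """Smallest list size at which a `words`-word passphrase reaches target_bits."""
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return math.ceil(2 ** (target_bits / words))


def projections() -> dict:
    """The post's figures, recomputed from the list sizes above."""
    three_word_today = passphrase_bits(3, EFF_LONG_LIST_SIZE)
    return {
        "bits_per_eff_word": bits_per_word(EFF_LONG_LIST_SIZE),
        "four_word_master_password_bits": passphrase_bits(4, EFF_LONG_LIST_SIZE),
        "three_word_bits": three_word_today,
        # list size that doubles 3-word entropy without adding words
        "list_to_double_three_word_entropy": list_size_needed(2 * three_word_today, 3),
        "bits_per_word_30k_list": bits_per_word(COMMON_VOCABULARY_SIZE),
        "five_words_30k_list_bits": passphrase_bits(5, COMMON_VOCABULARY_SIZE),
        # list size needed for 4 words to reach 75 bits
        "list_for_four_words_at_75_bits": list_size_needed(75, 4),
    }


if __name__ == "__main__":
    for name, value in projections().items():
        print(f"{name}: {value:,.2f}" if isinstance(value, float) else f"{name}: {value:,}")
```

Note that `list_size_needed` grows exponentially in the target: holding the word count fixed and doubling the bits squares the list size, which is why the post's 7776 becomes roughly 7776², and why raising the word count is the cheaper lever.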

Comment from @gtran on the GH issue created by @DrBazUK

2 Likes

@djsmith85 Thank you for linking @gtran’s comment, which I had not seen.

However, I have to say that I’m still confused/disappointed by the explanation provided, which is most definitely not some new vulnerability:

In the Hacker1 report, a 3-word passphrase generated can seem secure due to overall password length but has low entropy

The fact that passphrase entropy is not to be determined from character count is an obvious and well-known fact, and it surprises me that this was treated as some novel revelation that requires urgent countermeasures. Passphrases will trade reduced entropy density (around 1.7 bits/character for an EFF passphrase instead of 3.0–6.1 bits/character for a random-string password) for the benefits of increased ease of memorization and typing.

I wish I knew that I could have collected some HackerOne bounty by reporting this obvious fact! Not sure why the above report wasn’t just dismissed as out-of-scope (“Missing security best practices that do not directly lead to a vulnerability”).

EFF’s recommendation of a 6-word minimum is a red herring as well, because this recommendation is only applicable to certain assumed circumstances. EFF is not some authority on cryptography, either, so I don’t know why Bitwarden is taking security advice from unsourced claims made in some EFF blog article.

As I’ve noted above, any efforts to increase word list size are not going to solve the stated problem. It is mathematically impossible to create a word list that makes the passphrase entropy equivalent to a random character string of equal length (equal number of characters). Therefore, the “vulnerability” that was reported to HackerOne will not be solved by increasing the word list size.

The only viable strategy is user education. One option would be to include a hint text that says. “This passphrase is only as strong as a 6-character random password” (for a 3-word passphrase, for example), where the equivalent character count is always double the specified number of passphrase words.

Perhaps I was not so far off the mark in my initial reaction to the generator modifications, after all… *Sigh* :person_shrugging:

2 Likes

Thank you for your detailed explanation. Without being a security expert I found it really well explained and informative.

Not sure how hard it would be to implement multi-language word lists chosen by the user, but I think it's really common to understand words in 2 languages (at least for any non-native English speaker like me), and even more common to be able to correctly spell words in languages that you can't use. As a Spaniard, I could use without problem combinations of English, Spanish, Portuguese, Italian or even German words, even though I can only speak Spanish and English.

Having an idea about the entropy as a hint would be also nice so you can directly compare different options when choosing a password/passphrase.

It seems I misunderstood, or at least underestimated at some point (probably because of a famous meme about passwords vs. passphrases), the difference in entropy that they provide. So I've probably been abusing passphrases in some scenarios where I don't even need to see my password at all. I'll be fixing that behaviour in future and keep in mind what and where the password is for.

1 Like

As secure as they are, unfortunately most websites won’t allow the number of characters that come from 6 words, so I can’t use passphrases from Bitwarden anymore.

The default should be 6 words as a nudge to use secure passwords, but allow the user to lower it to 3 words.

At this point, you then just have to update your Bitwarden apps, because the 6-word-minimum is already fixed (or rather: reverted) everywhere - except for the Firefox extension, as the 2024.11.2 extension release is not “approved” by Firefox/Mozilla yet.

@dunxd I merged your thread into this one, in an effort to consolidate discussion on the same topic into a single thread.

Welp, I primarily use it on Firefox so I guess I’m out of luck for the moment.

I read something different in gtran’s comment than it being about character count delusions. I noted these words (my emphases added):

the passphrase generator is sourced from EFF’s Long Wordlist and is on the shorter side of 7776 words

“Sourced from” is not “equal to”, which is then confirmed. The problem appears to be Bitwarden using a shorter, less effective word list, which itself implies that increasing the list length will have more impact than otherwise.

@Mulled7768 The EFF “long” word list is in fact equal to the word list that is hardcoded in Bitwarden’s passphrase generator, and it contains exactly 6⁵ = 7776 words. This was always so. With this word list (or any other diceware list for 5 dice), the entropy per word is fixed at log₂(7776) = 12.9 bits, and with an average word length of 7.0 characters, the typical entropy density for the EFF “long” list was always 1.8 bits/character (or 1.6 bits/character if one includes the word separator character that is commonly included in passphrases).

Of course a 7776-word list is shorter (“on the shorter side”) compared to any word list containing 7777 words or more, and therefore will have less entropy per word than a passphrase generated using a longer word list. But that doesn’t explain why Bitwarden suddenly feels that it is imperative to increase the entropy of generated passphrases.

The relevant parts of @gtran’s statement are:

EFF’s guidance is to use a six-word passphrase with this source list, adding that ideal use-cases for passphrases are when directly used to encrypt information.

The above justifications are taken directly from an anonymous blog post published by EFF, which makes these two unsupported claims (“For most applications, we suggest making a six-word passphrase”; and “Your passphrase is especially suitable when directly used to encrypt information, like for full-disk encryption”) with no presented evidence or cited sources.

Further, @gtran revealed that the original impetus for these efforts to increase entropy of generated passphrases (but not of generated passwords) was a recent HackerOne vulnerability report:

In the Hacker1 report, a 3-word passphrase generated can seem secure due to overall password length but has low entropy

A 3-word diceware passphrase has always had 38.8 bits of entropy, so nothing has changed there that would warrant mitigations to the code; whether 38.8 bits should be considered a “low entropy” or not depends entirely on the specific application — it is actually a relatively high entropy if the 3-word passphrase is used as a Bitwarden unlock PIN, or as a Yubikey User Verification PIN.

So the most relevant part of Bitwarden’s published justification for modifying the passphrase generator behavior is the claim (attributed to the HackerOne report) that “a 3-word passphrase generated can seem secure due to overall password length” (emphasis added). The only reasonable interpretation of this statement is that Bitwarden is now concerned that users who generate passphrases erroneously believe that the passphrase strength depends on character count, and incorrectly assume that the passphrase strength is equivalent to the strength of a random character string password of equal length (e.g., believing that a 3-word passphrase, having an average length of 23 characters, would be equivalent in strength to a random character string of the same length).

That is what I was reacting to in my comment above.
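The strength hint proposed earlier in the thread (“This passphrase is only as strong as a 6-character random password” for 3 words, with the equivalent character count double the word count) and the entropy-density figures above (1.8 bits/character without separators, 1.6 with) can both be derived from the same arithmetic. The following is an added example for this thread, not Bitwarden's generator code; the function names are mine, the alphabet sizes are the standard ASCII class counts, and the list size and 7.0-character average word length are the figures quoted in the post above.

```python
import math
import string

EFF_LONG_LIST_SIZE = 7776   # 6^5 diceware words, as stated in the thread
EFF_AVG_WORD_LENGTH = 7.0   # average word length quoted for the EFF long list

# Alphabets a random-character generator might draw from (standard ASCII class sizes).
ALPHABETS = {
    "digits": len(string.digits),                                            # 10
    "lowercase": len(string.ascii_lowercase),                                # 26
    "alphanumeric": len(string.ascii_letters + string.digits),               # 62
    "printable": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def passphrase_entropy(words: int, list_size: int = EFF_LONG_LIST_SIZE) -> float:
    """Entropy in bits of `words` uniform draws from a list of list_size words."""
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return words * math.log2(list_size)


def entropy_density_per_word(list_size: int = EFF_LONG_LIST_SIZE,
                             avg_word_len: float = EFF_AVG_WORD_LENGTH,
                             separator_chars: int = 0) -> float:
    """Bits per typed character, optionally counting one separator per word."""
    return math.log2(list_size) / (avg_word_len + separator_chars)


def equivalent_random_length(words: int, alphabet_size: int,
                             list_size: int = EFF_LONG_LIST_SIZE) -> int:
    """Fewest uniformly random characters from the alphabet carrying at least as much entropy."""
    return math.ceil(passphrase_entropy(words, list_size) / math.log2(alphabet_size))


def strength_hint(passphrase: str, separator: str = "-",
                  list_size: int = EFF_LONG_LIST_SIZE, alphabet: str = "printable") -> str:
    """Hint text in the spirit of the thread's user-education proposal.

    The word count is taken from the separator; the list size is an input, because a
    hint cannot verify that the words really came from that list.
    """
    words = [w for w in passphrase.split(separator) if w]
    if not words:
        raise ValueError("passphrase contains no words")
    bits = passphrase_entropy(len(words), list_size)
    chars = equivalent_random_length(len(words), ALPHABETS[alphabet], list_size)
    return (f"This {len(words)}-word passphrase ({bits:.1f} bits) is only as strong as "
            f"a {chars}-character random {alphabet} password.")


if __name__ == "__main__":
    # Constructed sample passphrase; these words are illustrative, not a generator output.
    print(strength_hint("lantern-oatmeal-cactus"))
    print(f"{entropy_density_per_word():.2f} bits/char without separators, "
          f"{entropy_density_per_word(separator_chars=1):.2f} with one separator per word")
    for name, size in ALPHABETS.items():
        print(f"3 words ~ {equivalent_random_length(3, size)} random {name} characters")
```

The “double the word count” rule only holds against the full printable alphabet (about 6.55 bits per character, so one EFF word is worth just under two characters); against an alphanumeric or digits-only generator the equivalent length is longer, which is the kind of nuance a hint in the UI would have to get right.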

@grb My summary of your previous post: So the worry may be, that the difference between passwords and passphrases regarding “strength” or “entropy” leads to “bad” habits on the user side, right?

And that difference regarding strength / entropy derives from a different logic of how entropy is calculated for both - and that, unexplained (or at least “unaware” for the user), possibly leads to the false judgement on user side, that equal lengths result in equal “strengths”…

I'm becoming a bit sarcastic now, since it is a basic difference between passwords and passphrases :man_facepalming: … and entropy was often discussed in this forum… I guess more than one person wrote about “education about entropy” or something like that… I just did an experiment on the Help Sites / with the search function - try it out for yourself:

PS: And maybe a generator tool without any explanation / education is not a good idea after all… (of course, that topic is more complex and there are more sides and aspects to that, but I leave that aside for now)

1 Like