Return default Passphrase length to 3 words or allow users to select fewer than 6

@javrd Welcome to the forum!

This is actually a very good question, and a big mystery at the moment!

To answer your question directly, the appropriate length of a passphrase depends on the security application. For example, the Bitwarden vault master password itself does not need to have more than 4 words (50 bits of entropy) to provide sufficient protection against plausible brute-force attack scenarios (and a passphrase used as a PIN for unlocking should have even shorter length — perhaps as low as 2 words). Another example is PINs used for user verification on Yubikeys — as illustrated here, even a single passphrase word would provide reasonable protection against a brute-force attack. Nonetheless, for a generic online account (where you know nothing about how passwords have been hashed before they are stored on the server), if you must use a passphrase, then 6 words should probably be your lower limit (but you should only use passphrases rather than random-character passwords if it is for a login that you expect to have to type manually, or communicate verbally).

However, it is evident that Bitwarden has recently become highly motivated to bump up the entropy (strength) of passphrases produced by their password generator (while there seems to be no corresponding urgency to increase the entropy of generated “passwords” — i.e., random character strings).

This was the impetus for the passphrase word limit increase as a “hot-fix” in version 2024.11.0, allowing Bitwarden to buy time while they work on extending the size of the passphrase wordlist, to increase the entropy per word. The “hot-fix” has now been reverted, with version 2024.11.2, but the underlying effort to increase passphrase entropy presumably continues behind the scenes.

Despite repeatedly being asked by users, Bitwarden has not given up any information about the motivation for their sudden interest in passphrase minimum entropy. While speaking for themselves (not for Bitwarden), one of the developers involved made cryptic comments hinting at the possibility of an as-of-yet unpublished disclosure of a security vulnerability — that would presumably be mitigated by an increase in minimum passphrase entropy. If there is a vulnerability that has not yet been made public (until all necessary fixes are in place), then it would make sense why Bitwarden is being coy about their motivations for these changes.

The lack of official information from Bitwarden has led to some speculation among users, my favorite of which is the theory that Bitwarden has received advance notice of the availability of a passphrase-cracking quantum computing circuit — in that context, it would make perfect sense to exactly double the minimum passphrase length from 3 to 6 (because Grover’s algorithm for quantum searching reduces the effective entropy by one-half), and it would also explain the hyperfocus on passphrases (while not worrying about low-entropy passwords consisting of random character strings), whereas the hardware for a quantum computing circuit would be designed and optimized for a specific task (e.g., passphrase cracking) and not necessarily be generalizable to other tasks (password cracking).

Finally, FWIW, Bitwarden’s current strategy of increasing the size of the word list is probably not going to work that well. To make the entropy of a passphrase double its current value at the same word length, the source word list would have to increase in size from 7776 words to over 60 million words. As there are at most a half-million words in the English language, this will not be possible without introducing non-words, or words from other languages — and even with such additions, it seems like it would be extremely difficult to meet the goal of 60 million words (and if the goal does happen to be met, then each passphrase word will have less than a 1% probability of being a real English word; this would kill the utility of passphrases).

If the extended word list is limited to comprise only real words that have a reasonable chance of being part of a user’s vocabulary (around 30,000 words), then the entropy per word will only increase from 13 bits to 15 bits, so Bitwarden would still need to raise the minimum passphrase length from 3 words to 5 words to ensure that the minimum entropy is no lower than 75 bits or so (which seems to have been the target entropy when the 6-word limit was introduced in version 2024.11.0). They could set the minimum passphrase length to 4 words (while keeping the minimum entropy above 75 bits) by including every English word form in the word list (including words that are archaic or very obscure).

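The entropy arithmetic behind the post above, as an added worked example (not code from the post's author or from Bitwarden): bits per word is log2 of the word-list size, a passphrase's entropy is that times the word count, doubling per-word entropy needs a list of W² words, and the Grover speculation is modelled by halving the effective bits. The 7776-word list, the 75-bit target, the 30,000 and 500,000 list sizes and the 2024.11.0 six-word minimum are the figures the post itself uses.

```python
import math

WORDLIST_SIZE = 7776   # size of the diceware-style list the post cites
TARGET_BITS = 75       # entropy target the post infers from the 6-word minimum


def bits_per_word(wordlist_size: int) -> float:
    """Entropy of one word drawn uniformly from a list of the given size."""
    return math.log2(wordlist_size)


def passphrase_entropy(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Total entropy of a passphrase of `words` uniformly chosen words."""
    return words * bits_per_word(wordlist_size)


def min_words_for(target_bits: float, wordlist_size: int = WORDLIST_SIZE,
                  grover: bool = False) -> int:
    """Smallest word count whose entropy reaches target_bits.

    With grover=True the effective bits per word are halved, which is the
    post's model of a Grover-style quantum search (it squares-roots the
    search space, i.e. halves the exponent)."""
    per_word = bits_per_word(wordlist_size)
    if grover:
        per_word /= 2
    return math.ceil(target_bits / per_word)


def wordlist_size_to_double_entropy(wordlist_size: int = WORDLIST_SIZE) -> int:
    """List size W' with log2(W') = 2*log2(W), i.e. W' = W**2."""
    return wordlist_size ** 2


def real_word_fraction(real_words: int, wordlist_size: int) -> float:
    """Share of list entries that are real words if the list is padded to size."""
    return real_words / wordlist_size


if __name__ == "__main__":
    print(f"bits/word at {WORDLIST_SIZE} words: {bits_per_word(WORDLIST_SIZE):.2f}")
    for n in (2, 3, 4, 5, 6):
        print(f"{n} words: {passphrase_entropy(n):.1f} bits")
    print("min words for 75 bits:", min_words_for(TARGET_BITS))
    print("min words for 75 bits, Grover-halved:", min_words_for(TARGET_BITS, grover=True))
    print("list size that doubles per-word entropy:", wordlist_size_to_double_entropy())
    print("5 words from a 30,000-word list:", f"{passphrase_entropy(5, 30_000):.1f} bits")
    print("min words for 75 bits from 500,000 words:", min_words_for(TARGET_BITS, 500_000))
    print("real-word share of a 60M list padded from 500k real words:",
          f"{real_word_fraction(500_000, wordlist_size_to_double_entropy()):.2%}")
```

Running it reproduces the post's figures: about 12.9 bits per word, roughly 52 bits for 4 words and 78 for 6, a doubled-entropy list of 60,466,176 words of which under 1% could be real English words, and a 4-word minimum only once the list reaches half a million entries.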