Return default Passphrase length to 3 words or allow users to select fewer than 6

My reading of gtran’s English expression is accurate. If what she said is not the case then it needed to be expressed otherwise.

The rest was obvious.

1 Like

This discussion came about because Bitwarden changed the minimum on passphrases so it was not aligned with the password minimum. The following are similarly strong, at ~13 bits of entropy:

  • 1 word “diceware” passphrase (dictionary size 7776)
  • 2 character password (95 “printable ascii characters”)
  • 3 letter password (26 letters)
  • 4 digit PIN.

So, it really seems odd that they would raise the passphrase minimum to 6 words, but continue to allow 5 character passwords.

Why the change to the minimum? I’m guessing it is because there is no industry standard for how strong a password must be, so the answer will vary based on who one listens to at the moment. Here are a few assorted (and sorted :slight_smile: ) opinions, presuming “characters” as defined above:

  • 53 bits – NIST 2017 “SHALL be at least 8 characters in length”
  • 53 bits – UK Govt. “minimum length of at least 8 characters”
  • 53 bits – Apple “strong password … eight or more characters”
  • 53 bits – Microsoft “we recommend keeping a reasonable eight-character minimum”
  • 53 or 99 bits – NIST 2024 draft “SHALL … minimum of eight … SHOULD minimum of 15 characters”
  • 78 bits – EFF “minimum of six [diceware] words”
  • 79 bits – Bitwarden “Master passwords … must be at least 12 characters”
  • 92 bits – Microsoft “Maintain a fourteen-character minimum” (same doc as above).

On top of that, there is the question of why a generator would have mandatory minimums, given that less-than-recommended is generally accepted when other mitigations are present. Weak passwords can be OK when more “expensive” encryption is being used, and when additional authentication factors are used. The prototypical example is 4-digit PINs used in conjunction with physical debit/credit cards.
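The entropy comparison in the post above, worked through in code. This is an added example, not the poster’s or Bitwarden’s code; it assumes every symbol is chosen uniformly at random by a generator (the 7776-entry diceware list, 95 printable ASCII characters, 26 letters, 10 digits), and the function and label names are mine.

```python
import math

# Symbol-set sizes used in the thread's comparison (assumed: uniform random choice).
ALPHABETS = {
    "diceware word": 7776,       # 6^5 words, e.g. the EFF long list
    "printable ASCII char": 95,
    "lowercase letter": 26,
    "digit": 10,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices.

    Only meaningful for generator output; human-chosen secrets have far less entropy.
    """
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, target_bits: float) -> int:
    """Smallest symbol count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_matching_password(password_len: int, charset: int = 95, wordlist: int = 7776) -> int:
    """Diceware words needed to be at least as strong as a random password of `password_len` chars."""
    return min_length_for(wordlist, entropy_bits(charset, password_len))


def guideline_bits() -> dict:
    """Entropy of the minimums quoted in the thread, rounded to whole bits."""
    minimums = {
        "NIST 2017 / UK / Apple / MS: 8 chars": (95, 8),
        "Bitwarden master password: 12 chars": (95, 12),
        "Microsoft: 14 chars": (95, 14),
        "NIST 2024 draft SHOULD: 15 chars": (95, 15),
        "EFF: 6 diceware words": (7776, 6),
    }
    return {label: round(entropy_bits(n, k)) for label, (n, k) in minimums.items()}


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        # Symbols needed to reach the ~13-bit level the thread compares (1 word, 2 chars, 3 letters, 4 digits).
        print(f"{min_length_for(size, 12.9)} x {name} ~= 13 bits")
    for label, bits in guideline_bits().items():
        print(f"{bits:3d} bits  {label}")
    # A 3-word passphrase already beats the 5-character password minimum the thread mentions.
    print("words to match a 5-char password:", words_matching_password(5))
    print("words to match a 12-char password:", words_matching_password(12))
```

Note that a 12-character master password (78.8 bits) strictly requires 7 diceware words, not 6 (77.5 bits); the thread’s 78 vs. 79 figures are both rounded.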

No need to guess, as Bitwarden has now provided an explanation for the changes, which I have critiqued above.

2 Likes

Gina’s explanation is the proximal cause. I am hypothesizing as to the underlying cause – conflicting advice amongst the “experts”.

I would say that the underlying cause is lack of education, critical thinking, and/or reading comprehension among a segment of users who:

  1. Don’t understand the trade-offs in advantages and disadvantages of using passphrases vs. passwords;
  2. Don’t know how to determine whether a passphrase is a better option than a password or vice versa;
  3. Use passphrases for the wrong use-cases, for the wrong reasons.

Bitwarden making a longer word list for passphrase generation will not save these users from themselves, unfortunately.

2 Likes

50% ?

Be closer to 100% methinks!

Please let us (manually) decrease passphrase word count to 3, Bitwarden.

This is a ridiculous situation.

And PS: thanks for the vote link - I’ve voted! :slight_smile:

Duncan.

Also primarily on FF - and have no intention of changing.

So also waiting for the FF extension to be updated / approved.

Do read this.