Does it make sense to use a second Bitwarden account for extra security?
To explain a bit further, does it make sense to store the master password of the main account in a second Bitwarden account and make the main account’s master password even longer and more complex?
Seems like that would just double your attack surface.
Do be aware that Bitwarden’s terms of service limit each person to maintaining only a single free account, so if you do decide to do this, you will need to pay for at least one of the accounts.
Though you can have as many BW accounts as you want to - as long as it’s only one free account. (e.g. using several Premium accounts is perfectly legal)
Consider the extreme case, in which the master password for your main account has the maximum meaningful value of entropy (256 bits), such as 98^@^*655$28%8&3!%726@%**!%^&&62&78*!7*6@6#%27!8#937#62*@!$5^39& (64 characters randomly chosen from a pool of 16 characters). No attacker is going to crack that password by brute-force guessing.
Thus, in that case, you would at best have created a situation in which the strength of the secondary account’s master password is the factor that limits the protection of your primary account. And in practice, other attack surfaces that do not require brute force password cracking (phishing, social engineering, session token theft) are now doubled because you now have two vaults that could be targeted instead of just one.
Therefore, in most cases, you are better off with just a single Bitwarden account, for which you should set a master password that has an appropriate balance between strength and ease-of-use (a 4-word random passphrase is recommended).
Thanks for explaining. I’m having some security issues, so unless absolutely necessary I don’t create recovery codes for my accounts—an attacker could potentially discover recovery codes by trial and error and take over the account. My master password is about 100 characters long with a mix of letters and numbers, so a 4‑word random passphrase is completely unacceptable for me.
I don’t know what this is a reference to — I have not said anything about recovery codes.
Bitwarden accounts do not have recovery codes for the master password. There is a Two-Step Login recovery code that can be used to disable 2FA on your account, but it is sufficiently long to make it impossible to guess by trial and error.
If you are concerned about your Bitwarden account security, then I would advise you to learn some basic facts about password strength (entropy).
If your 100-character master password was randomly generated (e.g., XKRDRTKJ9SZ4PN8UCOD2DEI3SQTRYYMCH0JNY1LJD3J2FF4EZ2UKIYEPYE5ZNDR7S9X0P4OZGEET7YL7FQ2DMWQ101QA7HCS10I9), then congratulations, your password cannot be guessed by trial-and-error (a.k.a. brute force attack).
However, if your master password was actually not generated by selecting each character using a cryptographically secure pseudo-random number generator (CSPRNG) or a true entropy source (e.g., dice rolls), then I have bad news for you: your master password is likely to be much less resistant to a brute-force attack than you believe, and it is mathematically impossible to estimate how weak or strong your master password is. Therefore, you are basing your entire vault security on an act of faith (hoping that your password is uncrackable), instead of a rigorous risk analysis.
Conversely, your aversion to 4-word passphrases is irrational. It can be mathematically proven that guessing such a password by trial-and-error is not possible unless an attacker invests millions of dollars to finance the costs of the brute force attack (e.g., electricity costs to run the computers). Therefore, unless you are being targeted by a nation-state actor, or are a multimillionaire, a 4-word passphrase is perfectly adequate to protect your Bitwarden account. If you increase the number of words to 5, then the attacker’s cost will rise to many billions of dollars — while the number of characters that you’d need to type to log in would be less than half of what it is now.
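The entropy and attack-cost reasoning in the two replies above (the 256-bit "64 characters from a pool of 16" case, and the 4-word versus 5-word passphrase comparison), worked through as an added example. This is not code from the thread or from Bitwarden; the guess rate per GPU, the GPU-hour price, the KDF assumption and the 7776-entry wordlist size (the EFF long list, one word per five dice rolls) are all labelled assumptions that you should replace with figures from your own threat model.

```python
import math
import secrets
import string

# ASSUMED parameters for the cost estimate (not from the thread; adjust to
# your threat model). Every guess against a vault must run the account's
# key-derivation function, so the guess rate is far below raw hash speed.
ASSUMED_GUESSES_PER_SECOND_PER_GPU = 2_000   # assumed: slow KDF (e.g. PBKDF2, ~600k iterations)
ASSUMED_GPU_HOUR_COST_USD = 0.50             # assumed: rental or electricity cost per GPU-hour
EFF_LONG_WORDLIST_SIZE = 7776                # 6**5 entries, one per five dice rolls


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent, uniformly random
    picks out of `pool_size` symbols (characters or words). Only valid when
    each pick really came from a CSPRNG or dice; a human-chosen string has
    no computable entropy, which is the point made above."""
    if pool_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 pick")
    return length * math.log2(pool_size)


def expected_guesses(bits: float) -> float:
    """An attacker who searches the keyspace finds the secret, on average,
    after trying half of it."""
    return 2.0 ** (bits - 1)


def attack_cost_usd(bits: float,
                    guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND_PER_GPU,
                    gpu_hour_cost: float = ASSUMED_GPU_HOUR_COST_USD) -> float:
    """Expected money an attacker spends to brute-force the secret."""
    gpu_hours = expected_guesses(bits) / (guesses_per_second * 3600)
    return gpu_hours * gpu_hour_cost


def random_string(pool: str, length: int) -> str:
    """Generate a password the way the reply demands: every character chosen
    by a CSPRNG (`secrets`), never by a human or by `random`."""
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(wordlist: list, n_words: int) -> str:
    """Diceware-style passphrase: each word chosen uniformly by a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_scenarios() -> dict:
    """Entropy and assumed attack cost for the cases discussed above."""
    scenarios = {
        # 64 characters from a 16-symbol pool: exactly 256 bits
        "64 chars, 16-symbol pool": entropy_bits(16, 64),
        # 100 random uppercase letters and digits, as in the second reply
        "100 chars, A-Z0-9": entropy_bits(len(string.ascii_uppercase + string.digits), 100),
        "4-word passphrase": entropy_bits(EFF_LONG_WORDLIST_SIZE, 4),
        "5-word passphrase": entropy_bits(EFF_LONG_WORDLIST_SIZE, 5),
    }
    return {name: {"bits": bits, "cost_usd": attack_cost_usd(bits)}
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(f"{name:26s} {r['bits']:7.1f} bits   ~${r['cost_usd']:.3g} (assumed rates)")
    # Example of generating secrets correctly rather than typing them yourself:
    print(random_string("0123456789ABCDEF", 64))
```

With the assumed rates, the 4-word passphrase works out to roughly a hundred million dollars of GPU time and the 5-word one to about 7776 times that; the two long random strings are simply out of reach. The absolute figures move with the assumptions, but the ratios between scenarios do not, which is the comparison the reply is making.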