@dh024 - Thank you for your response to my OP. I have a few follow-up questions/comments:
If it is not too much trouble, I would still like an answer to my question about whether there is any benefit to using an obscure email, or an email that is long/complex? I’ve read elsewhere on the forum, that some BW users prefer to keep their login email address obscured, and I would like to understand why (in the context of the email being used as a salt for computing the Master Key).
Since I have the ability to create a dedicated email address just for my Bitwarden login, I would like some information to help me decide what form of an email address to use.
Edited to Add:
In response to my second question, you wrote:
The chart that you posted is for MD5 hashing. The source article at HiveSystems also contains the following version that is more relevant to PBKDF2-hashed passwords (although it’s unclear from the footnotes whether they have assumed 10^3 or 10^5 iterations, nor is it stated whether the values are upper bounds or means):
One point I was trying to make is that in real life (e.g., see the Ars Technica article I linked in OP), I doubt that any password cracker is going to spend years to try to brute-force my vault password – when their resources would be better spent going after lower-hanging fruit, or targets with higher value. Thus, in my opinion (which I am open to changing if presented with a well-reasoned counter-argument), a mean cracking time larger than around 10 years would be overkill. Thus, per the HiveSystems table for PBKDF2 hashing, using your recommended password format of mixing numbers/symbols with upper/lowercase letters, I should be safe with only 8 characters. The HiveSystems predictions seem significantly more conservative than the predictions made in the 1password blog linked previously, but I’m not sure what the methodological differences are that would account for this.
To achieve an optimal balance between password usability and strength, I’m trying to estimate the minimum required entropy that is likely to protect me sufficiently from real-life hacking scenarios.
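The post asks for an entropy estimate and flags two unknowns in the HiveSystems table (the PBKDF2 iteration count and whether the figures are means or upper bounds). The model below, an added example that is not part of the thread and not HiveSystems', 1Password's or Bitwarden's code, makes those two choices explicit: it computes the keyspace and entropy for a password built from chosen character classes, then scales the brute-force time by the PBKDF2 iteration count and reports both the mean (half the keyspace) and the upper bound (the whole keyspace). The attacker guess rate and the iteration counts in the `__main__` block are constructed placeholders, and the 33-character symbol class is an assumption (printable ASCII punctuation), so the printed years illustrate the method, not a measured benchmark.

```python
import math

# Character-class sizes used by the model. These are assumptions for this
# example (the symbol count follows printable ASCII punctuation), not figures
# taken from HiveSystems, 1Password or Bitwarden.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def alphabet_size(classes=ALL_CLASSES):
    """Number of distinct characters a random password may draw from."""
    return sum(CLASS_SIZES[c] for c in classes)


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly random password of the given length and classes."""
    return length * math.log2(alphabet_size(classes))


def keyspace(length, classes=ALL_CLASSES):
    """Total number of candidate passwords an exhaustive search must cover."""
    return alphabet_size(classes) ** length


def crack_time_seconds(length, hashes_per_second, iterations=1,
                       classes=ALL_CLASSES, mean=True):
    """Estimated time to brute-force one vault password.

    hashes_per_second: raw PBKDF2-HMAC block rate of the attacker (assumed).
    iterations: PBKDF2 iteration count; every candidate costs this many blocks,
                so 10^5 iterations makes each guess 100x dearer than 10^3.
    mean=True  gives the expected time (half the keyspace on average).
    mean=False gives the upper bound (the entire keyspace).
    """
    candidates = keyspace(length, classes)
    if mean:
        candidates /= 2
    return candidates * iterations / hashes_per_second


def seconds_to_years(seconds):
    """Convert seconds to Julian years for readable output."""
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed attacker model: 1e12 PBKDF2 blocks per second is a
    # placeholder, not a measured figure. The two iteration counts are the
    # 10^3 / 10^5 alternatives the post could not resolve from the footnotes.
    rate = 1e12
    for iters in (10**3, 10**5):
        for length in (8, 10, 12):
            mean_y = seconds_to_years(crack_time_seconds(length, rate, iters))
            worst_y = seconds_to_years(
                crack_time_seconds(length, rate, iters, mean=False))
            print(f"iters={iters:>6} len={length:>2} "
                  f"entropy={entropy_bits(length):5.1f} bits "
                  f"mean={mean_y:.3g} y  upper={worst_y:.3g} y")
```

Two things the model makes visible: the mean is always exactly half the upper bound, so a table that does not say which it reports is ambiguous by a factor of two; and the iteration count is a straight multiplier on the attacker's cost, so a 10^3 versus 10^5 assumption moves every cell by 100x, which dwarfs the mean/upper-bound question. The salt does not appear in the calculation at all: whoever holds a vault's hash holds its salt too, so its contribution is that each account's password must be attacked separately, not any secrecy of the value.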
