Time-Based Character Input for Master Password Entry (for Added Security)

Hello Bitwarden team,

I would like to suggest a new password security concept that could add an extra protection layer against password theft and keyloggers.

The idea is a time-based password input system.

Instead of entering the password normally, each character would need to be entered during a specific time window or pattern.

Example:
If the password is ABCD

The user would type:
A at second 2
B at second 5
C at second 8
D at second 11

If the timing is incorrect, the authentication fails.

Benefits:

  • Protects against keyloggers
  • Protects against shoulder surfing
  • Makes stolen passwords useless without the timing pattern
  • Adds an additional authentication layer without requiring extra hardware

This could be implemented as an optional security feature for users who want stronger protection.

Thank you for considering the idea.

@jabir Welcome to the forum!

To clarify, you are proposing this as a feature for the vault master password, right?

Yes, that’s correct. I’m proposing it as an optional security feature for the vault master password. The idea is that when unlocking the vault, the system would check not only the correct password but also a timing pattern for each character.

Thank you for clarifying. I have modified your feature request title to be more specific (old title was: “Time-Based Character Password Input for Extra Security”; new title: “Time-Based Character Input for Master Password Entry (for Added Security)”). In addition, I changed the “app:” tag to app:all, since the request does not seem to be specific to the Web Vault app.

1 Like

Okay, thank you so much. What do you think about this idea?

My unqualified first thoughts: sounds a bit complicated (how does someone measure the time in such a situation?) and I’m not sure if that would add much security to it. (e.g. how long does a login have to be to add enough variance/“randomness” to it?)

Personally, I’m looking forward to login with passkeys hopefully also coming to the desktop app and mobile apps.

1 Like

The thing is, I can share the first version I made.

It is a sign-up and a login page with a timer above that you can start and restart. So first, in the sign-up, you type your email, and when it comes to the password you can start the timer, and when you enter the characters it saves the exact second when you finish. It shows you a quick pop-up on each character when you enter it. And when you go to log in, you should enter those characters at the same time as when you signed up (there is also a timer on the login page as well).

I think it is an interesting proposition, but I think that most users will not find it practical, because their priority will be to enter the password quickly. For a random character string (mixed-case alphanumeric with special characters), average typing speed is a little less than 0.5 seconds/character, and it would take approximately 3.5 sec to type an 8-character password (providing for approximately 50 bits of entropy, which is sufficiently strong for a Bitwarden vault password).

With your idea, to allow for variability in reaction time, your predefined time intervals would have to be specified to the nearest second. I also believe that a delay of more than 4 seconds prior to a character would be too long, since this would result in a password entry time of more than 20 seconds, on average (if there are 8 characters). Thus, if the possible time delays before each character input time is either 1, 2, 3, or 4 seconds, then you are adding only 2 bits of entropy per character. Therefore, you could shorten the master password to 6 characters and still have around 50 bits of entropy (the minimum strength required for a Bitwarden vault password). On average, such a password would take 15 sec to enter, which is over four times the password entry time for a standard 8-character password without delays (or 2–3 times slower than entry of a 4-word passphrase without delays). For most users, this would likely be unacceptable.

Another pain point for users is that the proposed method would double the amount of information that a user must memorize about their master password.

The benefits that you have proposed are likely overstated. If this type of password entry is used by Bitwarden (or other major online services), then it is reasonable to assume that key-loggers will be designed to store the time of each character entered, along with the character value. With regards to shoulder-surfing, if this happens using video surveillance, then the timing information is readily available to the attacker.

Consider also that the user may write down the time intervals along with the password characters (in fact, it would be recommended practice to keep a written record of such information). Thus, if the master password is stolen, the time intervals may also be available to the thief.

All in all, since you requested my opinion, I would say that the proposed method creates significant inconveniences for the user, while providing very few advantages, if any.

1 Like
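To make the two posts above concrete, here is an added example (not Bitwarden code and not the forum member's prototype) that models the described sign-up/login timer and carries out the entropy and entry-time arithmetic from the reply. It assumes the timer records whole seconds since it was started (as the prototype description says), that delays are chosen uniformly from 1..n whole seconds, and that a random character comes from 95 printable ASCII symbols; the `enroll`, `verify`, `password_entropy_bits` and `expected_entry_seconds` names are this example's own. It generalizes the reply's single case (4 delay options, 6 or 8 characters) to any alphabet size, delay count and timing tolerance.

```python
"""Model of timed master-password entry plus the entropy/entry-time arithmetic.

Added example; assumptions: whole-second timer, delays uniform over 1..n seconds,
95-symbol alphabet, 0.5 s typing time per character.
"""
import hmac
import math
from typing import List, Sequence, Tuple

Keystroke = Tuple[str, float]    # (character, seconds since the timer was started)
Pattern = List[Tuple[str, int]]  # enrolled (character, whole second) pairs

PRINTABLE_ASCII = 95  # mixed-case letters, digits and symbols (assumption)


def enroll(keystrokes: Sequence[Keystroke]) -> Pattern:
    """Record the sign-up entry: each character with the whole second it was typed in.

    int() truncates, so 5.9 s and 5.1 s both enrol as second 5, matching a timer
    that only displays whole seconds.
    """
    return [(ch, int(t)) for ch, t in keystrokes]


def verify(enrolled: Pattern, attempt: Sequence[Keystroke], tolerance_s: int = 0) -> bool:
    """Accept only if every character matches AND lands within tolerance of its enrolled second.

    Characters are compared with hmac.compare_digest and the timing loop does not
    short-circuit, so a failed attempt costs the same work wherever it failed.
    """
    if len(enrolled) != len(attempt):
        return False
    chars_ok = hmac.compare_digest(
        "".join(ch for ch, _ in enrolled).encode(),
        "".join(ch for ch, _ in attempt).encode(),
    )
    timing_ok = True
    for (_, sec), (_, t) in zip(enrolled, attempt):
        timing_ok &= abs(sec - int(t)) <= tolerance_s
    return chars_ok and timing_ok


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII,
                          delay_options: int = 1) -> float:
    """Entropy of `length` random characters, each preceded by a delay chosen
    uniformly from `delay_options` distinguishable values (1 = no timing layer).
    Four delay options add log2(4) = 2 bits per character."""
    return length * (math.log2(alphabet_size) + math.log2(delay_options))


def expected_entry_seconds(length: int, delay_options: int = 1,
                           typing_s_per_char: float = 0.5) -> float:
    """Mean entry time: typing time plus the mean of a uniform 1..delay_options second delay."""
    mean_delay = (1 + delay_options) / 2 if delay_options > 1 else 0.0
    return length * (typing_s_per_char + mean_delay)


if __name__ == "__main__":
    # Constructed sample, the thread's "A at second 2, B at 5, C at 8, D at 11".
    pattern = enroll([("A", 2.4), ("B", 5.1), ("C", 8.9), ("D", 11.0)])
    print(pattern)
    print(verify(pattern, [("A", 2.0), ("B", 5.7), ("C", 8.2), ("D", 11.3)]))  # right rhythm
    print(verify(pattern, [("A", 0.5), ("B", 1.0), ("C", 1.4), ("D", 1.9)]))   # typed quickly: rejected
    for length, opts in ((8, 1), (6, 4)):
        print(length, "chars,", opts, "delay option(s):",
              round(password_entropy_bits(length, delay_options=opts), 1), "bits,",
              expected_entry_seconds(length, opts), "s")
```

Running it shows the trade-off the reply describes: 8 plain characters give about 52.6 bits in roughly 4 s of typing, while 6 characters with four possible delays give about 51.4 bits but take about 18 s on average (the delays alone account for 15 s). The `tolerance_s` parameter is the knob that would have to absorb reaction-time jitter; widening it makes entry more forgiving and removes timing entropy at the same time.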

I personally might set it up for a one-second delay between characters 7 and 8 and zero delay between all others. Not so much because it would introduce any measurable increase in security (“longer” does a better job at that), but because using a novel (as in “never seen before”) technology buys me time before bad actors add it to their TTPs (Tactics, Techniques and Procedures).

Overall, though, I do feel that the better approach for securing credentials lies with Passkeys, cert auth, and other approaches that do not involve memorizing static content.

I would like to share my idea with you on Discord, if you would like to see the full result to understand it more. The prototype will let you get my idea. Here is my Discord user: redacted, if you would like me to stream you the whole thing. Thank you again for your time and effort.

About memorising: the characters typed will be shown as a pop-up before you go to log in. It is a one-time pop-up, so you have to screenshot it to remember. My main idea is that even if the hacker gets the password, he won’t be able to enter it at the same rhythm.

@jabir I would be interested in how you think this could technically be implemented, especially for the input field? It couldn’t be the current master password input field, as that doesn’t count in the time. So, a new input field… – and every typed character has to be confirmed with enter, which leads to the next input field for the next character etc.?

I think I understand quite well what you are proposing. I have no plans to join Discord. If you want to show your prototype, I would suggest creating a screen recording and posting it here as a GIF.

I would share my idea with you if you like, so the prototype is clearer about my idea. Here is my Discord: redacted. Come and I will stream it to you all.

@jabir Just to clarify this: @grb, @DenBesten and I (@Nail1684) are just volunteer moderators here on the forum. We are not Bitwarden employees. So, even if we joined you on Discord, that wouldn’t have any direct consequences for your feature request here.

And it would make the most sense to further discuss your feature request here on the Community forum. So, I second @grb’s suggestion to make a screen recording and share it as a GIF here (or to share it here in whatever other way you’d like).

You might also check out this paper and the Wikipedia article on the topic.

The use of keystroke dynamics for authentication is related to, but not the same as the method described in the OP’s feature request. The existing research (reviewed in the two links you provided) is based on quantifying each user’s natural typing rhythm, and using that data as a biometric identifier. In contrast, the feature request here proposes the use of a pre-defined sequence of delays before each keystroke, which must then be executed by the user on password entry.

rythemPass

Okay, here I tried to make a GIF. Sorry for the low FPS, but I think you will get the idea: even if you entered the password but not with the right timing, you won’t be able to enter your account. The hard thing is to memorize all the exact seconds, but I think it is helpful, because my idea is that the rhythm won’t be saved in a database; you will just screenshot it at the moment when you sign up. You got it now?

So what do you think?

I have already expressed my misgivings here.