User question about password vs. passphrase entropy

@KenMuir I thought I would respond to your comment in a new thread, so as not to pollute the other thread with off-topic discussion (and to not be subject to the “Slow Mode” constraint).

The math is actually very straightforward. If your 16-character master password was not randomly generated, then its strength is unknowable, and likely insufficient to adequately protect your Bitwarden vault. On the other hand, if you used Bitwarden’s password generator to create your master password (i.e., something like nNW1nN5nQ7#V@A7&), then its entropy would be at most 98 bits (depending on the exact settings used in the generator), corresponding to over 1029 guesses required (on average) before the password can be cracked.

The thing is that because Bitwarden uses a Key Derivation Function (KDF) to increase the time/cost of testing master password guesses, an attacker would have to spend at least a dollar (in hardware and electricity costs) for every billion guesses made. Therefore, they would have to make a multimillion dollar investment to crack even a master password that requires “only” quadrillions (1015) of guesses to find. As a result, unless the contents of your vault is known by the attacker to be worth hundreds of millions of dollars, they are not going to bother trying to crack any master password that contains more than eight random characters (e.g. a$n9Z*0Wm) — a 9-character random password would require about 20 quadrillion attempts to guess correctly (on average), at a cost of 20 million dollars. So, your 16-character master password (if randomly generated) is actually overkill — you could use a password about half that length and still be safe.

Now, considering passphrases, a randomly generated 4-word passphrase (e.g., giggling-dealt-starless-fog) would, on average, require almost two quadrillion attempts to guess, at a cost of at least 2 million dollars. If your Bitwarden vault is protecting assets worth much more than that, then you could use a five-word passphrase, which increases the attacker’s average cost to over 10 billion dollars.

If you really insist of having an overkill master password with entropy on the order of 100 bits (like a 16-character randomly generated password), then you could/should use an 8-word passphrase (like tibia-plot-poser-patchy-vaguely-backwash-train-heavily) — with a little bit of practice, this can be committed to memory as two separate 4-word phrases joined together (i.e., first memorize tibia-plot-poser-patchy, and then memorize vaguely-backwash-train-heavily after you are able to easily recall the first phrase).

1 Like

Hi - thanks for the very prompt and detailed response.

In the related thread (the source of this discussion) I had indicated I already had a 16-character randomly generated password.

I’ll accept your view that this may be overkill, but I’ve not yet convinced myself about the idea of reducing it to a more manageable length while still retaining adequate security. I’ve read the numbers and done the arithmetic, but it hasn’t quite sunk in with me at a conceptual level yet.

Another weakness I have is that I also find it difficult to comprehend fully the passphrase idea. All these words are dictionary words and every hacker will have that list. I still feel that performing a run-through of known words, four times in succession, to assemble potential passphrases seems such an easy task .

How is the original topic - biometric login - of the previous thread limited? I’ve realised that I don’t actually know. The generally accepted view is that everyone’s fingerprints are unique. However, once your finger (only one, not a combination of 10) has been read and stored somewhere, how is that identity recorded? Is it encoded as a number or string, and subsequent readings of your finger simply need to match enough portions of the string for access to be permitted?
(If this discussion is extending too far away from Bitwarden and its support, then please don’t waste time or effort. Your replies have been excellent so far, and I don’t want to turn this in to a general purpose discussion with no product focus.)

Thanks again.

This is a common fallacy. By the same logic, we could say (when it comes to a random-character password string):

All these characters are ASCII characters, and every hacker will have access to an ASCII table (or can just look at their computer keyboard to see the full list of characters).

First, hackers don’t get “partial credit” for correctly guessing one of the four words. It’s all or nothing — they must correctly guess all four words in the correct sequence, because when they make an incorrect guess, they will get no information that tells them they are getting warmer.

Second, even if it was possible for the hacker to know when the one of the words matched (it is categorically not possible for a hacker to know this, as clarified above) performing a run-through of 7776 known words (4 times) would take longer than performing a run-through of 95 known ASCII characters (or 70 character, for Bitwarden’s generator) 16 times.

In reality, because all components (words or characters) of the password must be correctly guessed all at once (with no clues gained from prior unsuccessful guesses), a hacker would have to try all possible permutations of words (or characters) in each position of the passphrase (or password). Therefore, the number of guesses to do an exhaustive search of all possible 4-word permutations would be 7776×7776×7776×7776; on average, the attacker would find the correct set of words (in the correct order) after testing half of the total set possibilities, so the number of required guesses would be ½×7776×7776×7776×7776, which is almost two quadrillion (1.8×1015) guesses.

Oh, I’ve done these calculations - even if I didn’t express myself unambiguously. Apologies. When I said, “run-through of known words, four times in succession, to assemble potential passphrases” I meant that a potential passphrase could only be assembled once having selected four words in succession. I didn’t mean to suggest that it was like Wordle, with hints for near or correct guesses!!

Perhaps I just need to take a leap of faith and switch to using a random passphrase to test that way. After using it for some time then I can ask myself, do I find it easier, and do I find it just as comforting and secure? Staring at statistical probabilities in the quadrillions hasn’t made me change so far, but maybe practical experience will overcome my reluctance.

Thanks, as ever, for all your help.

The key thing to understand is that a word in a word list is just a convenient representation of one of the possible random numbers that form the basis for the actual master password strength. As a consequence, a word in a word list is functionally equivalent to a character in a character set.

For example, if you make a word list containing only 10 words (e.g., January, February, March, April, May, June, July, August, September, and October), then a passphrase generated from that word list would be just as easy or difficult to guess as a numerical PIN of equivalent length — because a 5-digit PIN like 69582 can be encoded using the words in the word list, to form a 5-word passphrase (69582June-September-May-August-February); in both cases, an average of 50,000 attempts will be necessary before correctly guessing the PIN or passphrase.

Similarly, if you create a password character string by randomly selecting characters from the set of 11,172 Korean characters representing Hangul syllables, or if you take a 11,500-word word list and trim it to 11,172 words before generating passphrases, then the security of a random passphrase containing 4 words will be identical to the security of a random character string containing exactly 4 Hangul-syllable characters (because you can map the Hangul character set to the trimmed word list with a one-to-one correspondence). In both cases, an average of about 8 quadrillion attempts will have to be made before the password or passphrase is guessed.

There can be no arguing that an 8-word passphrase generated from the 11,500-word wordlist is actually somewhat more secure than your 16-character password (while an 8-word passphrase generated from Bitwarden’s 7,776-word wordlist is only slightly less secure).

The big question is whether you will feel comfortable reducing your password/passphrase strength (to allow for the fact that your current password — or its 8-word passphrase replacement — has an unnecessarily high level of entropy).

Aarrgh!! Now I have to learn Korean!

On the basis of Malcolm Gladwell’s 10,000 hours of practice to master a skill, I’m already too old. I don’t have 10,000 free hours to devote to this.

Much better if I just accept the facts and truth of something and don’t try to master it. Now then, where’s that random word passphrase generator … ?

I’m assuming that the above comment was in jest, but I’m confused about what it is that you feel you need to “master”.

If you’re unhappy with your 16-character random master password, then I can certainly guide you to find a suitable replacement. However, to do so, you need to start by deciding what level of master password strength you would feel comfortable with. Personally, I like to think of the password strength requirement in terms of what it would cost an attacker to brute-force guess the master password (especially in comparison to what an attacker likely stands to gain by accessing your vault contents). I usually land at a cracking cost around a million dollars as a yardstick (especially because there is nothing about me that would give an attacker the idea that my net worth is in excess of a million dollars).

There are certain other considerations for the hyper-paranoid. Are there valuable secrets contained in your vault that (unlike account passwords) cannot be replaced if compromised — for example, a trade secret? Are you concerned that the government or cybercriminals are currently in the process of siphoning encrypted data from the internet (e.g., by eavesdropping on internet traffic as you download your vault) for the purpose of warehousing such data in massive data silos until some future date at which quantum computers could possibly be used to speed up password cracking? If such concerns apply to you, then you will need to further bolster your master password entropy.

Yes, I’m sorry - the entire post was intended as a light-hearted closing comment on the topic. There’s a difference to me in seeing something expressed as numbers, weights, volumes, distances etc and actually having the mental image of the concept that supports them. That’s up to me to work on that. The remark about learning Korean was entirely in jest. I couldn’t find the markdown tags that would have explained that. (Yes, that sentence was in jest too.)

1 Like

No problem. Feel free to reach out if you need any guidance or assistance in the future.