When is a password weak?

Bitwarden considers the following password weak:
*yyL4XU#

I don’t understand, all kinds of character types are used;
are 8 characters then considered weak??

Yes, 8 characters is weak. I would go with at least 10 for a relevant account.

You can play around here:
https://howsecureismypassword.net/

There are many websites like this, that can give you an idea of the security a password has to offer.

Also, the classic xkcd on the topic:


funny xkcd, thanks!


The best password is unique to the account, long, and random. If you need something easy and memorable (12-16 chars with letters, numbers, and symbols), make sure you enable 2 factor authorization (2fa) as well. Long passwords with mixed words (like the xkcd one) are not as great as you’d think, as many password guessing programs use dictionaries which can and will beat them quickly.

When 2fa is not an option, it’s recommended you use a unique, randomly generated password with the maximum length and character set allowed. That’s the whole point of using something like Bitwarden. Just make sure you have your password manager set with a good password (again 12 or more chars: letters, numbers, and symbols), and have 2fa enabled (using something like Authy).


Is it really necessary to use such a high security standard, even if the concerned application is protected against brute force attacks?

After all, even if the number of guesses to find the password is smaller with a password that is easy to remember, it is still huge if the password is long. And such a big number of possibilities can’t be tested if there is a brute force protection, if I’m right?

Applied to the master password of Bitwarden, knowing that Bitwarden has a brute force attack protection implemented (I would like to know how it works, by the way), wouldn’t it be enough to choose a long password, but one that is easy to remember, without 2fa? I’m reluctant to use 2fa in combination with Bitwarden, as I prefer the simplicity. Of course 2fa would be safer, but is there really a big risk without it?

Of course, if we speak of the passwords that are registered in Bitwarden (and not of the master password), then it makes full sense to prefer long passwords that don’t use words and to choose a different password for every application. These passwords are more difficult to guess and we don’t need to remember them as Bitwarden does it for us.

It’s interesting how XKCD and https://howsecureismypassword.net calculate very different estimates on the duration of time that it would take to brute force a password.

Logging in usually consists of two elements: login id and password. Most of the time the login id is the same as the e-mail address, very easy to guess for the bandit; he (or she) only has to go for the password. Would it not be handier if we stopped using the e-mail address as the login id? Logging in to Bitwarden would then go as follows (for instance):
login: pierrotwarden1960
password: X4rrt5
What I am trying to say is: why not use the login id as an extra element of our ‘secret’? Wouldn’t it be more difficult for the bandit to trace 2 separate elements instead of 1?

Well, I guess it depends on what technique you imagine to use and what hardware you set as given. There are many password check websites, and pretty much all of them give different numbers. It’s just to get an idea. We don’t have to talk about 500 years or 500.000 years; I guess in that range we can just assume it would be pretty ok.
I guess there are some numbers that professionals would use to make such guesses. But I’d expect most of the websites are not made by security experts. Probably more like general IT experts with a rough idea of the subject.
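The disagreement between xkcd and howsecureismypassword.net noted above, and the reply that the numbers depend on technique and hardware, both come down to two inputs: the size of the search space and the assumed guess rate. The following Python is an added example, not code from this thread or from Bitwarden; it computes the entropy of the thread's password *yyL4XU# under a character brute-force model and of a four-word passphrase under a dictionary model, then shows how the cracking-time estimate swings with the assumed guess rate. The guess rates, the 7,776-word list size and the attacker labels are constructed assumptions.

```python
import math

# Constructed guess-rate assumptions (guesses per second), not measured figures.
GUESS_RATES = {
    "online login, rate-limited": 10.0,        # a throttled web form
    "offline, one GPU against a fast hash": 1e10,
    "offline, large cracking rig": 1e12,
}

def charset_size(password: str) -> int:
    """Size of the printable-ASCII class union an attacker would have to enumerate."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # punctuation and space in printable ASCII
    return size

def brute_force_bits(password: str) -> float:
    """Entropy if the attacker tries every string of this length over the detected charset."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy if the attacker knows the word list and only enumerates word combinations."""
    return num_words * math.log2(dictionary_size)

def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    return 2.0 ** bits / 2.0 / guesses_per_second

def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for unit, span in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def crack_time_table(bits: float) -> dict:
    """Expected cracking time for `bits` of entropy under each assumed attacker model."""
    return {name: human_duration(expected_seconds(bits, rate)) for name, rate in GUESS_RATES.items()}

if __name__ == "__main__":
    weak = "*yyL4XU#"  # the 8-character password from the thread
    print(f"{weak}: {brute_force_bits(weak):.1f} bits", crack_time_table(brute_force_bits(weak)))
    # Four words drawn from an assumed 7,776-word list, scored under the dictionary model
    print(f"4 words: {passphrase_bits(4, 7776):.1f} bits", crack_time_table(passphrase_bits(4, 7776)))
```

The same 8-character password comes out at millions of years against a throttled login and a few days against an offline guess at a fast hash, which is why the online-rate-limiting argument does not carry over to a vault file an attacker already holds.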

@cezi
You’re certainly right; the e-mail address is part of the game.
I think everything depends on the context. If the user is part of an organisation, the e-mail address is often very easy to guess. But if the user is a private user, then it’s more difficult. And it depends also on whether the attack targets a particular person or every user in general.
And there is one more parameter I think: a black hat could know an e-mail address, but he should also guess which password manager is used.