That’s my reasoning as well. The only drawback I currently see for bitwarden is that it’s US based and I have zero trust in their current government not going to cut off the rest of the world at some point. I’m still using it, but I make sure to make regular encrypted backups of my vaults.
Randomly generate your master password too. It takes a bit to memorize, but becomes muscle memory pretty quickly. And since random passwords have the highest possible entropy per character you can use a shortish one, which allows for fast typing while still being impossible to brute force (I use 16 chars).
There’s a xkcd for that of course! Linking directly to the explain as it has more info but the important thing is: password guidelines tricked humans into thinking in a machine way about safe passwords but long pass phrases are more secure from an entropy point of view and way easier to remember!
The xkcd-suggested passwords have 44 bits of entropy. Assuming a weak hash like SHA1, a single 4090 could crack such a password in under 10 minutes (source).
My 16 character password, with 70 symbols per character, has log₂70 * 16 ≈ 98 bits of entropy. That corresponds to a cracking time of over 200 billion years with the same parameters.
xkcd’s password system is quite terrible for security. Its only advantage is that it’s relatively secure for how easy it is to remember. If you’re someone who really struggles to remember passwords and would otherwise use something even weaker, go for it, but if you want security then random characters are the way to go.
And your opinion is exactly that and doesnt match security research:
For the following you’re not the target group but others reading this who might want to make their lifes easier. Just from your way of writing I at least don’t expect that minor sources like okta or the NCSC will change your mind.
( article links with high level descriptions and links to their primary sources)
I’m not arguing that random passwords are better for everyone, just that they’re most secure for their length. A 9 word passphrase is just as secure as a 16 character random password, but is far longer.
A 4 word xkcd passphrase is more or less equivalent to a 7 character random password, and is secure with xkcd’s threat model (online brute force attack) but not with other threat models, like a brute force of a weak hash, which is many orders of magnitude faster.
If you’d like to verify the math:
4 word xkcd passphrase: 2048 (possible words) ^ 4 (number of words) = 44 bits of entropy ≈ 17.6 trillion possibilities.
7 word password: 70 (possible characters) ^ 7 (number of characters) ≈ 42.9 bits of entropy ≈ 8.2 trillion possibilities.
(Adding an eighth character raises the number to 576 trillion).
Both Bitwarden and 1Password can also generate passphrases with high entropy that are much easier to memorize and enter. I use that for my master password.
I’m not prone to forgetting things, but if you are, it’s easy enough to write down and store somewhere secure like a safe deposit box. If you have people you trust, you should have a backup copy anyways so they can access your password manager if you die suddenly.
Get a password manager. It’s a lot more secure and easier to only have to remember one strong main password and have the rest randomly generated
^ I love Bitwarden
I enjoy self hosting it
(Rather vaultwarden)
If it’s something of vital importance, my mantra is to pay for someone else to host it.
They can have the responsibility of security / updates / etc. because a company full of people can do that better than I ever can.
That’s my reasoning as well. The only drawback I currently see for bitwarden is that it’s US based and I have zero trust in their current government not going to cut off the rest of the world at some point. I’m still using it, but I make sure to make regular encrypted backups of my vaults.
In case you didn’t know, you can opt to have your passwords stored in EU by making an account on bit warden.eu
KeePassXC, donor, and I sync it with my (self-hosted) SyncThing server.
FWIW, LastPass is bullshit. DYOR, and stay safe, citizens!
Also, it could be taken as a positive that BitWarden is the example Wikipedia uses to define password strength. 🤌🏼
Randomly generate your master password too. It takes a bit to memorize, but becomes muscle memory pretty quickly. And since random passwords have the highest possible entropy per character you can use a shortish one, which allows for fast typing while still being impossible to brute force (I use 16 chars).
There’s a xkcd for that of course! Linking directly to the explain as it has more info but the important thing is: password guidelines tricked humans into thinking in a machine way about safe passwords but long pass phrases are more secure from an entropy point of view and way easier to remember!
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
The xkcd-suggested passwords have 44 bits of entropy. Assuming a weak hash like SHA1, a single 4090 could crack such a password in under 10 minutes (source).
My 16 character password, with 70 symbols per character, has log₂70 * 16 ≈ 98 bits of entropy. That corresponds to a cracking time of over 200 billion years with the same parameters.
xkcd’s password system is quite terrible for security. Its only advantage is that it’s relatively secure for how easy it is to remember. If you’re someone who really struggles to remember passwords and would otherwise use something even weaker, go for it, but if you want security then random characters are the way to go.
Take a sentence with 200 characters then.
And your opinion is exactly that and doesnt match security research:
For the following you’re not the target group but others reading this who might want to make their lifes easier. Just from your way of writing I at least don’t expect that minor sources like okta or the NCSC will change your mind.
( article links with high level descriptions and links to their primary sources)
https://www.okta.com/identity-101/password-vs-passphrase/
https://www.4bis.com/passphrase-vs-complicated-passwords-passphrases-are-best/
https://specopssoft.com/blog/passphrase-best-practice-guide/
I’m not arguing that random passwords are better for everyone, just that they’re most secure for their length. A 9 word passphrase is just as secure as a 16 character random password, but is far longer.
A 4 word xkcd passphrase is more or less equivalent to a 7 character random password, and is secure with xkcd’s threat model (online brute force attack) but not with other threat models, like a brute force of a weak hash, which is many orders of magnitude faster.
If you’d like to verify the math:
4 word xkcd passphrase: 2048 (possible words) ^ 4 (number of words) = 44 bits of entropy ≈ 17.6 trillion possibilities.
7 word password: 70 (possible characters) ^ 7 (number of characters) ≈ 42.9 bits of entropy ≈ 8.2 trillion possibilities.
(Adding an eighth character raises the number to 576 trillion).
Both Bitwarden and 1Password can also generate passphrases with high entropy that are much easier to memorize and enter. I use that for my master password.
Once you forget it, you lose everything
I’m not prone to forgetting things, but if you are, it’s easy enough to write down and store somewhere secure like a safe deposit box. If you have people you trust, you should have a backup copy anyways so they can access your password manager if you die suddenly.