by mackatap 1241 days ago
I never enter or remember any of the passwords bitwarden generates for me, I have an app and an extension for that.

The password in question here is the master password for your bitwarden account. Bitwarden can't remember that for you.
This is about the password you use to log into BitWarden itself.
But what if you need to enter it somewhere that doesn't support it? A physical device, a VM that doesn't allow copy and paste, a mobile app without support for copy/paste or password managers...

All those scenarios happen for me every couple of weeks and it's what's keeping me from using really long passwords with high complexity.

Using a passphrase is the way to go. Easy to type, remember, and more secure.

Obligatory xkcd: https://xkcd.com/936/

You're assuming that a) a passphrase is acceptable to the system/app and b) that people can competently pick words for a passphrase.

That damn XKCD is overly simplified at best. I really wish people would stop linking to it.

Please elaborate, how can you pick bad words for a passphrase? (Except obviously a movie title or an everyday sentence)

Like, if I go "street bologna drawer sunset fang", did I do well?

Popular movie quotes or lines from books with minor iterations are bad choices. They are somewhere out there and not as safe as one might think. Completely random choice of words is good, but it is not feasible to remember random passphrases for all of your accounts.

Other common methods include appending a particular character to each word or alternating words... creating a pattern of sorts, but this again makes it difficult to remember, which was the reason why we preferred passphrases instead of passwords in the first place.

> Popular movie quotes or lines from books with minor iterations are bad choices. They are somewhere out there and not as safe as one might think.

In English. Not all books in all languages ever published are "somewhere out there".

There are some things that are obviously bad: popular movie quotes. Slightly less bad (but still bad): any quote from anything ever produced in any medium.

Some things that are obviously good (you can calculate the entropy easily): diceware style schemes, generated with dice or a secure random generator.

Anything in the middle is quite hard to say. Humans are really bad at being random, so words you pick out of your head I'd be fairly suspicious of. But it's hard to prove it's a bad idea.

Considering length is key in computing “strength”, I’m curious how using a long dialog from a movie might make it bad? Presuming you account for the full 95-character entropy set (numbers, upper/lower letters, special characters) and padding¹, then how would an attacker know that a failed phrase failed because it was the wrong phrase or because they forgot to add some padding that is still unknown?

From a dictionary/rainbow table perspective I'm curious how they would know to include the following in their lookup tables before going full number-crunching mode:

  TO be or NOT two be - that is the question!!!!!!!!!!7872665398

Bitwarden² suggests this is strong, as does GRC Haystacks¹. Thoughts?

¹ https://www.grc.com/haystacks.htm

² https://bitwarden.com/password-strength/
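The two estimates being argued over above (the "you can calculate the entropy easily" point about diceware, and the 95-character-set reasoning behind the padded Hamlet quote) differ because they assume different things about what the attacker knows. The following is an added example, not code from the thread or from Bitwarden, that puts both estimates side by side. The naive estimate treats every character as uniformly random; the diceware estimate treats every word as uniformly random from a list (the 7776-word size is the classic diceware list); the third model is an assumption of the kind a password-cracker author would make: the attacker knows the scheme (pick a well-known quote, flip the case of some words, swap a homophone or two, add a run of exclamation marks and some digits) and only has to guess the choices within it. All parameter values (corpus size, number of substitutable words, maximum run length) are constructed assumptions for illustration.

```python
import math

# Constructed sample from the thread, used only to measure its length.
SAMPLE_QUOTE_PASSWORD = "TO be or NOT two be - that is the question!!!!!!!!!!7872665398"
# Constructed sample of a five-word random passphrase (also from the thread).
SAMPLE_DICEWARE = "street bologna drawer sunset fang"


def charset_entropy_bits(length: int, charset_size: int = 95) -> float:
    """Naive estimate used by 'haystack'-style calculators: every character
    is assumed to be drawn uniformly from a 95-symbol printable set."""
    return length * math.log2(charset_size)


def diceware_entropy_bits(num_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random,
    with replacement, from a list of wordlist_size words (7776 = 6**5,
    the size of the classic diceware list). Knowing the list does not help
    the attacker beyond this figure."""
    return num_words * math.log2(wordlist_size)


def mutated_quote_entropy_bits(
    *,
    corpus_size: int,
    num_words: int,
    substitutable_words: int,
    max_exclamations: int,
    digits: int,
) -> float:
    """Kerckhoffs-style estimate: the attacker knows the *scheme* and
    enumerates only the choices inside it. Each term is an independent
    choice, so its log2 adds to the total. The parameters are assumptions:
      corpus_size          - how many well-known quotes the attacker tries
      num_words            - each word is either upper- or lower-cased (1 bit)
      substitutable_words  - each may or may not be swapped for a homophone (1 bit)
      max_exclamations     - run length chosen uniformly from 1..max_exclamations
      digits               - each trailing digit assumed uniformly random
    """
    bits = math.log2(corpus_size)
    bits += num_words
    bits += substitutable_words
    bits += math.log2(max_exclamations)
    bits += digits * math.log2(10)
    return bits


def estimate_sample() -> dict:
    """Run all three estimates on the constructed samples."""
    quote = SAMPLE_QUOTE_PASSWORD
    return {
        "quote_len": len(quote),
        # What a character-set calculator reports for the padded quote.
        "quote_naive_bits": charset_entropy_bits(len(quote)),
        # What it is worth if the attacker models the scheme (assumed parameters).
        "quote_scheme_bits": mutated_quote_entropy_bits(
            corpus_size=2**20,        # ~1M well-known quotes (assumption)
            num_words=10,             # words in "TO be or NOT two be - that is the question"
            substitutable_words=3,    # to/two, be/bee x2 (assumption)
            max_exclamations=20,      # assumption
            digits=10,                # "7872665398"
        ),
        # Five random words from a 7776-word list.
        "diceware_bits": diceware_entropy_bits(len(SAMPLE_DICEWARE.split())),
    }


if __name__ == "__main__":
    for name, value in estimate_sample().items():
        print(f"{name:>18}: {value:.1f}" if isinstance(value, float) else f"{name:>18}: {value}")
```

The point the numbers make is the one raised in the thread: the character-set estimate for the padded quote is an upper bound that holds only against an attacker who knows nothing about how it was built, while the scheme-aware estimate is what the same string is worth once the construction is modelled, and even with generous assumptions it lands in the same range as a five-word random passphrase. The diceware figure, by contrast, does not shrink when the attacker learns the method, because the words really were chosen at random.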

Bitwarden also allows you to generate a random passphrase, which is pretty nice for those situations where you want to be able to manually type in the password.
Bitwarden generates good pass phrases though.
it's about the master password