[nabakin]

You're assuming the average user understands security when that is definitely not the case. The job of Bitwarden is to help all users (even ones ignorant of security) to secure their data. If Bitwarden has no warning explaining that pins are unsecure, then the fault 100% lies with Bitwarden.

[beachy]

Some things fall into the "obvious" category, users should just know them, and it's not 100% on Bitwarden to make the world a safe place.

Is it a good idea to leave your password on a piece of paper under your keyboard? No, and you shouldn't need Bitwarden to tell you that.

Is it a good idea to use your name and date of birth as a password? No, and this should be obvious, not something Bitwarden needs to educate you about.

Is it safe to rely on a 4 digit PIN? Obviously not, when there are only 10000 possible combinations. You shouldn't need Bitwarden to tell you that though.

Are there people out there who do need this education? Of course. But that's a job for someone with infinite patience and understanding. Not some words on a web page from a supplier.

Case in point, my step dad belonged to a "computers for elders" group and one day he learned about antivirus software. Next time I watched him, he was googling for anti virus software and downloading any he could find, from anywhere on the internet. He ended up with 6 different AV packages, some very dubious looking indeed. I tried to explain the dangers but he couldn't understand how antivirus could actually harm his computer. And he was a practicing doctor of medicine before retirement. It really highlighted the challenges of protecting some people in the brave new digital world.

[twblalock]

> Is it safe to rely on a 4 digit PIN? Obviously not, when there are only 10000 possible combinations. You shouldn't need Bitwarden to tell you that though.

Most people really don’t know that. It is not obvious to a normal user.

[brewdad]

I realize math education in the US sucks but are really suggesting most people can’t figure out that 0 to 9999 is all the possibilities you get from 4 digits?

[pyrelight]

You're thinking like an engineer.

I'm confident your average person would understand that a PIN is insecure if it was explained to them.

But think about other things in life that use a PIN -- debit cards, customer support shortcuts, etc. These are things that can't or typically won't be brute forced and are deemed as "secure enough" in our world.

Your average person has no idea how a 2FA token is generated, but they know it's just a few numbers that they have to enter on various websites and apps, and those numbers resemble a PIN. Yet another reinforcement that just a few numbers keeps things secure.

If you walk a user through software setup, and at some point they need to provide a complex master password, they would never automatically assume that being presented with an option to use a PIN would remove the security provided by a complex master password.

Only if they were to think it through, or have someone who thinks analytically, would they understand that in this scenario, given that it's Internet-accessible software, a PIN could be brute forced in no time unlike their debit card or any other PIN they may need to use in the course of their day to day life.

[twblalock]

Yes, most people cannot figure that out, but also it would not occur to most people to consider that when opting for a PIN over a password.

[GeorgeDewar]

One could get into a long debate about whether "most" is literally true or not, but I think most of us should be able to agree that at least a significant proportion of people - enough to matter - either won't or can't think of this without some prompting.

[_flux]

Well, a person once asked me why they need to use a bank card in the ATM, when it already asks for the PIN.

[fomine3]

Average user: Bank card requires 4 digits PIN, so it must be safe

[userbinator]

Is it a good idea to leave your password on a piece of paper under your keyboard? No, and you shouldn't need Bitwarden to tell you that.

Yes it is, if your threat model excludes physical access; and in that case, it's probably more secure than anything software can do.

[lxgr]

> Some things fall into the "obvious" category, users should just know them, and it's not 100% on Bitwarden to make the world a safe place.

It‘s 100% their job to make passwords a safer system.

As an advanced user, I can look up whether the PIN is tangled to a server-side limit or a TPM (or equivalent) for maximum attempts enforcement.

Most users don‘t even know these things exist or how to look for them. That‘s arguably nothing they should have to worry about, though.

[Thorrez]

>Is it safe to rely on a 4 digit PIN? Obviously not, when there are only 10000 possible combinations. You shouldn't need Bitwarden to tell you that though.

Normal users see that Bitwarden blocks you after 5 guesses, therefore an attacker will never get past all 10000 guesses. They won't realize that this block is easily evadable.

[halayli]

It's a bit of a stretch to label Bitwarden users as average user. Average users don't know about password managers beyond whatever their browser supports.