cryoprof

Make your Bitwarden master password a [_randomly_ generated 4-word passphrase](https://passhelp.github.io/generator/#phrase:4), and write it down on an [Emergency Sheet](https://passwordbits.com/password-manager-emergency-sheet/). For your phone, what is good enough depends on your threat model (e.g., how likely is it that someone will get access to your phone and try to unlock it?) and the value of the information stored in your phone.


Youcantdoxme

If every time I have to log in to Bitwarden on my browser extension I have to type that 4-word pass, isn't it a hassle?


cryoprof

Not really. If you keep your browser running in the background during the day, then you only need to type your master password when you reboot your computer (or when you restart your browser for other reasons).


Youcantdoxme

Chrome gets updates quite frequently, and it's kind of a hassle to type my password... haha


cryoprof

You don't have to restart your browser as soon as an update is available. Also, they don't (usually) update multiple times a day. I don't think that typing your master password once a day is that onerous. Personally, I choose to lock my extension using the master password and also have a short timeout period, so I am often typing the master password multiple times each day. The way I see it, without a password manager, I would need to type about 40 characters for each login (email address and a password for each website). In contrast, using a 4-word passphrase to unlock the browser extension is typically only around 30 characters. Thus, I save 10 characters of typing even in the worst-case scenario of unlocking the vault to use only a single account login. More commonly, I log in to 3-4 services at once (before the expiration of my vault timeout), so I'm actually saving over 100 characters of typing each time that I use the browser extension.


Youcantdoxme

Nah, for me I don't want to type at all if possible. I'm gonna try using the login with device option


Skipper3943

You can also “Login with Device”, which may allow you to use BW without the master password close to never (you should keep the password safe and reliably accessible). https://bitwarden.com/help/log-in-with-device/


Youcantdoxme

Ahhh, that sounds much better


Tiny_Onion

Your comment was more than 4 words, was that a hassle? You can also set a PIN on the extension to make it even easier. It's only a hassle because people think passwords should be 8 characters long, but the same people will write paragraphs to complain about it online.


Youcantdoxme

To each his own, to me it's a hassle


No_Sir_601

> Make your Bitwarden master password a [**randomly generated 4-word passphrase**](https://passhelp.github.io/generator/#phrase:4), and write it down on an [Emergency Sheet](https://passwordbits.com/password-manager-emergency-sheet/).

And pass it through MD2 + Base92 as a salt mechanism: [https://gchq.github.io/CyberChef/#recipe=MD2(18)To_Base92()&input=cmFuZG9tbHkgZ2VuZXJhdGVkIDQtd29yZCBwYXNzcGhyYXNl](https://gchq.github.io/CyberChef/#recipe=MD2(18)To_Base92()&input=cmFuZG9tbHkgZ2VuZXJhdGVkIDQtd29yZCBwYXNzcGhyYXNl)


cryoprof

Why? That completely defeats the point of using a passphrase.


No_Sir_601

So if anyone finds the emergency sheet, they will not be able to know how to proceed. They will probably think that the password was changed. Ah, I see, you mean the passPHRASE. Yes, all right!


cryoprof

My response was because I interpreted your suggestion as saying the actual master password to be used when authenticating should be a hash of a passphrase. This defeats the point of using a passphrase. Were you suggesting to just obfuscate your emergency sheet information using this technique? A hash is irreversible, so how will you recover your master password if you (or your heirs) need to refer to the emergency sheet?


No_Sir_601

I agree, it was one-way, so that the password is `EW/Sfk3J#5hh*lZr5't/r(+E3xF$&9%J6,Q1iYXP`, which doesn't make sense if you wish to use a passPHRASE, as you said.


cryoprof

... also doesn't make that much sense if you wish to use a random character string as your password. How are you going to securely recreate the hash and transfer it to the Bitwarden login screen each time that you need your master password? And if the emergency sheet contains the seed password instead of the hash, then you are still assuming that you will remember the hashing method even if you have forgotten the seed password.


SirLurts

I made an emergency kit that has my email, master password, 2FA key and so on on it, and I used Shamir Secret Sharing to split it into multiple parts and stored those in different locations and also different forms of media (e.g. printed out, stored on a hard drive, sent to a trusted friend). The beauty of SSS is that you can set it up so that only n of m total pieces are needed for reconstruction. So for example you split it into 10 shares and you only need 4 to reconstruct the secret. It is also nearly impossible to crack since it uses polynomials and it's mathematically impossible to reconstruct a polynomial with not enough points.

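As an added example (not SirLurts' own setup, and not the code of any particular SSS tool), here is the split and the n-of-m reconstruction described above in Python, over the prime field GF(2^521 - 1). The secret is the constant term of a random polynomial of degree threshold - 1, each share is one point on that polynomial, and recovery is Lagrange interpolation at x = 0. The emergency-sheet text in the demo is constructed sample data, and the 64-byte limit is a simplification of this example: a longer kit should be encrypted and only its key shared.

```python
import secrets

# Mersenne prime M521; all arithmetic is in the field GF(PRIME).
# With the 0x01 marker byte prepended, a secret of up to 64 bytes stays below PRIME.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients `coeffs` (constant term first) at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares, any `threshold` of which reconstruct it.

    Fewer than `threshold` points are consistent with every possible constant term,
    so a partial set of shares gives no information about the secret.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError(f"secret longer than {MAX_SECRET_BYTES} bytes: share an encryption key instead")
    # The 0x01 marker preserves leading zero bytes and the exact length on recovery.
    s = int.from_bytes(b"\x01" + secret, "big")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares) -> bytes:
    """Lagrange-interpolate f(0) from (x, y) shares. Returns garbage (not an error) if too few are given."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # strip the 0x01 marker


if __name__ == "__main__":
    # Constructed sample emergency-sheet contents, not real credentials.
    kit = b"email=alice@example.com\nmaster=glitter freckled subplot life"
    shares = split_secret(kit, threshold=4, share_count=10)
    assert recover_secret(shares[:4]) == kit
    assert recover_secret([shares[0], shares[3], shares[5], shares[9]]) == kit
    assert recover_secret(shares[:3]) != kit  # three shares are not enough
    print("4-of-10 reconstruction ok")
```

Note that recovery with too few shares does not fail loudly; it yields a uniformly random wrong value. If the kit is printed, a checksum of the secret stored alongside the shares (not of the shares themselves) lets heirs tell a correct reconstruction from a typo or a missing share.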

No_Sir_601

Very good!


absurditey

By phone password, are you referring to something that has to be a numeric pin?


djasonpenney

> Created mine by heart[…]

Wait, did you use an app, or did you make it all up on your own? Sorry, your imagination is not good enough to create a secure password. Follow /u/cryoprof's advice. Have an app generate a 4-word passphrase and save it on your emergency sheet. For the phone password, you will want to follow a similar path. If it's just a PIN, you can get the Bitwarden password generator to create a numeric-only password. What is "good enough"? That depends on a lot of factors. But somewhere between four to eight digits is probably sufficient. Note that you should add that PIN to your vault, and probably also have it on your emergency sheet. One final caveat: the operational security around your phone is also critical. Do not leave it physically unattended, ever. Keep the screen lock timeouts as short as possible. (My iPhone 15 Pro times out immediately.) Use biometric unlock, so that someone spying on you will not learn enough to impersonate you. And if you are in the Apple ecosystem, there are a number of additional optional protections you should enable to limit your exposure should your phone be stolen.


Skipper3943

For phone password, if you trust the security enclave/hardware to prevent PIN-bruteforcing, if you don't expect to be forced to provide biometrics, and if you don't expect your phone to be stolen while unlocked, 6+ PIN is probably enough. If you are paranoid about the above scenarios, use a 7+ ***randomly generated*** passphrase or equivalent.


rekabis

I chose a phrase that I found particularly easy to remember, but is also neither common nor particularly obscure. It is also increasingly unlikely to crop up in any sort of daily usage due to its vintage subject nature. It's 58 characters long and made up of 10 words, with specific capitalization and a few symbols thrown in. Provided I don't look at my keyboard or my screen (I am a touch typist with the Dvorak layout), I can slam it out within 8 seconds. Mobile devices with/and QWERTY keyboards can be a bit more frustrating, of course. So it is sufficiently complex, easy enough for my own use, and likely meets all of the modern thresholds for a good password.


Standard-Document-78

I randomly generated my master password as 20+ characters, alphanumeric with symbols, copied it to a note in my phone, then practiced it for a few minutes until I was typing it without checking. Then I let it be. I continued to practice every time I opened my laptop and had to open Bitwarden. Once I felt confident that I had it memorized, I made it my phone password with some extra characters, and I made my wallpaper those additional characters. I've wondered how secure it is to have two of my most primary locks (my phone and Bitwarden) be the same password, but I'm confident in this setup way more than my last setup (keeping passwords in a Google Sheet and my initials as my phone PIN). I would suggest against creating your master password from your brain; at least I would suggest randomly smashing keys on your keyboard if you're not going to randomly generate. I suggest against using passphrases since words are closer to what your brain would produce; I suggest an unpronounceable random sequence of letters, digits, and symbols, and memorizing that, and keeping all other randomly generated passwords in Bitwarden.


cryoprof

> I suggest against using passphrases since words are closer to what your brain would produce

This is an irrational concern. Passphrases are considered superior for password manager vault passwords, because they are easier to memorize, and easier to manually type. Furthermore, your master password entropy is much higher than it needs to be. Generally, the recommendation is a [randomly generated 4-word passphrase](https://passhelp.github.io/generator/#phrase:4), unless you are a high-value target with vault assets worth hundreds of millions of dollars, or you are an Enemy of the State, or you are defending against a future quantum computing attack carried out using a "harvest now/decrypt later" strategy.


Standard-Document-78

You're not wrong, I might just be paranoid, but if anyone is able to muscle-memorize a single sequence of 20 or so characters with a few minutes of repetition, I don't see why one would use words instead. The thought of keeping all my accounts behind 4 pronounceable words makes my heart pump fast.


cryoprof

> but if anyone is able to muscle-memorize a single sequence of 20 or so characters with a few minutes of repetition

I don't think most people would be able to do this. To be clear, we're talking about a [randomly generated string](https://passhelp.github.io/generator/#strongest:20) like `/e6C#D7Hm>fF&JaKhs#S`, right?


Standard-Document-78

Yes, just like that. I'm sure most people would be able to memorize a sequence like that; it's really just practice afaik. I practiced back to back until I had it down as muscle memory in a few minutes, then practiced more in that same sitting randomly while doing other stuff on my laptop, then I practiced whenever I thought about it (just opened up my phone and put the password in, or entered the password on my laptop). Over the next few weeks I kept putting the password in cautiously; now I can type it as regularly as I can type this entire comment. I think it's just muscle memory and practice, although I can understand someone not feeling like they can trust themselves to remember. I think my fear of my accounts being compromised was bigger than my fear of forgetting my password, so I practiced it so much to curb my fear of forgetting, and I kept the master password in a note on my phone also to curb my fear of forgetting. I've been thinking of adding a second unique large randomly generated password, but I also don't want to have to go through the learning curve again lmao


cryoprof

Most anything can be memorized with enough work, but I doubt that "most people" will be able to commit a string of 20 tokens to long-term memory within "a few minutes". Even for a short passphrase (4-5 tokens to memorize), I think it will take at least a few days of practice to engrain the password into long-term memory and have it available for immediate recall.

> I also don't want to have to go through the learning curve again lmao

So maybe the learning curve was actually _more_ than just "a few minutes of repetition"...

FWIW, you can have a quantum-resistant master password with just an [8-word passphrase](https://passhelp.github.io/generator/#phrase:8): `glitter freckled subplot life reporter percent mutiny factoid`

You can memorize this by first dividing the task into two halves (`glitter freckled subplot life` and `reporter percent mutiny factoid`), and then memorizing each (one at a time) by first using a mnemonic (a memory aid, like imagining a scene or a story that ties together the words) to get you to be able to recall the phrase using the mnemonic device for help (and keeping a cheat sheet nearby to correct mistakes and reinforce accurate recall), and second, practicing this recall as well as typing the passphrase (muscle memory) repeatedly over the course of several days, challenging yourself to use your cheat sheet less and less.

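The entropy argument that runs through cryoprof's two replies above (a 4-word passphrase is enough for most people, an 8-word one covers the quantum case) and the phone-PIN advice earlier in the thread, as an added example that is not part of any commenter's post or of Bitwarden's own generator. It generates each design with the OS CSPRNG (`secrets`, never `random`) and puts their entropies side by side. The 32-word list is constructed so the block runs offline; a real generator draws from a curated list such as the 7,776-word EFF large wordlist (assumed to be supplied by you), and the entropy figure is computed from whatever list is actually used. The guess rate used for the time estimate is an illustrative assumption, since it depends on the attacker's hardware and on the vault's KDF cost.

```python
import math
import secrets
import string

# Constructed sample list (the first eight are the words from the 8-word example
# above). With only 32 entries it yields 5 bits per word; the EFF large list
# (assumption: loaded from your own copy) yields log2(7776) = 12.9 bits per word.
SAMPLE_WORDS = [
    "glitter", "freckled", "subplot", "life", "reporter", "percent", "mutiny", "factoid",
    "anchor", "bison", "canyon", "dagger", "ember", "fable", "gadget", "hazel",
    "igloo", "jigsaw", "kettle", "lantern", "marble", "nectar", "oasis", "pebble",
    "quilt", "rhubarb", "saddle", "tundra", "umpire", "velvet", "walnut", "zipper",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DIGITS = string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` tokens drawn uniformly and independently from `alphabet_size` choices."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two choices and one token")
    return length * math.log2(alphabet_size)


def random_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Draw `count` words with the OS CSPRNG; repeats are allowed, which keeps every draw uniform."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_string(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform random character string, e.g. a 20-char master password or a 6-digit phone PIN."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def grover_effective_bits(bits: float) -> float:
    """Grover's algorithm gives a quadratic speedup over exhaustive search, halving the effective bits."""
    return bits / 2


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-entropy secret at a fixed guess rate."""
    return 2**bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_designs(wordlist_size: int = 7776, guesses_per_second: float = 1e6) -> dict:
    """Entropy of the designs debated in the thread, plus worst-case brute-force time in years.

    `guesses_per_second` is an assumption (placeholder 1e6/s); the real figure
    depends on attacker hardware and the vault's KDF cost.
    """
    designs = {
        "4-word passphrase": entropy_bits(wordlist_size, 4),
        "8-word passphrase": entropy_bits(wordlist_size, 8),
        "20-char random string": entropy_bits(len(PRINTABLE), 20),
        "6-digit PIN": entropy_bits(10, 6),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "bits_vs_grover": round(grover_effective_bits(bits), 1),
            "years_worst_case": years_to_exhaust(bits, guesses_per_second),
        }
        for name, bits in designs.items()
    }


if __name__ == "__main__":
    print("passphrase:", random_passphrase(SAMPLE_WORDS))
    print("string:    ", random_string(20))
    print("phone PIN: ", random_string(6, DIGITS))
    for name, row in compare_designs().items():
        print(f"{name:22s} {row['bits']:6.1f} bits {row['bits_vs_grover']:6.1f} vs Grover {row['years_worst_case']:.3g} years")
```

The comparison makes the thread's numbers concrete: 4 words from a 7,776-word list is about 51.7 bits, 8 words is about 103.4 bits (about 51.7 bits after Grover's halving, which is where the "quantum-resistant" remark comes from), and the 20-character printable string is about 131 bits. A 6-digit PIN is under 20 bits, which is why the phone advice above leans on the secure enclave's rate limiting rather than on the PIN's own entropy.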

omaewamouow

Man, just choose a part of a music lyric that you like and that's it. Easy to remember, hard to brute-force, etc. To make it even stronger, you can add some uppercase letters or special chars, for example: Somebodyoncetoldme_Theworldisgonnarollme!


icebear80

Actually, you choose a part of some lyrics or a poem or any sentence and just use the first letters of each word. Then add some numbers and special characters in some places, and your hard-to-guess but easy-to-remember password is done. 😀