Password strength is a very confusing concept, as has been shown very clearly in the discussion around the #LastPass breach and #Bitwarden flaws. I tried to make it as easy to understand as possible, not sure whether I succeeded.

https://palant.info/2023/01/30/password-strength-explained/

TL;DR:
· Password managers are a single point of failure, so their master password has to be strong.
· What looks strong to you isn’t necessarily a strong password.
· Long passwords aren’t necessarily strong. Case in point: “choose a phrase from a song.”
· I suspect that almost all real-world passwords have less than 35 bits of entropy. Especially with zxcvbn considering 33 bits as “strong” and even password manager vendors not questioning that.
· AFAIK the only realistic way to get a strong password is generating it randomly.
· Diceware is a good way to generate passwords that are both secure and rememberable.
· “Regular” people don’t need more than four words (using a word list for five dice). Valuable targets need five words for better protection, someone who could become a target of a state-level actor should be safe with six words.

Password strength explained

I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.

Almost Secure
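The entropy figures behind the TL;DR (35 bits as the realistic ceiling for human-chosen passwords, four to six Diceware words) follow from one formula: a passphrase of n words picked uniformly from a list of N words has log2(N^n) = n·log2(N) bits. The script below is an added example and not code from the post or the linked article; it uses the standard Diceware list size of 6^5 = 7776 words (five dice per word) and a tiny constructed stand-in word list so that it runs offline, and it draws words with `secrets` so the selection is actually random rather than chosen by a person.

```python
import math
import secrets

# Standard Diceware: each word is selected by five dice rolls, so the list has
# 6 ** 5 = 7776 equally likely entries.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in for a real word list (a real one has 7776 entries).
# It only exists so the generator below can run offline; its small size also
# shows how entropy collapses when the list is short.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "lamp", "forest", "zebra", "pencil"]


def passphrase_entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Bits of entropy for word_count words drawn uniformly, with replacement,
    from a list of list_size entries: log2(list_size ** word_count)."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word and at least two list entries")
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_guesses(bits):
    """Average number of guesses an attacker needs when trying the whole
    keyspace in random order: half of 2 ** bits."""
    return 2 ** (bits - 1)


def generate_passphrase(word_count, words=SAMPLE_WORDS, separator=" "):
    """Pick word_count words with a CSPRNG. Only a random choice earns the
    entropy computed above; a phrase a human picks from a song does not."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def strength_table(list_size=DICEWARE_LIST_SIZE, max_words=6):
    """Entropy for 1..max_words words from a list of list_size entries."""
    return {n: round(passphrase_entropy_bits(n, list_size), 1) for n in range(1, max_words + 1)}


if __name__ == "__main__":
    for n, bits in strength_table().items():
        print(f"{n} Diceware words: {bits:5.1f} bits, ~2^{bits - 1:.1f} expected guesses")
    print("words to beat 35 bits:", words_needed(35))
    # Entropy from the constructed 8-word list: only 3 bits per word.
    print("4 words from the sample list:", passphrase_entropy_bits(4, len(SAMPLE_WORDS)), "bits")
    print("sample passphrase:", generate_passphrase(4))
```

Running it shows why the post's word counts are where they are: four words give about 51.7 bits, five about 64.6, six about 77.5, all well above the 35-bit level the author expects almost every real-world password to fall under, and three words (38.8 bits) are already enough to clear it. The same function with the eight-entry sample list yields just 12 bits for four words, which is the practical warning: a passphrase is only as strong as the size of the list it is drawn from and the randomness of the draw.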
@WPalant what happened with Bitwarden?
@breadandwater Nothing yet. And hopefully they will fix the issues, so that it will stay this way. https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/
Bitwarden design flaw: Server side iterations

Bitwarden is a hot candidate for a LastPass replacement. Looking into how they encrypt data, it doesn’t do things that much better however.

Almost Secure