🌐
Bitwarden
bitwarden.com › password-strength
Password Tester | Test Your Password Strength | Bitwarden
An 8-character password will take anywhere from a few minutes to a couple of hours to crack, while a 16-character password will take a hacker a billion years to crack. ❌ DON’T use passwords with fewer than 14 characters.
🌐
Bitwarden
bitwarden.com › password-security-checker
Password Security Checker: Everything You Need to Know | Bitwarden
As depicted in the password strength test chart, the greater the password’s length, complexity, and randomness, the stronger it is. To objectively calculate the strength, security checkers award points to longer passwords and those that use a full combination of symbols, numbers, and uppercase and lowercase letters.
Discussions

A live password strength tester - Password Manager - Bitwarden Community Forums
Bitwarden introduce a built-in password strength meter that dynamically shows the strength of any password when viewed, edited, or created in the vault. The password strength meter will provide real-time feedback, rating passwords as weak, fair, strong, or very strong. More on community.bitwarden.com
🌐 community.bitwarden.com
1
May 3, 2025
👂Tell us your thoughts about the Password Strength Testing Tool
Feature Request: Show password strength (zxcvbn) under Password Generator and Password Fields Shouldn’t even have to paste a password into a website to see this info. Just sayin…. More on reddit.com
🌐 r/Bitwarden
9
16
June 7, 2022
🌐
Bitwarden
bitwarden.com › blog › how long should a password be?
How long should a password be? | Bitwarden
Bitwarden Password Manager can auto-generate and securely store complex passwords up to 128 characters. If you need an even longer password or an SSH key, those can be stored in a Custom Field or a Secure Note.
🌐
Bitwarden
bitwarden.com › how-secure-is-my-password
How Secure is my Password | Bitwarden
Here’s the simple equation: longer passwords are more secure. NIST describes password length as the most critical element to strengthening your passwords and protecting your private data.
🌐
Bitwarden
bitwarden.com › blog › how strong is my password?
How strong is my password? | Bitwarden
June 20, 2023 - This tool gauges how long it might take to crack your password by testing it against known criteria such as length, randomness, and complexity. Using the password strength tester will give you a quick answer to the question “how strong is ...
🌐
Bitwarden
bitwarden.com › blog › the most effective strategy for achieving password strength
The most effective strategy for achieving password strength | Bitwarden
December 26, 2023 - Password Strength Testing Tool. Upon entering in an existing password, the user will be given an assessment of that password (very weak, weak, average, strong, very strong, etc) and the estimated time it would take to crack it. A user could feasibly test each and every one of their passwords to ensure they are meeting the requirements for “strong” or “very strong”. Or, they could use the Bitwarden Strong Password Generator in conjunction with the Bitwarden Password Strength Testing Tool.
🌐
Reddit
reddit.com › r/bitwarden › bitwarden password strength tester
r/Bitwarden on Reddit: Bitwarden Password Strength Tester
September 18, 2022 -

In light of the recent LastPass breach I looked at different strength test websites to see how long a password would hold up under an offline brute-force attack.

The password I tried was: Aband0nedFairgr0und

This is a 19-character password with a combination of uppercase/lowercase/numbers. Granted, there are no special characters.

I went to 5 different password strength sites and they all give me wildly different results for how long it would take to crack.

https://www.security.org/how-secure-is-my-password/ 9 quadrillion years
https://delinea.com/resources/password-strength-checker 36 quadrillion years
https://password.kaspersky.com/ 4 months
https://bitwarden.com/password-strength/ 1 day

As you can see the results are all over the place!

Why is the Bitwarden result so low, and if the attacker had zero knowledge of the password, is it feasible to take an average of the different results and assume that password is stronger than 1 day?

PS: Don't worry, Aband0nedFairgr0und is not a password I use and was made up as a test.

Top answer
1 of 5
63
The other explanations here are true but maybe this will clarify why. Bad password checkers assume a cracking program will guess, in order: a, b, c, … aa, ab, ac, ad, … and so on forever. Good password strength checkers calculate entropy (~randomness) with the assumption of common reasonable wordlists and standard variations on those words, in addition to gibberish character strings. Password cracking tools don’t tend to guess every single random string of characters from shortest to longest, since many people are more likely to choose real words or variations of words. So, for example, “eggplan” is actually a stronger password than “eggplant” despite having fewer characters. They’re both awful, but any decent password cracking tool will guess a word a human is more likely to choose first (vs egg + plan, two unusual words to combine). “eggplan” will even take longer to crack than “eggpl@nt” because a→@ is such a common substitution for humans trying to strengthen their passwords that password cracking tools will likely try it first. Extending to longer sequences, 3-6 memorable unmodified words chosen randomly from very long lists will usually be both more memorable and harder to crack than 2-3 words with symbols inserted. Edit to add: the best way to get a sense of how this works in practice is here: https://lowe.github.io/tryzxcvbn/
2 of 5
33
Bitwarden.com uses zxcvbn to calculate the time-to-crack. You can try it online at https://lowe.github.io/tryzxcvbn/ and it'll tell how it arrived at a time of 1 day.
🌐
Bitwarden
bitwarden.com › password-generator
Free Password Generator | Create Strong Passwords and Passphrases | Bitwarden
Easy and secure password generator that's completely free and safe to use. Generate strong passwords and passphrases for every online account with the strong Bitwarden password generator, and get the latest best practices on how to maintain password security and privacy online.
🌐
Bitwarden
bitwarden.com
Best Password Manager for Business, Enterprise & Personal | Bitwarden
Generate, save, and autofill strong passwords for all your accounts with ease. Organize credentials in a centralized business vault with robust administrative tools. Open source transparency, third party audited, and community-reviewed. ... International compliance standards Bitwarden meets or exceeds privacy and security standards.
🌐
Reddit
reddit.com › r/bitwarden › question about the bw password strength tester
r/Bitwarden on Reddit: Question about the BW password strength tester
March 17, 2023 -

Basically, it seems to award very short passphrases too much strength.

I've built a spreadsheet to test entropy of each password/passphrase and have believed it's best to stay above 78 bits of entropy, I suppose based upon recommendations of the Diceware web page, from perhaps 1995:

We recommend a minimum of six words for use with GPG, wireless security and file encryption programs. A seven, eight or nine word passphrase is recommended for high value uses such as whole disk encryption, BitCoin, and the like. For more information, see the Diceware FAQ.

From this I inferred six-word passphrases were the basic minimum, with longer phrases up to 10, depending upon need. Six words gives me 77 bits of entropy (based upon a 7700-word dictionary).

Now to the BW Password Strength Testing Tool (PSTT): It shows a two-word passphrase, "blissful-harmony" as good! Then it also says it would take one day to crack! Something's wrong here. FWIW, a two-word passphrase yields 25 bits of entropy. Add one more word to the phrase: "blissful-harmony-update" and the tester gives it a "Strong" rating that will take centuries to crack with 38 bits of entropy. Neither seems overpowering or even adequate.

The PSTT appears to have dissociated "strength" and "entropy," and I don't understand why.

I did read through the zxcvbn link on the PSTT page, and the following may bear upon the issue:

By disregarding the "configuration entropy" — the entropy from the number and arrangement of the pieces — zxcvbn is purposely underestimating, by giving a password's structure away for free: It assumes attackers already know the structure (for example, surname-bruteforce-keypad), and from there, it calculates how many guesses they'd need to iterate through.

There's also the encryption methods, including the Key Derivation Function that will slow down the number of guesses a hacker can make in any unit of time; that can help, as can Multi-Factor Authentication (MFA).

Still, worst case, as LastPass users discovered, MFA doesn't help the Vault owner if a hacker has it in front of him and doesn't have to go through online protection schemes.

So, is a short passphrase strength betting on a hacker not knowing the structure of password/passphrase or am I missing something?

Top answer
1 of 5
28
The problem with password strength testing tools like Bitwarden's is the fact that they don't know anything about how the password was generated. All they know is the end result. It's kind of like telling the tool "I rolled a 3" without telling it if the die is a d4, d6, d8, d10, d12, or d20. To answer your question directly, password cracking is more art than science. Experienced password crackers will leverage existing cracked password lists to chase after the low hanging fruit first. They'll apply some masks to alter passwords found in the list, such as making the first character uppercase or appending special characters, but by and large, they're doing everything they can to avoid brute forcing.
2 of 5
6
It shows a two-word passphrase, "blissful-harmony" as good! Then it also says it would take one day to crack! Something's wrong here. Yes, Bitwarden's password strength tester (zxcvbn), while better than many alternatives, often produces misleading results. In the example above, it overestimates the entropy (it estimates 30 bits of entropy, because it does not know about the EFF Word List used by Bitwarden, and one of the words is very uncommon — blissful is ranked 11,413 in the "US TV and Film" dictionary used by zxcvbn for this word). On the other hand, zxcvbn estimates time to crack using hash rates that are outdated (it has four different speed options, but Bitwarden's strength tool uses the third option, which assumes 10,000 guesses per second). Thus: (2^30 guesses)/(10,000 guesses/second)/(86,400 seconds/day) = 1.2 days. You can learn more about how the zxcvbn tool works using this demo page: https://lowe.github.io/tryzxcvbn/
🌐
Bitwarden
community.bitwarden.com › user research › user studies
Do you use password strength indicators? Complete this survey! - #4 by grb - User Studies - Bitwarden Community Forums
January 27, 2024 - @dflinn Thank you for taking the time to respond. I hope that you (and anybody else involved in the development of this feature) will read the discussion that I linked above, and take it to heart. The zxcvbn tool currently used by Bitwarden is slightly more sophisticated than some other calculators out there, but all such tools (tools based on analysis of user-supplied passwords) are fundamentally invalid, and will more frequently than not produce misleading results.
🌐
X
x.com › Bitwarden › status › 1757103278062555267
Bitwarden - X
Think you have strong #passwords? Put it to the test with the password strength tool: https://btwrdn.com/42ArcKw
🌐
Bitwarden
bitwarden.com › blog › how to determine your password health
How to determine your password health | Bitwarden
July 5, 2023 - And since we’re focusing on the importance of generating strong passwords, here’s another tip: with the Bitwarden password generator, users can create complex passwords or passphrases that keep information safe, such as “overfill-syndrome-stew-whoopee-cancel” or “7uQJHeWjaxiUHf”. These passwords or passphrases can then get copied directly into the Bitwarden vault. ... Users who feel relatively confident about the strength of the passwords - and those that do not - can also leverage the Bitwarden password strength testing tool.
🌐
University of Wisconsin
it.wisc.edu › home › it news › a secure password is as easy as one_two_three
A secure password is as easy as one_two_three
June 19, 2025 - They’re long and simple, making them easy to remember but harder to crack than typical passwords. A good passphrase could be a random thought or a favorite saying. For example: According to Bitwarden, the passphrase sometimes_i_think_about_the_stars could take centuries to crack.
🌐
Bitwarden
bitwarden.com › blog › how to test the strength of your passwords in 2022
How to Test the Strength of Your Passwords in 2022 | Bitwarden
Strong passwords can be randomly generated for free and automatically using the Bitwarden Strong Password Generator, now available for public use on our website. With this free tool, you can generate random passwords based on the guidelines you define for each of your online accounts. As pictured below, you can customize the password generator settings, then evaluate your password strength score and the estimated time it would take for a hacker to crack it.
🌐
Bitwarden
bitwarden.com › blog › picking the right password for your password manager
Picking the right password for your password manager | Bitwarden
February 9, 2022 - Bitwarden recommends a strong and unique master password that users only employ for Bitwarden and nothing else. It is imperative that your master password be something that has never been used elsewhere. You can test your master password strength with the Bitwarden Password Strength Tester.
🌐
Tech.co
tech.co › home › cybersecurity
How To Test Your Password Strength for Free - Tech.co
January 3, 2024 - Find out precisely how long it'll take a hacker to crack a password as long - and as complex - as yours.
🌐
Wikipedia
en.wikipedia.org › wiki › Password_strength
Password strength - Wikipedia
3 weeks ago - Password strength is specified by the amount of information entropy, which is measured in shannon (Sh) and is a concept from information theory. It can be regarded as the minimum number of bits necessary to hold the information in a password of a given type...