bitwarden password tester crack

... A password strength tester gauges how long it might hypothetically take to crack your password by testing the password against a set of known criteria–such as length, randomness, and complexity.

reddit.com › r/bitwarden › bitwarden password strength tester

r/Bitwarden on Reddit: Bitwarden Password Strength Tester

September 18, 2022 -

In light of the recent LastPass breech I looked at different strength test websites to see how long a password would hold up under a offline brute-force attack.

The password I tried was: Aband0nedFairgr0und

This is a a 19 character password with a combination of uppercase/lowercase/numbers. Granted, there is no special characters.

I went to 5 different password strength sites and they all give me wildly different results for how long it would take to crack.

https://www.security.org/how-secure-is-my-password/	9 quadrillion years
https://delinea.com/resources/password-strength-checker	36 quadrillion years
https://password.kaspersky.com/	4 months
https://bitwarden.com/password-strength/	1 day

As you can see the results are all over the place!

Why is the Bitwarden result so low and if the attacker had zero knowledge of the password, is it feasible to take an average of the diufferent results and assume that password is sronger that 1 day?

PS: Dont worry, Aband0nedFairgr0und is not a password I use and was made up as a test.

Top answer

1 of 5

The other explanations here are true but maybe this will clarify why. Bad password checkers assume a cracking program will guess, in order: a, b, c, … aa, ab, ac, ad, … and so on forever. Good password strength checkers calculate entropy (~randomness) with the assumption of common reasonable wordlists and standard variations on those words, in addition to gibberish character strings. Password cracking tools don’t tend to guess every single random string of characters from shortest to longest, since many people are more likely to choose real words or variations of words. So, for example, “eggplan” is actually a stronger password than “eggplant” despite having fewer characters. They’re both awful, but any decent password cracking tool will guess a word a human is more likely to choose first (vs egg + plan, two unusual words to combine). “eggplan” will even take longer to crack than “eggpl@nt” because a→@ is such a common substitution for humans trying to strengthen their passwords that password cracking tools will likely try it first. Extending to longer sequences, 3-6 memorable unmodified words chosen randomly from very long lists will usually be both more memorable and harder to crack than 2-3 words with symbols inserted. Edit to add: the best way to get a sense of how this works in practice is here: https://lowe.github.io/tryzxcvbn/

2 of 5

Bitwarden.com uses zxcvbn to calculate the time-to-crack. You can try it online at https://lowe.github.io/tryzxcvbn/ and it'll tell how it arrived at a time of 1 day.

Bitwarden

bitwarden.com › password-security-checker

Password Security Checker: Everything You Need to Know | Bitwarden

In these setups, passwords combine with other user-unique information—a biometric fingerprint, for example, or a one-time code sent to a user's smartphone number or email address. Some setups add CAPTCHA challenges, requiring the user to perform a task that an automated password-cracking bot can’t do, such as clicking on specific items in an image.

reddit.com › r/bitwarden › password strength testing tool strangeness

r/Bitwarden on Reddit: Password Strength Testing Tool Strangeness

June 10, 2024 -

I was playing with Bitwarden's Password Strength Testing Tool and discovered unexpected behavior.

I have a password that I use to login to my personal laptop (thirteen characters with letters, digits and symbols). I use the same password with 2 additional digits appended as my Bitwarden Master password.

When I test the laptop password, the testing tool says "Strong" and "31 years" to crack. Seems good so far. Next, I append an additional digit and the Estimated Time to Crack increases to "centuries" which seems even better.

Then I append one more digit and the Estimated Time to Crack goes DOWN to 57 years. Huh?

Why would the Estimated Time to Crack go down when appending a digit to a password that would take "centuries" to crack? I thought appending more characters to a password would always increase the estimated time to crack.

Am I misunderstanding something?

Top answer

1 of 5

All password "strength" testing tools that work by analyzing a user-entered password example produce invalid results. They are for entertainment purposes only, and should never be relied on to make decisions related to cybersecurity. Bitwarden's tool is no exception. It is based on zxcvbn tool , which is somewhat better than other password testing tools, but can still produce wildly misleading results. In your case, you may have started with something like hge9e3&jg[s19, which the zxcvbn tool cannot match to its inventory of password patterns, so it conservatively estimates that 1013 guesses (a factor of 10× for each character) would be require to crack this password. It also assumes that an attacker would be limited to making 10,000 password guesses per second (which is unrealistic for your laptop password, but could be plausible for your Bitwarden master password). Thus, the cracking time is estimated to be 1 billion seconds, which is 31.7 years. If you now add a digit (e.g., 3) at the end of your password string (hge9e3&jg[s193), then the zxcvbn tool still cannot match the string to any of its password patterns, so it determines the number of required guesses to be 10× higher than before (1014 guesses). Thus, the estimated cracking time is also going to be ten times longer (317 years, a.k.a. "centuries"). If you now add one more digit (e.g., 4) at the end of the previous string (hge9e3&jg[s1934), then something interesting happens. In this case, the zxcvbn tool recognizes the pattern 1934 as a recent calendar year, a pattern commonly found in passwords. The zxcvbn algorithm therefore estimates that it would take at most 90 guesses to come up with the 1934 pattern by working backwards from 2024 (as opposed to its standard estimate of 10,000 guesses for a 4-character sequence with no recognized pattern). Therefore, the password is now parsed as a random 11-character string (hge9e3&jg[s, requiring 1011 guesses) followed by a 4-character year pattern (1934, requiring 90 guesses). The tool then applies a fudge factor of 2×, coming up with 1.8×1013 guesses for cracking this longer password. With an assumed guessing speed of 104 guesses/second, the cracking time ends up being 1.8 billion seconds, corresponding to 57 years. Do all of these assumptions seem arbitrary? They are. Can we trust the results? No.

2 of 5

I don’t know how the BW tool works but there are plenty of ways adding a character could potentially decrease entropy. For example: Adding a character means all or part of your password matches an entry on a known leaked password list Adding a letter means all or part of your password matches a dictionary word, eg to over-simplify you could make a case that ‘dictionar’ is a more secure password than ‘dictionary’ Adding a number means all or part of your password matches a common number combination, eg it forms a date, or worse a famous date or a date that’s traceable to your life. Again to over-simplify you could make a case that 0911200 is more secure than 09112001. But it will all depend what the tool is checking for. And these tools are notoriously unreliable. They are trying to predict what a hacker will prioritise which will never be reliable, and they can only do simple checks that can run in under a second.

Bitwarden

community.bitwarden.com › feature requests › password manager

Password Strength Testing Tool, add password iterations - Password Manager - Bitwarden Community Forums

December 18, 2022 - Feature name Add password iteration (PBKDF2) count input text box (accept like “310000”), and output adjustment to “time to crack”. Feature function Augment this page: Take this superficially seemingly OK password, 9W&…

Bitwarden

bitwarden.com › blog › how strong is my password?

How strong is my password? | Bitwarden

This tool gauges how long it might take to crack your password by testing it against known criteria such as length, randomness, and complexity. Using the password strength tester will give ...

reddit.com › r/bitwarden › question about the bw password strength tester

r/Bitwarden on Reddit: Question about the BW password strength tester

March 17, 2023 -

Basically, it seems to award very short passphrases too much strength.

I've built a spreadsheet to test entropy of each password/passphrase and have believed it's best to stay above 78 bits of entropy, I suppose based upon recommendations of the Diceware web page, from perhaps 1995:

We recommend a minimum of six words for use with GPG, wireless security and file encryption programs. A seven, eight or nine word passphrase is recommended for high value uses such as whole disk encryption, BitCoin, and the like. For more information, see the Diceware FAQ.

From this I inferred six-word passphrases were the basic minimum, with longer phrases up to 10, depending upon need. Six words gives me 77 bits of entropy (based upon a 7700-word dictionary).

Now to the BW Password Strength Testing Tool (PSTT): It shows a two-word passphrase, "blissful-harmony" as good! Then it also says it would take one day to crack! Something's wrong here. FWIW, a two-word passphrase yields 25 bits of entropy. Add one more word to the phrase: "blissful-harmony-update" and the tester gives it a "Strong" rating that will take centuries to crack with 38 bits of entropy. Neither seems overpowering or even adequate.

The PSTT appears to have dissociated "strength" and "entropy," and I don't understand why.

I did read through the zxcvbn link on the PSTT page, and the following may bear upon the issue:

By disregarding the "configuration entropy" — the entropy from the number and arrangement of the pieces — zxcvbn is purposely underestimating, by giving a password's structure away for free: It assumes attackers already know the structure (for example, surname-bruteforce-keypad), and from there, it calculates how many guesses they'd need to iterate through.

There's also the encryption methods, including the Key Derivation Function that will slow down the number of guesses a hacker can make in any unit of time; that can help, as can Multi-Factor Authentication (MFA).

Still, worst case, as LastPass users discovered, MFA doesn't help the Vault owner if a hacker has it in front of him and doesn't have to go through online protection schemes.

So, is a short passphrase strength betting on a hacker not knowing the structure of password/passphrase or am I missing something?

Top answer

1 of 5

The problem with password strength testing tools like Bitwarden's is the fact that the don't know anything about how the password was generated. All they know is the end result. It's kind of like telling the tool "I rolled a 3" without telling it if the die is a d4, d6, d8, d10, d12, or d20. To answer your question directly, password cracking is more art than science. Experienced password crackers will leverage existing cracked password lists to chase after the low hanging fruit first. They'll apply some masks to alter passwords found in the list, such as making the first character uppercase or appending special characters, but by and large, they're doing everything they can do avoid brute forcing.

2 of 5

It shows a two-word passphrase, "blissful-harmony" as good! Then it also says it would take one day to crack! Something's wrong here. Yes, Bitwarden's password strength tester (zxcvbn), while better than many alternatives, often produces misleading results. In the example above, it overestimates the entropy (it estimates 30 bits of entropy, because it does not know about the EFF Word List used by Bitwarden, and one of the words is very uncommon — blissful is ranked 11,413 in the "US TV and Film" dictionary used by zxcvbn for this word). On the other hand, zxcvbn estimates time to crack using hash rates that are outdated (it has four different speed options, but Bitwarden's strength tool uses the third option, which assumes 10,000 guesses per second). Thus: (230 guesses)/(10,000 guesses/second)/(86,400 seconds/day) = 1.2 days. You can learn more about how the zxcvbn tool works using this demo page: https://lowe.github.io/tryzxcvbn/

Bitwarden

bitwarden.com › blog › how to test the strength of your passwords in 2022

How to Test the Strength of Your Passwords in 2022 | Bitwarden

Strong passwords can be randomly generated for free and automatically using the Bitwarden Strong Password Generator, now available for public use on our website. With this free tool, you can generate random passwords based on the guidelines you define for each of your online accounts. As pictured below, you can customize the password generator settings, then evaluate your password strength score and the estimated time it would take for a hacker to crack it.

reddit.com › r/bitwarden › password strength testing tool - password from list listed as secure

r/Bitwarden on Reddit: Password Strength Testing Tool - password from list listed as secure

September 17, 2024 -

Hi! Tested one of my old cracked password with the bitwarden Password strength testing tool and it was shown as secure. So I tested it with one of the password that I thought look at least kind of good from a rockyou-list: "arisdwiwanto070606" (https://raw.githubusercontent.com/josuamarcelc/common-password-list/refs/heads/main/rockyou.txt/rockyou_2.txt) with the result that it was a strong password.

According to HaveIBeenPwnd the password has been seen one time before.

Is there any reason why Bitwarden does not check for any new password lists as well when telling the user about the password strength (zxcvbn seems to have a 9 years old password list, https://github.com/dropbox/zxcvbn/tree/master/data) or do I miss something?

Top answer

1 of 5

Don’t use password strength testers… that’s what you missed. They just look for characteristics like length and characters used and aren’t really a good measure of how secure a password is.

2 of 5

A password “strength tester” attempts to verify the complexity of a password based on its form. They are all garbage, including the one Bitwarden offers. The only way to properly assess the strength of a password is by analyzing the app that generated it. No single password by itself can give you a good measure. You are wondering about whether a password has been breached. This is independent of its strength. The Bitwarden premium subscription offers such an assessment based on https://haveibeenpwned.com . I have seen this report on the web portal. There is also a validation button in the new mobile app, but I am not 100% certain that is yet wired into HIBP.

Bitwarden

bitwarden.com › password-generator

Free Password Generator | Create Strong Passwords and Passphrases | Bitwarden

The good news is that a strong password generator does the work for you by automatically creating strong, unique, and difficult-to-crack passwords or passphrases. Pro Tip: Wondering how you’re going to keep track of all your passwords? The easiest and safest way to manage strong and unique passwords for every account is to use a secure password manager, like Bitwarden.

Find elsewhere

Google Bing Mojeek

Bitwarden

bitwarden.com › blog › the most effective strategy for achieving password strength

The most effective strategy for achieving password strength | Bitwarden

One of the tools available in the Bitwarden arsenal is the Bitwarden · Password Strength Testing Tool. Upon entering in an existing password, the user will be given an assessment of that password (very weak, weak, average, strong, very strong, etc) and the estimated time it would take to crack it.

Bitwarden

community.bitwarden.com › ask the community › password manager

Testing my master password - Questions - Password Manager - Bitwarden Community Forums

March 30, 2024 - I am mildly curious as to whether my master password is secure, so I did some reading on the Data Breach report. I say “mildly concerned” because my master PW is well over 16 characters, in addition to having some other characteristics that I believe makes it unique and uncompromised (or ...

Bitwarden

bitwarden.com › blog › picking the right password for your password manager

Picking the right password for your password manager | Bitwarden

When pasted into the strength testing tool, we can see that the time to crack is centuries. Bitwarden Password Strength Testing Tool and Time to Crack Password

RedTeam Pentesting

blog.redteam-pentesting.de › 2024 › bitwarden-heist

RedTeam Pentesting - Blog - Bitwarden Heist - How to Break Into Password Vaults Without Using Passwords

We first tried to crack the vault using simple credential stuffing attacks, however this remained unsuccessful, leading us to ultimately attempt a more creative approach. To further analyze the vault, we decided to download the main storage file of Bitwarden, in the hopes of finding anything of note.

Bitwarden

bitwarden.com › passphrase-generator

Secure Passphrase Generator | Generate Secure Passwords | Bitwarden

Enter passphrases: a series of random words that are not only easier to remember but also extremely hard for hackers to crack. In this section, we’ll break down how passphrases work, why they’re so effective, and how long yours should be to keep your accounts truly secure. Generate passwords, store them securely, and access them instantly from any device. ... 81% of data breaches happen because of reused or weak passwords. Stay protected with random, unique passphrases for every account. Test the secure passphrase generator from Bitwarden today or easily generate strong and secure passphrases in your Bitwarden app.

Bitwarden

bitwarden.com › how-secure-is-my-password

How Secure is my Password | Bitwarden

To address evolving security threats online, service providers are introducing new login requirements in an effort to increase password complexity and make them more difficult for hackers to crack.

Bitwarden

bitwarden.com › help › reports

Vault Health Reports | Bitwarden

The Weak Passwords report identifies weak passwords that can easily be guessed by hackers and automated tools that are used to crack passwords, sorted by severity of the weakness.

Bitwarden

bitwarden.com › blog › how to determine your password health

How to determine your password health | Bitwarden

They can simply type in or copy their password (which is never transmitted to the Bitwarden servers and is processed locally in a device’s web browser window) and be given an evaluation. For example, typing in the password ‘Passwo$d1” reveals it is ‘weak’ and would take 41 minutes to creak, whereas typing in ‘hunky-dates-56-cats’ reveals a password that is ‘strong’ and would take centuries to crack.

reddit.com › r › Bitwarden › comments › 18rc0gl › the_most_effective_strategy_for_achieving

The most effective strategy for achieving password strength

May 28, 2023 - Go to Bitwarden · r/Bitwarden • · dwaxe · bitwarden.com Open · New to Reddit? Create your account and connect with a world of communities. Continue with Email · Continue With Phone Number · By continuing, you agree to our User Agreement and acknowledge that you understand the Privacy Policy.

University of Wisconsin

it.wisc.edu › home › it news › a secure password is as easy as one_two_three

A secure password is as easy as one_two_three

June 19, 2025 - According to Bitwarden’s password strength testing tool (Source: bitwarden.com), the above passwords can be hacked within seconds. But before you come up with an ultra-complicated password, try a passphrase instead.