🌐
Bitwarden
bitwarden.com › password-strength
Password Tester | Test Your Password Strength | Bitwarden
Millions of users trust Bitwarden to manage login credentials across unlimited devices and platforms. ... Choose the plan that best fits your personal or business needs. Create a new account and store your master password in a safe place. View download options to access your Bitwarden vault across all preferred browsers and devices.
🌐
Bitwarden
bitwarden.com › password-security-checker
Password Security Checker: Everything You Need to Know | Bitwarden
Ready to test the strength of your passwords? Try the free and secure · Bitwarden Strength Tester.
🌐
Reddit
reddit.com › r/bitwarden › bitwarden password strength tester
r/Bitwarden on Reddit: Bitwarden Password Strength Tester
September 18, 2022 -

In light of the recent LastPass breech I looked at different strength test websites to see how long a password would hold up under a offline brute-force attack.

The password I tried was: Aband0nedFairgr0und

This is a a 19 character password with a combination of uppercase/lowercase/numbers. Granted, there is no special characters.

I went to 5 different password strength sites and they all give me wildly different results for how long it would take to crack.

https://www.security.org/how-secure-is-my-password/ 9 quadrillion years
https://delinea.com/resources/password-strength-checker 36 quadrillion years
https://password.kaspersky.com/ 4 months
https://bitwarden.com/password-strength/ 1 day

As you can see the results are all over the place!

Why is the Bitwarden result so low and if the attacker had zero knowledge of the password, is it feasible to take an average of the diufferent results and assume that password is sronger that 1 day?

PS: Dont worry, Aband0nedFairgr0und is not a password I use and was made up as a test.

Top answer
1 of 5
63
The other explanations here are true but maybe this will clarify why. Bad password checkers assume a cracking program will guess, in order: a, b, c, … aa, ab, ac, ad, … and so on forever. Good password strength checkers calculate entropy (~randomness) with the assumption of common reasonable wordlists and standard variations on those words, in addition to gibberish character strings. Password cracking tools don’t tend to guess every single random string of characters from shortest to longest, since many people are more likely to choose real words or variations of words. So, for example, “eggplan” is actually a stronger password than “eggplant” despite having fewer characters. They’re both awful, but any decent password cracking tool will guess a word a human is more likely to choose first (vs egg + plan, two unusual words to combine). “eggplan” will even take longer to crack than “eggpl@nt” because a→@ is such a common substitution for humans trying to strengthen their passwords that password cracking tools will likely try it first. Extending to longer sequences, 3-6 memorable unmodified words chosen randomly from very long lists will usually be both more memorable and harder to crack than 2-3 words with symbols inserted. Edit to add: the best way to get a sense of how this works in practice is here: https://lowe.github.io/tryzxcvbn/
2 of 5
33
Bitwarden.com uses zxcvbn to calculate the time-to-crack. You can try it online at https://lowe.github.io/tryzxcvbn/ and it'll tell how it arrived at a time of 1 day.
🌐
Bitwarden
bitwarden.com › password-generator
Free Password Generator | Create Strong Passwords and Passphrases | Bitwarden
Easy and secure password generator that's completely free and safe to use. Generate strong passwords and passphrases for every online account with the strong Bitwarden password generator, and get the latest best practices on how to maintain ...
🌐
Bitwarden
bitwarden.com › download
Download the Bitwarden Password Manager App for iPhone, Android, Chrome, Safari, and More | Bitwarden
Take your password manager on the go with mobile apps for your phone or tablet. ... Install the F-Droid client app. Scan the QR code from above or manually copy/paste the Bitwarden repository information into the F-Droid client app under Settings.

Bitwarden

free and open-source password manager

bitwarden.com
Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. It is owned and developed by Bitwarden, Inc. Bitwarden … Wikipedia
Factsheet
Original author Kyle Spearrin
Developer Bitwarden Inc.
Initial release 10 August 2016 (2016-08-10)
Factsheet
Original author Kyle Spearrin
Developer Bitwarden Inc.
Initial release 10 August 2016 (2016-08-10)
🌐 🌐 🌐 🌐 🌐 🌐 🌐 🌐 🌐 🌐
🌐
Bitwarden
bitwarden.com
Best Password Manager for Business, Enterprise & Personal | Bitwarden
Bitwarden is the most trusted password manager for passwords and passkeys at home or at work, on any browser or device. Start with a free trial.
🌐
GitHub
github.com › PacketParker › bitwarden-password-checker
GitHub - PacketParker/bitwarden-password-checker: Checks your Bitwarden vault for breached passwords on the HaveIBeenPwned API.
https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ Regarding the dependency of a UNIX system, this is because of the dependency of the pexpect module, which is used to login to your Bitwarden account with your API credentials. The functions which are used are only available for use on UNIX based systems. Feel free you fork this project or download the code and use it for your own needs.
Forked by 2 users
Languages   Python 93.7% | Shell 6.3%
🌐
Bitwarden
bitwarden.com › blog › how to test the strength of your passwords in 2022
How to Test the Strength of Your Passwords in 2022 | Bitwarden
For those interested in testing the strength of current passwords, you can do this safely and automatically using the free Bitwarden Password Strength Tester.
🌐
Bitwarden
bitwarden.com › passphrase-generator
Secure Passphrase Generator | Generate Secure Passwords | Bitwarden
The Bitwarden Passphrase Generator makes it easy to create strong, memorable passphrases that keep your accounts secure. Free Password GeneratorUse the Free Passphrase Generator
Find elsewhere
🌐
Bitwarden
bitwarden.com › blog › how strong is my password?
How strong is my password? | Bitwarden
Before leaning too heavily on a third-party site’s built-in tools, consider first reviewing the Bitwarden Password Security Checker explainer, then utilizing the Bitwarden Password Strength Testing Tool. This tool gauges how long it might take to crack your password by testing it against known criteria such as length, randomness, and complexity. Using the password strength tester will give you a quick answer to the question “how strong is my password?” and allow you to build up a repertoire of strong passwords.
🌐
Bitwarden
bitwarden.com › how-secure-is-my-password
How Secure is my Password | Bitwarden
Getting started with a password manager is easy. If you do not have one in place, you can download Bitwarden for free, or begin a trial for your business.If you are using another password manager, you can import that data into Bitwarden.
🌐
Bitwarden
community.bitwarden.com › feature requests › password manager
Password Strength Testing Tool, add password iterations - Password Manager - Bitwarden Community Forums
December 19, 2022 - Feature name Add password iteration (PBKDF2) count input text box (accept like “310000”), and output adjustment to “time to crack”. Feature function Augment this page: Take this superficially seemingly OK password, 9W&…
🌐
Bitwarden
community.bitwarden.com › ask the community › password manager
Testing my master password - Questions - Password Manager - Bitwarden Community Forums
March 30, 2024 - I am mildly curious as to whether my master password is secure, so I did some reading on the Data Breach report. I say “mildly concerned” because my master PW is well over 16 characters, in addition to having some other …
🌐
Bitwarden
community.bitwarden.com › feature requests › password manager
A live password strength tester - Password Manager - Bitwarden Community Forums
May 3, 2025 - Bitwarden introduce a built-in password strength meter that dynamically shows the strength of any password when viewed, edited, or created in the vault. The password strength meter will provide real-time feedback, rating…
🌐
Bitwarden
bitwarden.com › help › reports
Vault Health Reports | Bitwarden
Log in to the Bitwarden web app. Open the Admin Console using the product switcher: ... Choose a report to run. ... The Exposed Passwords report will identify passwords that have been uncovered in known data breaches that were released publicly ...
🌐
Reddit
reddit.com › r/bitwarden › password strength testing tool - password from list listed as secure
r/Bitwarden on Reddit: Password Strength Testing Tool - password from list listed as secure
September 17, 2024 -

Hi! Tested one of my old cracked password with the bitwarden Password strength testing tool and it was shown as secure. So I tested it with one of the password that I thought look at least kind of good from a rockyou-list: "arisdwiwanto070606" (https://raw.githubusercontent.com/josuamarcelc/common-password-list/refs/heads/main/rockyou.txt/rockyou_2.txt) with the result that it was a strong password.

According to HaveIBeenPwnd the password has been seen one time before.

Is there any reason why Bitwarden does not check for any new password lists as well when telling the user about the password strength (zxcvbn seems to have a 9 years old password list, https://github.com/dropbox/zxcvbn/tree/master/data) or do I miss something?

Top answer
1 of 5
54
Don’t use password strength testers… that’s what you missed. They just look for characteristics like length and characters used and aren’t really a good measure of how secure a password is.
2 of 5
28
A password “strength tester” attempts to verify the complexity of a password based on its form. They are all garbage, including the one Bitwarden offers. The only way to properly assess the strength of a password is by analyzing the app that generated it. No single password by itself can give you a good measure. You are wondering about whether a password has been breached. This is independent of its strength. The Bitwarden premium subscription offers such an assessment based on https://haveibeenpwned.com . I have seen this report on the web portal. There is also a validation button in the new mobile app, but I am not 100% certain that is yet wired into HIBP.
🌐
Bitwarden
bitwarden.com › blog › picking the right password for your password manager
Picking the right password for your password manager | Bitwarden
You can test your master password strength with the Bitwarden Password Strength Tester.
🌐
Bitwarden
bitwarden.com › blog › the most effective strategy for achieving password strength
The most effective strategy for achieving password strength | Bitwarden
A user could feasibly test each and every one of their passwords to ensure they are meeting the requirements for “strong” or “very strong”. Or, they could use the · Bitwarden Strong Password Generator in conjunction with the Bitwarden Password Strength Testing Tool.
🌐
Reddit
reddit.com › r/bitwarden › question about the bw password strength tester
r/Bitwarden on Reddit: Question about the BW password strength tester
March 17, 2023 -

Basically, it seems to award very short passphrases too much strength.

I've built a spreadsheet to test entropy of each password/passphrase and have believed it's best to stay above 78 bits of entropy, I suppose based upon recommendations of the Diceware web page, from perhaps 1995:

We recommend a minimum of six words for use with GPG, wireless security and file encryption programs. A seven, eight or nine word passphrase is recommended for high value uses such as whole disk encryption, BitCoin, and the like. For more information, see the Diceware FAQ.

From this I inferred six-word passphrases were the basic minimum, with longer phrases up to 10, depending upon need. Six words gives me 77 bits of entropy (based upon a 7700-word dictionary).

Now to the BW Password Strength Testing Tool (PSTT): It shows a two-word passphrase, "blissful-harmony" as good! Then it also says it would take one day to crack! Something's wrong here. FWIW, a two-word passphrase yields 25 bits of entropy. Add one more word to the phrase: "blissful-harmony-update" and the tester gives it a "Strong" rating that will take centuries to crack with 38 bits of entropy. Neither seems overpowering or even adequate.

The PSTT appears to have dissociated "strength" and "entropy," and I don't understand why.

I did read through the zxcvbn link on the PSTT page, and the following may bear upon the issue:

By disregarding the "configuration entropy" — the entropy from the number and arrangement of the pieces — zxcvbn is purposely underestimating, by giving a password's structure away for free: It assumes attackers already know the structure (for example, surname-bruteforce-keypad), and from there, it calculates how many guesses they'd need to iterate through.

There's also the encryption methods, including the Key Derivation Function that will slow down the number of guesses a hacker can make in any unit of time; that can help, as can Multi-Factor Authentication (MFA).

Still, worst case, as LastPass users discovered, MFA doesn't help the Vault owner if a hacker has it in front of him and doesn't have to go through online protection schemes.

So, is a short passphrase strength betting on a hacker not knowing the structure of password/passphrase or am I missing something?

Top answer
1 of 5
28
The problem with password strength testing tools like Bitwarden's is the fact that the don't know anything about how the password was generated. All they know is the end result. It's kind of like telling the tool "I rolled a 3" without telling it if the die is a d4, d6, d8, d10, d12, or d20. To answer your question directly, password cracking is more art than science. Experienced password crackers will leverage existing cracked password lists to chase after the low hanging fruit first. They'll apply some masks to alter passwords found in the list, such as making the first character uppercase or appending special characters, but by and large, they're doing everything they can do avoid brute forcing.
2 of 5
6
It shows a two-word passphrase, "blissful-harmony" as good! Then it also says it would take one day to crack! Something's wrong here. Yes, Bitwarden's password strength tester (zxcvbn), while better than many alternatives, often produces misleading results. In the example above, it overestimates the entropy (it estimates 30 bits of entropy, because it does not know about the EFF Word List used by Bitwarden, and one of the words is very uncommon — blissful is ranked 11,413 in the "US TV and Film" dictionary used by zxcvbn for this word). On the other hand, zxcvbn estimates time to crack using hash rates that are outdated (it has four different speed options, but Bitwarden's strength tool uses the third option, which assumes 10,000 guesses per second). Thus: (230 guesses)/(10,000 guesses/second)/(86,400 seconds/day) = 1.2 days. You can learn more about how the zxcvbn tool works using this demo page: https://lowe.github.io/tryzxcvbn/
🌐
X
x.com › Bitwarden › status › 1850948162321604728
Bitwarden on X: "Think you have strong #passwords? Put it to the test with the password strength tool: https://t.co/BBKXiv8wMY #cybersecurityawarenessmonth https://t.co/Cb4pPFOKEM" / X
Put it to the test with the password strength tool: https://btwrdn.com/3YDrO1E #cybersecurityawarenessmonth · 1:10 PM · Oct 28, 2024 · · · 12.5K Views · 12 · 29 · 163 · 25 · Read 12 replies · Sign up now to get your own personalized ...