The Bitwarden Blog
Picking the right password for your password manager
February 9, 2022
If you’re new to password managers, or even if you have been using one for a long time, the most important thing for your protection is to pick a strong and unique password for your password manager.
This means that your main password manager password, sometimes called a master password:
- Is totally unique to your password manager
- Has not been used in other places online
- Is something you can remember, or can write down and put in a secure place
- Is strong, with the following characteristics:
  - Long, such as 12-14 characters or more
  - Random, in that it would be hard for anyone or any computer to guess
    - Pet names, company names, or combinations of these with years are not random passwords. Company2022 will not keep you safe!
  - Complex, with use of special characters and symbols
In addition to having a strong and unique main password, you will also want to enable two-factor authentication for your password manager.
Many security experts have their own systems for creating the main password, and all are valid. Follow these general guidelines and you will be in good shape.
Creating a strong master password means choosing something long, generally 14 characters or more, something that is random (no one can easily guess it), and something that is completely unique to Bitwarden.
Many people suggest creating passwords out of common phrases you remember, or a song lyric. Here’s one that should not be used, but gives you a good idea:
We start with the inspiration of a song lyric: On a dark desert highway / Cool wind in my hair
This example of course is a well known song lyric. The more individual the lyric is for you, and not the rest of the world, the more secure you will be.
Now we need to make it unique. Instead of first letters, we’ll choose last letters:
On a dark desert highway / Cool wind in my hair
But this is not long enough for a secure master password. The Eagles were big in the 1970s, so we’ll add that:
If we check the Bitwarden Password Strength Tester, we can see that it would take 53 years to crack this via a brute force attack.
If we want to go even further, we can add a special character somewhere in the middle, which is less predictable than adding it to the end.
Now we’ve upped the strength to centuries:
Another common approach that provides outstanding security with a bit more memorability is using a passphrase. Bitwarden also offers a free passphrase (and password) generator, both as a web application and within the product.
The important part here is the randomness, meaning this is a computer picking random words instead of a human. Humans are creatures of habit and therefore we often pick things that others might guess or intuit.
Here is a passphrase that came from our passphrase generator:
In this case, the passphrase includes separator characters and a number, which add to the randomness.
When pasted into the strength testing tool, we can see that the time to crack is centuries.
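The reason a generated passphrase scores well is that each word is drawn uniformly by a cryptographically secure random number generator from a known list, so its strength can be stated as a number of bits rather than guessed at. The following is an added example of that construction, not Bitwarden's generator and not its word list: it uses Python's secrets module, a small constructed word list standing in for a real one of several thousand words, and adds a separator and a single digit as the article's sample passphrase does. The entropy calculation assumes the attacker knows the word list and the scheme, which is the correct assumption for any generator whose design is public.

```python
import math
import secrets

# Constructed stand-in word list. Real generators use lists of thousands of
# words; the EFF long list, for instance, has 7776 entries.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dahlia", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pebble",
]


def generate_passphrase(words: list, count: int = 4, separator: str = "-",
                        include_digit: bool = True) -> str:
    """Pick `count` words uniformly at random with a CSPRNG and join them.

    If include_digit is set, one random digit is appended to one randomly chosen
    word, mirroring the separator-plus-number style of the article's sample.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    chosen = [secrets.choice(words) for _ in range(count)]
    if include_digit:
        position = secrets.randbelow(count)
        chosen[position] += str(secrets.randbelow(10))
    return separator.join(chosen)


def passphrase_entropy_bits(wordlist_size: int, count: int, include_digit: bool = True) -> float:
    """Entropy in bits, assuming the attacker knows the list and the scheme.

    Each word contributes log2(list size); the digit contributes log2(10) for
    its value plus log2(count) for which word it was attached to.
    """
    bits = count * math.log2(wordlist_size)
    if include_digit:
        bits += math.log2(10 * count)
    return bits


def parse_passphrase(passphrase: str, separator: str = "-") -> list:
    """Split a generated passphrase back into its words, stripping the digit."""
    return [part.rstrip("0123456789") for part in passphrase.split(separator)]


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase)
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from this 16-word list")
    print(f"{passphrase_entropy_bits(7776, 4):.1f} bits from a 7776-word list")
```

Four words from a 16-word list give only about 21 bits, which is why the size of the list matters as much as the number of words; the same four words from a 7776-word list give about 57 bits, and adding a fifth word adds another 12.9 bits. The extra symbol and digit help, but the dominant term is always words times log2 of the list size.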
Beyond these ideas, there are unlimited possibilities. Have a little fun but also remember:
- You will want your master password to be something you can remember.
- If you worry about your memory, write down your master password and put it in a secure place like a physical safe.
- You will want a master password you can type. Bitwarden offers biometric login on mobile devices and laptops, but you will need to enter your master password on occasion so it is important that you can type it.
- With the end-to-end encryption model Bitwarden uses, Bitwarden cannot recover or reset your master password. If you lose it, the only option is to delete your account and start over. Take the right precautions to avoid this.
- Note that for business Enterprise accounts, Bitwarden does offer the option for Admin Password Reset.
- If you’d like to have a delegate who can gain access to your vault after a specified time when you cannot get in, consider setting up Emergency Access.
Bitwarden recommends a strong and unique master password that users only employ for Bitwarden and nothing else. It is imperative that your master password be something that has never been used elsewhere.
You can test your master password strength with the Bitwarden Password Strength Tester.
As long as your master password is strong and unique, you do not necessarily need to change it, unless you think someone else has gained knowledge of it, or it has been compromised for some other reason. These guidelines match the guidance of the National Institute of Standards and Technology (NIST), which advises:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Bitwarden also recommends enabling two-factor authentication to protect your Bitwarden Account.
If you are new to password managers, remember that using any password manager is better than not using a password manager. Pick one that works for you. We recommend looking for a password manager that:
- Works across all devices
- Synchronizes unlimited logins
- Has a fully featured free version, so you can use it without a financial obligation and can recommend it to friends without implying one
- Offers advanced plans for individuals, families, and businesses if you want to expand further
- Provides an easy data liberation process so you can download all of your credentials at any time from any client application
When using a password manager for the first time, try it with a login that is important to you but not a security risk, such as the login to your favorite streaming service or online newspaper. Try to log in to that website using the password manager across different platforms such as your mobile device, a computer, and a different browser. Install the password manager application on your frequently used devices or browsers.
Some password managers support items beyond just passwords such as secure notes, identity info, and credit cards. Secure notes can be a great way to test the functionality of a password manager.
Once you have the hang of your password manager, you can add more logins and passwords over time. You do not have to do everything all at once. Adding one login and password a day will get you there in due time!