Password Managers? 🗝️ - page 3 - ☞ ∙ Life on the Web

Quote from: Sumstuff on March 03, 2026 @664.47

I also think the automatic password generators are a big benefit to these kinds of password managers(of course someone who's paranoid about they're passwords getting found out is not gonna use something like that(i don't know if Bitwarden's passwords are generated with pseudo randomness or not))

tl;dr version:

1. The randomness is fine. Don't worry about it.
2. Bitwarden is fine. Don't worry about it.
3. Need "proper random" offline passphrases? Try Diceware!

Whether the randomiser is good is the least of your worries with a cloud-based manager (but cloud-based managers are still fine!)

By the time somebody's using a cloud-based password manager like Bitwarden (which are fine, by the way, but necessarily require a greater degree of trust in a third-party than an offline one), whether or not they trust the randomisation of the password generator is a bit of a moot point! After all; why would an attacker who has the power to make Bitwarden make slightly-more-predictable passwords not instead make Bitwarden leak actual-real-passwords instead?

(I'll stress that this is unlikely. Cloud-based password systems like Bitwarden, 1Password, LastPass etc. are usually zero-knowledge/encrypted-at-rest-and-in-transit solutions, so nobody without your credentials - not even the company - can access the contents of your vault, assuming their systems are properly implemented. Personally, I'm more comfortable with one that's also zero-trust, which in my case means it's open-source and not-cloud-based, but that's probably not necessary for most people!)

Do they use pseudo-randomness? Who cares!

Anyway, your question was: are Bitwarden's passwords generated with pseudo randomness? As opposed to what? True randomness? We can answer that with a little logical deduction. Bitwarden's random password generator works offline (unplug your network cable and you'll see that it still works!); therefore it can only be using the capabilities within your device. Most people's computers are only capable of pseudo-random (PRNG) generation. Therefore, Bitwarden almost certainly uses pseudo-random generation, yes. This isn't a problem: modern (by which I mean: up to about 40 years old!) PRNGs can be made to be sufficiently unpredictable that this should not be your primary concern in a properly-made software system.

A few of us have hardware random number generators (I keep one in my NAS: the attached picture shows it, attached to an internal motherboard USB header - it's the white thing in the centre of the picture). Whether or not these devices count as pseudo-random or true-random is a somewhat philosophical question, which depends on your preferred interpretation of quantum physics, superdeterminism, and the like! But the real test for a machine RNG is whether or not it's externally predictable. Mine's powered by electron avalanche breakdown effects, which is not great (it's theoretically sensitive to electromagnetic noise), but still a better source of entropy than a software PRNG. Anyway, all of this is to say: I don't use it to generate passwords. A software PRNG already carries more than enough entropy to potentially generate, for example, every conceivable password of up to 64 characters and still have more random left in it. A hardware PRNG is mostly a useful source of entropy for split-key cryptography, which depends upon much more entropy and much larger keys than a typical password!

Want cheap, memorable, hardware-randomised passwords? Diceware is your friend!

Aaaanyway... all of which is to say: if you really want "true hardware" random passwords, get yourself five six-sided dice and roll yourself up a 5+ word passphrase using the diceware table!