Pages: 1 2 [3] Print
Poll
Question: Do you use a password manager?
Yes! I use a 3rd party one like Bitwarden, or 1Pass   -25 (42.4%)
Yes! I self host a password manager like Keepass   -12 (20.3%)
Sorta! I use a built in password saver in Chrome or Firefox   -7 (11.9%)
Nope! But I have a complicated way of remembering passwords or I write them down.   -14 (23.7%)
Nope! I use the same password for everything :3   -1 (1.7%)
Total Members Voted: 57

Author Topic: Password Managers? 🗝️  (Read 5806 times)
Dan Q
« Reply #30 on: March 03, 2026 @716.44 »

Quote
I also think the automatic password generators are a big benefit to these kinds of password managers (of course someone who's paranoid about their passwords getting found out is not gonna use something like that (I don't know if Bitwarden's passwords are generated with pseudo randomness or not))

tl;dr version:

1. The randomness is fine. Don't worry about it.
2. Bitwarden is fine. Don't worry about it.
3. Need "proper random" offline passphrases? Try Diceware!

Whether the randomiser is good is the least of your worries with a cloud-based manager (but cloud-based managers are still fine!)

By the time somebody's using a cloud-based password manager like Bitwarden (which are fine, by the way, but necessarily require a greater degree of trust in a third-party than an offline one), whether or not they trust the randomisation of the password generator is a bit of a moot point! After all; why would an attacker who has the power to make Bitwarden make slightly-more-predictable passwords not instead make Bitwarden leak actual-real-passwords instead?

(I'll stress that this is unlikely. Cloud-based password systems like Bitwarden, 1Password, LastPass etc. are usually zero-knowledge/encrypted-at-rest-and-in-transit solutions, so nobody without your credentials - not even the company - can access the contents of your vault, assuming their systems are properly implemented. Personally, I'm more comfortable with one that's also zero-trust, which in my case means it's open-source and not-cloud-based, but that's probably not necessary for most people!)

Do they use pseudo-randomness? Who cares!

Anyway, your question was: are Bitwarden's passwords generated with pseudo randomness? As opposed to what? True randomness? We can answer that with a little logical deduction. Bitwarden's random password generator works offline (unplug your network cable and you'll see that it still works!); therefore it can only be using the capabilities within your device. Most people's computers are only capable of pseudo-random (PRNG) generation. Therefore, Bitwarden almost certainly uses pseudo-random generation, yes. This isn't a problem: modern (by which I mean: up to about 40 years old!) PRNGs can be made to be sufficiently unpredictable that this should not be your primary concern in a properly-made software system.

A few of us have hardware random number generators (I keep one in my NAS: the attached picture shows it, attached to an internal motherboard USB header - it's the white thing in the centre of the picture). Whether or not these devices count as pseudo-random or true-random is a somewhat philosophical question, which depends on your preferred interpretation of quantum physics, superdeterminism, and the like! But the real test for a machine RNG is whether or not it's externally predictable. Mine's powered by electron avalanche breakdown effects, which is not great (it's theoretically sensitive to electromagnetic noise), but still a better source of entropy than a software PRNG. Anyway, all of this is to say: I don't use it to generate passwords. A software PRNG already carries more than enough entropy to potentially generate, for example, every conceivable password of up to 64 characters and still have more random left in it. A hardware PRNG is mostly a useful source of entropy for split-key cryptography, which depends upon much more entropy and much larger keys than a typical password!

Want cheap, memorable, hardware-randomised passwords? Diceware is your friend!

Aaaanyway... all of which is to say: if you really want "true hardware" random passwords, get yourself five six-sided dice and roll yourself up a 5+ word passphrase using the diceware table!


* 20260303_155726.jpg (124.81 kB, 800x450 - viewed 5 times.)
Logged
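
An added example, not part of Dan Q's post: the Diceware lookup described in reply #30, written out in Python. The word table is a constructed placeholder (no real Diceware list is embedded), and `software_rolls` is a hypothetical stand-in for physical dice that draws from the OS CSPRNG.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                 # five six-sided dice pick one word
TABLE_SIZE = 6 ** DICE_PER_WORD   # 7776 entries in a Diceware table


def build_placeholder_table():
    """Constructed stand-in for a real Diceware table: one dummy word for
    each five-dice key from '11111' to '66666'."""
    keys = ("".join(p) for p in product("123456", repeat=DICE_PER_WORD))
    return {key: "word" + key for key in keys}


def lookup(rolls, table):
    """Return the table entry for one group of five dice rolls."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return table["".join(str(r) for r in rolls)]


def passphrase(roll_groups, table):
    """Join one word per group of five rolls into a passphrase."""
    return " ".join(lookup(group, table) for group in roll_groups)


def entropy_bits(n_words):
    """Entropy of n uniformly chosen words: n * log2(7776)."""
    return n_words * math.log2(TABLE_SIZE)


def software_rolls(n_words):
    """Hypothetical stand-in for physical dice, drawing from the OS CSPRNG."""
    return [[secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD)]
            for _ in range(n_words)]


if __name__ == "__main__":
    table = build_placeholder_table()
    rolls = software_rolls(5)
    print(passphrase(rolls, table))
    print(f"{entropy_bits(5):.1f} bits for 5 words")
```

Each word contributes about 12.9 bits, so a five-word passphrase carries about 64.6 bits, provided every roll is fair and the words are used exactly as rolled.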


sunnyp4rk
« Reply #31 on: March 03, 2026 @724.90 »

I use Keepass. I don't trust online password managers tbh. Keepass is nice and simple to use, and it's easy to organize as well. I use Android so there's an app that syncs with my database for phone use.
Logged

lakes
« Reply #32 on: March 04, 2026 @97.41 »

i personally switch between bitwarden and keepassxc depending on what the password is for
if it's something online that i want synced, then i use bitwarden
if it is offline or that i don't need password syncing for, i use keepassxc
Logged




Mytten
« Reply #33 on: March 04, 2026 @927.81 »

I use LastPass, though after reading a few of the posts I might switch to something else. It would be difficult though as there is just so much info there that I would likely need to manually paste over, which would have to be done over time.
I do like it though as it auto fills the correct boxes most of the time. And as far as I know (which is not much tbh) LastPass seems pretty secure.:sleep:
Logged

M2N:sleep:
lakes
« Reply #34 on: March 05, 2026 @169.70 »

Quote
I use LastPass, though after reading a few of the posts I might switch to something else. It would be difficult though as there is just so much info there that I would likely need to manually paste over, which would have to be done over time.
I do like it though as it auto fills the correct boxes most of the time. And as far as I know (which is not much tbh) LastPass seems pretty secure.:sleep:

yeah i heard lastpass is not reliable nor open source & they had at least 2 data breaches already (2022, 2024)
if you want autofill, bitwarden's browser extension & mobile app have autofill enabled
there's also proton pass but i never tried it
granted offline password managers are less likely to get hacked
so if you want secure, you could always go with keepass
« Last Edit: March 05, 2026 @676.24 by lakes » Logged




Dan Q
« Reply #35 on: March 05, 2026 @673.03 »

As far as the big cloud password managers are concerned (the likes of LastPass, BitWarden, 1Password, Dashlane, Proton Pass etc.)... LastPass is the one I'd be least-likely to recommend to a friend who needed a cloud-based password manager!

Aeons ago, I used to use them, and recommend them. But (long after I stopped using them, mind) they've had multiple breaches, and that suggests they're doing something wrong.

So yeah: perhaps consider a different provider! Exporting and importing is reasonably easy, though, with most of them. Just be sure to have your "old" provider delete everything after you've finished migrating elsewhere (or, better yet, change all your passwords!).
Logged


XxCat
« Reply #36 on: March 06, 2026 @86.56 »

I've started writing down important passwords in a notebook, but yeah most of them are in my browser :innocent:
Logged

pepper
« Reply #37 on: March 06, 2026 @955.50 »

Like others here, I use Bitwarden. I also pay for their upgraded personal plan and use it alongside a yubikey. Almost all my passwords are stored on Bitwarden, and I have my Bitwarden, Proton, Google, and Discord recovery codes written down in a safe place along with the other documents I would grab if evacuating my home. So, if my Bitwarden were somehow lost, corrupt, or otherwise unrecoverable, I can still access my email using recovery codes, and with that I can still access everything else by using password resets everywhere.

The Yubikey is nice because I can use it as OTP for 2FA whenever a new device is signing into my Bitwarden account. It's a little annoying when I'm setting up a new Linux install for instance (ran into this a lot lately) and I need to get up and grab my car keys where I keep my Yubikey, but it's a nice peace of mind knowing that to access literally my entire collection of digital access to my accounts, one needs physical things that I control. Someone needs to really want to steal my logins to get access, and I don't think I'm a target of enough interest by any organization or government to steal my physical login key to get access to my accounts LOL.

Anyways, moral of the post here is: look into a Yubikey or other OTP physical key! They are pretty nifty  :unite:
Logged

  :dog:  I'm verbose. Sorry! (not sorry)

         
ocean
« Reply #38 on: March 24, 2026 @13.78 »

I've been using Apple's built-in Password manager for ages now, since it just works and autofills everything. While this is nice, I feel like passwords are still kind of less than ideal. I really like the idea of Passkeys; while the concept probably does need a bit of work, I think this is the kind of thing we should be moving to.

Passwords are a huge attack vector, and making it harder for the common folks/casual computer users to be hacked is always a good thing.
Logged

zekromaster
« Reply #39 on: March 24, 2026 @45.44 »

Pass user here. I use GNU+Linux on all my machines so I always have a decent terminal available, and everything is encrypted with PGP so I could hypothetically host them online with no real risk (anyone who can steal my PGP keys from me has access to an unencrypted drive with my encryption key on it, which means they are in my house, which means they can beat me up until I give them the password they want anyways).

Not that I would host the passwords somewhere else, I keep a git repo on my main PC and just pull and push from/to it when I'm home.
Logged

Check out my gemini capsule at gemini://zekromaster.net

haumeaGeth
« Reply #40 on: March 24, 2026 @73.66 »

At the moment, I just write down all of my passwords. However, I've been slowly learning Ruby in bits and pieces, and while learning about hashes, I immediately had an idea for a little terminal program I could write to save time looking through my huge list of passwords, so I'll swap over to that method once I've finished it!

I don't really trust third party password programs. I don't know how they work, so I don't know how secure they are. My current method works fine, so I haven't had motivation to even look into them either. ¯\_(ツ)_/¯
Logged

noahie
« Reply #41 on: March 25, 2026 @652.30 »


These days I use the keepassxc-cli package to grab passwords and just use the keepassxc GUI to make new entries. To clip passwords to my keyboard, I made a function and several aliases in my zshconfig file so that it's easy grab-and-go. The function and alias for Melonland look like this:


Code
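# Copy the password of the entry "Accounts/<name>" from the KeePassXC
# database to the clipboard (prompts for the master password).
kp() {
    keepassxc-cli clip ~/Keepass/Safe.kdbx "Accounts/$1"
}

# Shortcut for the Melonland entry
alias kpm="kp melonland"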


So whenever I want to login to Melonland, I just type 'kpm' in my terminal, put in my master password, and the password gets clipped. The workflow is super fast, efficient, and secure.

A while back, I also made my own password manager and put it on Github. Obviously, it's not a very sophisticated one, but it's also mine and totally free, so that's a plus.
Logged

"Your worst sin is that you betrayed and destroyed yourself for nothing"