I forgot my Bitwarden password. I know most of the words; I am missing one word and I know the starting letter of the word. Is there like a strategy to guessing passwords? Is there a program to assist in guessing passwords? I feel like guessing manually would take months.

  • CatZoomies@lemmy.world
    1 year ago

    The fastest method is contacting Bitwarden as another user mentioned. Bitwarden can discuss your options and may be able to help you recover access to your vault if you have emergency access set up for a trusted user or were on an enterprise plan. The second fastest method is starting over and changing the passwords to all the accounts you can remember or have bookmarked.

    Because of entropy, a pass phrase is extremely hard to “crack”. It would take a modern computer hundreds of millions of years nonstop to typically crack a pass phrase. Just ask people who hold Bitcoin and lost their 12 or 24 word passphrase (seed) if they were able to recover their BTC. If your passphrase was 24 words like a BTC passphrase, increase the recovery time to several billion years. No, this is not an exaggeration.

    Since you believe you know the starting letter of the missing word (and this assumes you’re 100% sure, there’s always risk your memory is wrong), you could start by using every word in the English dictionary that starts with that letter (would take you years). Hopefully all the other words are correct and you haven’t misremembered them or placed them out of order. If any word is out of order, unfortunately increase your recovery time to several million years. The other wrench in this problem is that Bitwarden vaults are not readily able to be brute forced. I won’t go into the specifics, but passphrases are not stored in “plain text”, but rather in “hashes”, which is kind of like a “fingerprint” of a file in that every file has a unique “fingerprint”. Bitwarden won’t let you constantly slam your vault stored on their servers with brute-force password attempts. You’ll have to figure out how to set up your own environment, using your encrypted vault, that would allow you to brute-force that local environment with your passphrase attempts, and set up a system that allows you to iterate until you have a matching hash. Since you’re asking for “a program to assist in guessing passwords”, I’m going to assume you’re probably not equipped to set up a local environment on your own and probably never locally backed up an encrypted archive of your online vault. So again, contacting Bitwarden is best.

    Finally, the purpose of a password manager is to have only one password or passphrase to write down (not remember, but write down). Never, ever trust your memory, because human memory is fallible - one fall to the ground and hitting your head could wipe out your memory or cognitive function. You didn’t even fall, and as you can see, you forgot your passphrase. Write your next passphrase on paper in graphite pencil (pencil lead lasts thousands of years longer than ink) and store it in a fireproof safe. If you want to be extra sure, you can stamp it in stainless steel. Don’t store things in lock boxes at banks - banks have a tendency to lose your stuff, or if they shut down they have no obligation to provide you the contents of your lock box. Don’t take pictures of it, don’t store it in an encrypted note on your phone, don’t cleverly try to split it into parts or store it in a book by underlining one letter of a certain page, etc. Keep it simple, keep it safe for your future self - write it down and store it.

    Best of luck to you.

    https://bitwarden.com/help/forgot-master-password/

    • Atemu@lemmy.ml
      1 year ago

      > you could start by using every word in the English dictionary that starts with that letter (would take you years)

      On a mainframe from the 80s maybe.

      The number of words is quite finite and the number of words in commonly used wordlists even more so. On the order of thousands maybe.

      Given that they claim to know the starting letter, that should narrow it down to hundreds.

      Even at multiple seconds per check that’d only be a few minutes.

      > The other wrench in this problem is that Bitwarden vaults are not readily able to be brute forced. I won’t go into the specifics, but passphrases are not stored in “plain text”, but rather in “hashes”, which is kind of like a “fingerprint” of a file in that every file has a unique “fingerprint”.

      A simple hash does nothing to slow brute force. It’s the underlying mechanism to do any password verification at all and usually rather quick.

      State of the art for master-passwords are PBKDFs such as argon2i which are basically a hash hashed again and that hashed again and so on such that you must do a high number of hash calculations in order to verify a password; each depending on the previous.
      You choose the number of iterations in a way that is still relatively quick to do in human terms but rather lengthy in computer terms (hundreds of ms to a few seconds). Every time you enter the master pw your computer runs through this PBKDF and you probably don’t even notice.

      This does indeed “slow down” brute force attacks a good bit in relative terms but in this case the difference is inconsequential in absolute terms.

      > Bitwarden won’t let you constantly slam your vault stored on their servers with brute-force password attempts.

      I don’t know about BW limitations in this regard but depending on whether @[email protected] is still logged in on any of their devices, they might be irrelevant because you don’t need to interact with any of BW’s servers even once to crack your own password. BW works offline if you have logged in once which implies that the pubkey, salt and whatever else is required to verify the password and unlock the vault are available locally.
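The arithmetic behind this reply, as an added example that is not part of the original thread: it measures what a PBKDF costs per guess and how little entropy is left once every word but one is known. The wordlist, salt and passphrase are constructed; the 600,000-iteration work factor and the 7,776-word list size are assumptions, not values taken from the thread.

```python
import hashlib, hmac, math, time

# Constructed stand-in wordlist; a real diceware-style list has thousands of entries.
WORDLIST = ["apple", "brick", "cable", "candle", "carbon", "cedar",
            "cobalt", "copper", "delta", "ember", "falcon", "garnet"]
SALT = b"constructed-salt"      # constructed value
ITERATIONS = 600_000            # assumed KDF work factor

def derive(passphrase, salt=SALT, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: each round depends on the previous one."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)

def passphrase_bits(list_size, unknown_words):
    """Entropy of `unknown_words` words drawn uniformly from the list."""
    return unknown_words * math.log2(list_size)

def candidates(known, gap, letter, wordlist=WORDLIST):
    """Every passphrase that fits: known words plus one list word at `gap`."""
    for word in wordlist:
        if word.startswith(letter):
            yield " ".join(known[:gap] + [word] + known[gap:])

def recover(verifier, known, gap, letter, salt=SALT, iterations=ITERATIONS):
    """Return (passphrase or None, guesses made, seconds spent)."""
    start, tried = time.perf_counter(), 0
    for guess in candidates(known, gap, letter):
        tried += 1
        if hmac.compare_digest(derive(guess, salt, iterations), verifier):
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start

if __name__ == "__main__":
    secret = "copper falcon cedar ember delta"          # constructed passphrase
    verifier = derive(secret)
    known = ["copper", "falcon", "ember", "delta"]      # third word forgotten
    found, tried, secs = recover(verifier, known, 2, "c")
    print(f"found {found!r} after {tried} guesses, {secs / tried:.2f} s per guess")
    print(f"5 unknown words from 7776: {passphrase_bits(7776, 5):.1f} bits")
    per_letter = 7776 / 26                              # rough average share
    print(f"1 unknown word, letter known: ~{math.log2(per_letter):.1f} bits, "
          f"~{per_letter * secs / tried / 60:.1f} min worst case")
```

The KDF multiplies the cost of each guess by a constant, so it protects a passphrase only while the number of guesses needed stays large; once all but one word is known, the remaining space is a few hundred candidates.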

  • Kit@lemmy.blahaj.zone
    1 year ago

    Did you pay for Bitwarden? If so, contact their customer support. They’ve helped me out of a jam before in an Enterprise environment.

      • Hildegarde@lemmy.world
        1 year ago

        Paid enterprise customers can configure Bitwarden to have an emergency account recovery option. This lets them recover access to Bitwarden using the organization’s private key.

        It’s not an option normal users have. Good luck remembering your password.

        • HeyThisIsntTheYMCA@lemmy.world
          1 year ago

          You’ve just given me a good reason to pay for Bitwarden (if my password wasn’t “photo photo photo gift map” and I was somehow going to forget that)

        • Asthmatic_Goose@lemm.ee
          1 year ago

          “Hello, Bitwarden? I’d like to hack one of your customer’s accounts that I do not know the password to, allowing me to access all of the passwords you are storing for them. I mean me. Because it’s my account, I promise. Pretty please?”

            • SolOrion@sh.itjust.works
              1 year ago

              Doesn’t matter. Passwords aren’t stored as plain text in any scenario where it is even remotely important to security. It’s entirely too easy to access otherwise.

              They have absolutely no way to confirm your password is accurate unless it’s accurate.

              • xigoi@lemmy.sdf.org
                1 year ago

                They do: since it’s only one word missing, they can easily brute-force it themselves.

        • WtfEvenIsExistence1️@lemmy.ca (OP)
          1 year ago

          I doubt they’d do that. That’d just allow anyone to claim to be the rightful owner and get an easy way to brute force.

          Might as well send me the hash of the password and let me locally brute force it.

          Hmm… maybe I should ask. I doubt they do it tho.

  • Elephant0991@lemmy.bleh.au
    1 year ago

    When I forgot part of my old password, I came up with a list of words that I possibly could have come up with and tried those. I eventually found it even if I was panicky the whole time. If I were you, I would list the words and try them in the order of probabilities.

    Un/Fortunately, BW is implemented to rate-limit password brute-forcing. I feel you about your CAPTCHA hell, and I hate their surreal sunflower CAPTCHA (maybe to make it as repulsive as possible to the hackers?).

  • barrage4u@lemmy.world
    1 year ago

    Might be better off spending your time resetting all the passwords that were saved in your bw acct

    • WtfEvenIsExistence1️@lemmy.ca (OP)
      1 year ago

      Way too much effort. And some cannot be reset like Lemmy accounts without an email attached to them (I kinda don’t wanna bother the admins for password reset). Protonmail password would also be really difficult to reset, because you have to remember the precise date you created the account and a lot of different stuff. Which is more difficult than finding a word in a dictionary.

  • Atemu@lemmy.ml
    1 year ago

    How did you generate this password? Which wordlist did you use?

    I’d first extract all words with the starting letter from that list and simply take a look at them; whether any of them jog my memory.

    Are you still logged into any BW client on any of your devices (or have such a state contained in a backup)?

  • Lando_@lemmy.world
    1 year ago

    I don’t know what the best system would be but is the phrase something that makes sense? Like, if the phrase was “there is no god here” and you had “t__ is no god here” there aren’t that many words that fit.

    Also do you have an unlimited number of guesses or will it lock you out at some point?

    • WtfEvenIsExistence1️@lemmy.ca (OP)
      1 year ago

      I have unlimited guesses, but have to solve a captcha for each attempt. This is literally captcha hell. By the time I find the password, I’d probably be a pro at solving captchas. 🥲

  • Dharma Curious@startrek.website
    1 year ago

    Did you use a system of some kind when coming up with it? Like some I’ve seen suggested in the past are things like “3rd word of favorite song+second pet’s name+last 4 digits of serial number on your fridge”

    Anything like that?