Any strategies for guessing a passphrase that I am missing one word of?

Atemu , 10 months ago

How did you generate this password? Which wordlist did you use?

I’d first extract all words with the starting letter from that list and simply take a look at them; whether any of them jog my memory.

Are you still logged into any BW client on any of your devices (or have such a state contained in a backup)?

CatZoomies , 10 months ago (edited 10 months ago)

The fastest method is contacting Bitwarden as another user mentioned. Bitwarden can discuss your options and may be able to help you recover access to your vault if you have emergency access setup for a trusted user or were on an enterprise plan. The second fastest method is starting over and changing the passwords to all the accounts you can remember or have bookmarked.

Because of entropy, a pass phrase is extremely hard to “crack”. It would take a modern computer hundreds of millions of years nonstop to typically crack a pass phrase. Just ask people who hold Bitcoin and lost their 12 or 24 word passphrase (seed) if they were able to recover their BTC. If your passphrase was 24 words like a BTC passphrase, increase the recovery time to several billion years. No, this is not an exaggeration.

Since you believe you know the starting letter of the missing word (and this assumes you’re 100% sure, there’s always risk your memory is wrong), you could start by using every word in the English dictionary that starts with that letter (would take you years). Hopefully all the other words are correct and you haven’t misremembered them or placed them out of order. If any word is out of order, unfortunately increase your recovery time to several million years. The other wrench in this problem is that Bitwarden vaults are not readily able to be brute forced. I won’t go into the specifics, but passphrases are not stored in “plain text”, but rather in “hashes”, which is kind of like a “fingerprint” of a file in that every file has a unique “fingerprint”. Bitwarden won’t let you constantly slam your vault stored on their servers with brute-force password attempts. You’ll have to figure out how to setup your own environment, using your encrypted vault, that would allow you to brute-force that local environment with your passphrase attempts, and set up a system that allows you to iterate until you have a matching hash. Since you’re asking for “a program to assist in guessing passwords”, I’m going to assume you’re probably not equipped to set up a local environment on your own and probably never locally backed up an encrypted archive of your online vault. So again, contacting Bitwarden is best.

Finally, the purpose of a password manager is to have only one password or passphrase to write down (not remember, but write down). Never, ever trust your memory, because human memory is fallible - one fall to the ground and hitting your head could wipe out your memory or cognitive function. You didn’t even fall, and as you can see, you forgot your passphrase. Write your next passphrase on paper in graphite pencil (pencil lead last thousands of years longer than ink) and store it in a fireproof safe. If you want to be extra sure, you can stamp it in stainless steel. Don’t store things in lock boxes at banks - banks have a tendency to lose your stuff, or if they shut down they have no obligation to provide you the contents of your lock box. Don’t take pictures of it, don’t store it in an encrypted note on your phone, don’t cleverly try to split it into parts or store it in a book by underlining one letter of a certain a page, etc. Keep it simple, keep it safe for your future self - write it down and store it.

Best of luck to you.

bitwarden.com/help/forgot-master-password/

Atemu , 10 months ago

you could start by using every word in the English dictionary that starts with that letter (would take you years)

On a mainframe from the 80s maybe.

The number of words is quite finite and the number of words in commonly used wordlists even more so. On the order of thousands maybe.

Given that they claim to know the starting letter, that should narrow it down to hundreds.

Even at multiple seconds per check that’d only be a few minutes.

The other wrench in this problem is that Bitwarden vaults are not readily able to be brute forced. I won’t go into the specifics, but passphrases are not stored in “plain text”, but rather in “hashes”, which is kind of like a “fingerprint” of a file in that every file has a unique “fingerprint”.

A simple hash does nothing to slow brute force. It’s the underlying mechanism to do any password verification at all and usually rather quick.

State of the art for master-passwords are PBKDFs such is argon2i which are basically a hash hashed again and that hashed again and so on such that you must do a high number of hash calculations in order to verify a password; each depending on the previous.
You choose the number of iterations in a way that is still relatively quick to do in human terms but rather lengthy in computer terms (hundreds of ms to a few seconds). Every time you enter the master pw your computer runs through this PBKDF and you probably don’t even notice.

This does indeed “slow down” brute force attacks a good bit in relative terms but in this case the difference is inconsequential in absolute terms.

Bitwarden won’t let you constantly slam your vault stored on their servers with brute-force password attempts.

I don’t know about BW limitations in this regard but depending on whether @WtfEvenIsExistence is still logged in on any of their devices, they might be irrelevant because you don’t need to interact with any of BW’s servers even once to crack your own password. BW works offline if you have logged in once which implies that the pubkey, salt and whatever else is required to verify the password and unlock the vault are available locally.

barrage4u , 10 months ago

Might be better off spending your time resetting all the passwords that were saved in your bw acct

WtfEvenIsExistence OP , 10 months ago

Way to much effort. And some cannot be reset like Lemmy accounts without an email attached to them (I kinda don’t wanna bother the admins for password reset). Protonmail password would also be really difficult to reset, because you have to remember the precise date you created the account and a lot of different stuff. Which is more difficult than finding a words in a dictionary.

Elephant0991 , 10 months ago

When I forgot part of my my old password, I came up with a list of words that I possibly could have come up with and tried those. I eventually found it even if I was panicky the whole time. If I were you, I would list the words and try them in the order of probabilities.

Un/Fortunately, BW is implemented to rate-limit password brute-forcing. I feel you about your CAPTCHA hell, and I hate their surreal sunflower CAPTCHA (maybe to make it as repulsive as possible to the hackers?).

DharmaCurious , 10 months ago

Did you use a system of some kind when coming up with it? Like some I’ve seen suggested in the past are things like “3rd word of favorite song+seconds pets name+last 4 digits of serial number on your fridge”

Anything like that?

Kit , 10 months ago

Did you pay for Bitwarden? If so, contact their customer support. They’re helped me out of a jam before in an Enterprise environment.

WtfEvenIsExistence OP , 10 months ago

I don’t have paid plans, but even if you did, how does support even help? Isn’t it supposed to be end to end encrypted?

Hildegarde , 10 months ago

Paid enterprise customers can configure bitwarden to have an emergency account recovery option. This lets them recover access to bitwarden using the orginization’s private key.

Its not an option normal users have. Good luck remembering your password.

HeyThisIsntTheYMCA , 10 months ago

You’ve just given me a good reason to pay for bitwarden (if my password wasn’t “photo photo photo gift map” and I was somehowgoing to forget that)

xigoi , 10 months ago

Maybe they could allow you to brute-force your password without CAPTCHAs?

WtfEvenIsExistence OP , 10 months ago

I doubt they’d do that. That’d just allow anyone to claim to be the rightful owner and get an easy way to brute force.

Might as well send me the hash of the password and let me locally brute force it.

Hmm… maybe I should ask. I doubt they do it tho.

Asthmatic_Goose , 10 months ago

“Hello, Bitwarden? I’d like to hack one of your customer’s accounts that I do not know the password to, allowing me to access all of the passwords you are storing for them. I mean me. Because it’s my account, I promise. Pretty please?”

xigoi , 10 months ago

But they do know most of the password…

odium , 10 months ago

They can’t see the password to know that you know most of it.

SolOrion , 10 months ago

Doesn’t matter. Passwords aren’t stored as plain text in any scenario where it is even remotely important to security. It’s entirely too easy to access otherwise.

They have absolutely no way to confirm your password is accurate unless it’s accurate.

xigoi , 10 months ago

They do: since it’s only one word missing, they can easily brute-force it themselves.

Lando_ , 10 months ago

I don’t know what the best system would be but is the phrase something that makes sense? Like, if the phrase was “there is no god here” and you had “t__ is no god here” there aren’t that many words that fit.

Also do you have an unlimited number of guesses or will it lock you out at some point?

WtfEvenIsExistence OP , 10 months ago

I have unlimited guesses, but have to solve a captcha for each attempt. This is literally captcha hell. By the time I find the password, I’d probably a pro at solving captchas. 🥲

PrettyBlackDress , 10 months ago

Have I been powned

Aussiemandeus , 10 months ago

That’s a great suggestion, use the hackers to your advantage