Generate strong passwords for Bitwarden: length, entropy, Argon2
Bitwarden's own generator is fine, but the choices it asks you to make (length, character classes, exclusions) are the same ones a generic generator asks. The interesting decisions are around the master password and the KDF, which are where most users still lose.
Length is what matters, not the character zoo
NIST SP 800-63B and OWASP agree: length buys more entropy than complexity rules do. Each random character drawn from a-zA-Z0-9 is worth log2(62), about 5.95 bits, so a 20-character password carries about 119 bits, far beyond any brute-force budget that exists or is plausible, with or without a slow KDF in front of it.
Bitwarden's site-password generator defaults to 14 characters with all character classes enabled. That is adequate for individual logins. Bumping it to 20 costs you nothing, because you will never type it, and leaves headroom for whatever GPU clusters look like in 2030.
Symbols (!@#$%) widen the alphabet, which is entropy per character, but they hurt when a service rejects or silently strips particular characters; if a site refuses a symbol, disable that class and regenerate rather than hand-editing the result. The Avoid ambiguous characters toggle drops look-alikes such as I, l, 1, O and 0, which makes reading a password off one screen into another survivable; it costs on the order of a tenth of a bit per character, which is noise at 20 characters.
The master password is a different problem
Your Bitwarden master password is the one secret you have to type, remember, and never store anywhere, including in the vault it protects. Random 20-character gibberish fails on remembering. Use a passphrase: 5 to 7 words drawn at random from a long list (Diceware, or the EFF long list with its 7,776 words at about 12.9 bits each) gives you roughly 65 to 90 bits of entropy in a form you can actually remember.
correct horse battery staple cookbook desk
(illustrative only: the first four words are the famous XKCD example and sit in every cracking wordlist, so never reuse them). Bitwarden's own generator has a Passphrase mode that does exactly this; switch it on, raise the word count to 6, and use the result as your master password. Avoid your own catchphrases or quotes from books; the entropy comes from the random word picker, not from the words.
Pair the passphrase with a hardware key (YubiKey) or TOTP as a second factor, and understand what each layer covers: the KDF makes every guess at the master password expensive, while the second factor stops a login to Bitwarden's servers without the device. Two-factor does not protect a copy of the encrypted vault that an attacker already holds (a stolen laptop, a leaked export, a server breach); against that copy only the passphrase's entropy and the KDF's cost stand between them and your logins.
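The arithmetic behind the figures in the two sections above, as an added example rather than anything from Bitwarden: a few POSIX awk helpers that turn an alphabet or wordlist size and a length into bits, plus a crude cost model showing what a KDF does and does not buy. The inputs are assumptions where marked: 62 and 56 symbols for a-zA-Z0-9 with and without look-alikes, 7,776 words for the EFF long list, and an assumed 10^10 guesses per second for an attacker hashing an unprotected password on GPUs.

```shell
# Added example (not Bitwarden code): the entropy arithmetic used in this article.
# Needs only POSIX awk. Alphabet and wordlist sizes are inputs, not measured facts.

# bits of entropy for LENGTH independent uniform picks from an ALPHABET-sized set
entropy_bits() {  # $1 = alphabet size, $2 = length
  awk -v n="$1" -v len="$2" 'BEGIN { printf "%.1f\n", len * log(n) / log(2) }'
}

# a passphrase is the same formula: each word is one uniform pick from the list
passphrase_bits() {  # $1 = wordlist size, $2 = number of words
  entropy_bits "$1" "$2"
}

# smallest LENGTH that reaches TARGET bits from an ALPHABET-sized set
chars_for_bits() {  # $1 = alphabet size, $2 = target bits
  awk -v n="$1" -v b="$2" 'BEGIN {
    l = b / (log(n) / log(2))
    printf "%d\n", (l == int(l)) ? l : int(l) + 1
  }'
}

# expected years to brute-force: half the keyspace at RATE guesses per second
years_to_crack() {  # $1 = entropy bits, $2 = guesses per second
  awk -v b="$1" -v r="$2" 'BEGIN { printf "%.1f\n", 2^(b - 1) / r / 31557600 }'
}

# a KDF adds no entropy; it makes each guess cost ITER hash computations, which is
# worth log2(ITER) extra bits against an attacker limited by hashes per second.
# This ignores memory hardness, so it undersells Argon2id relative to PBKDF2.
kdf_effective_bits() {  # $1 = entropy bits, $2 = KDF iterations
  awk -v b="$1" -v i="$2" 'BEGIN { printf "%.1f\n", b + log(i) / log(2) }'
}

demo() {
  echo "20 chars, a-zA-Z0-9 (62):           $(entropy_bits 62 20) bits"
  echo "20 chars, look-alikes removed (56): $(entropy_bits 56 20) bits"
  echo "16 chars, a-zA-Z0-9:                $(entropy_bits 62 16) bits"
  echo "5/6/7 EFF long-list words:          $(passphrase_bits 7776 5) / $(passphrase_bits 7776 6) / $(passphrase_bits 7776 7) bits"
  echo "a-zA-Z0-9 chars needed for 128 bits: $(chars_for_bits 62 128)"
  # 10^10 guesses/s is an assumed figure for a fast unsalted hash on a GPU rig
  echo "65-bit passphrase, fast hash:       $(years_to_crack 65 10000000000) years"
  echo "same, behind PBKDF2 600k:           $(years_to_crack "$(kdf_effective_bits 65 600000)" 10000000000) years"
}
demo
```

The last two lines of the demo are the point: 65 bits of passphrase entropy behind a fast hash falls in decades at the assumed rate, and the same passphrase behind 600,000 PBKDF2 iterations gains about 19 bits of effective cost. Argon2id's memory cost is not captured by iteration counting, which is why it beats PBKDF2 by more than this model shows.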
Argon2id is the modern KDF
Bitwarden derives your account's master key from the master password through a key derivation function (KDF), then uses that key to unlock the symmetric key that actually encrypts the vault. Two KDFs are offered. PBKDF2-SHA256 is the default: new accounts get 600,000 iterations, but accounts created years ago may still be at 100,000 or fewer, because the count only changes when you change it. Argon2id (RFC 9106) is the alternative and is memory-hard, so every guess costs the attacker RAM as well as compute, which is exactly what GPU and ASIC farms are bad at and what PBKDF2 never demands.
Check what your account uses under Settings, Security, Keys in the web vault; the KDF dropdown shows the algorithm and its parameters. Switching from PBKDF2 to Argon2id re-derives the master key and re-wraps the account encryption key under it (the vault items themselves are not re-encrypted, which is why it finishes in seconds). It is one click, and one of the biggest security upgrades you can make for free. Two caveats: the change logs every other session out, and a client too old to support Argon2id cannot unlock the account afterwards, so update every app and extension you use first, and take an encrypted export before you start.
Argon2id parameters worth knowing: 64 MiB of memory, 3 iterations, parallelism 4. Bitwarden uses these by default; they are the second of the two parameter sets RFC 9106 recommends (t=3, p=4, m=64 MiB), the lower-memory fallback to the first (t=1, p=4, m=2 GiB), and either is beyond anything PBKDF2 can offer. You can raise the memory in the same settings panel, but test the result on your slowest device first: every client has to allocate that much memory at each unlock, and a value that is instant on a desktop can make a phone or browser extension crawl or fail.
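One practical consequence of the KDF design above: the algorithm and its parameters are not a secret. Bitwarden's clients fetch them before login from an unauthenticated prelogin endpoint, which means anyone who knows your email can read them, and it also makes auditing an account's KDF a one-liner. The following is an added example, not Bitwarden's code: the endpoint path, the kdf enum values (0 for PBKDF2, 1 for Argon2id), the field names and the two sample responses are assumptions from observed client traffic and should be checked against your server version.

```shell
# Added example (not Bitwarden code): read an account's KDF settings from the
# prelogin response and judge them against the defaults discussed above.
# Endpoint path, enum values and field names are assumptions; verify them.

# pull one top-level numeric-or-null value out of a flat JSON object, POSIX tools only
json_field() {  # $1 = key, $2 = JSON text
  printf '%s' "$2" | tr ',{}' '\n\n\n' \
    | sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*//p" | tr -d '" '
}

# one-line description of the KDF in a prelogin response
describe_kdf() {  # $1 = prelogin JSON
  kdf=$(json_field kdf "$1"); iter=$(json_field kdfIterations "$1")
  case $kdf in
    0) printf 'PBKDF2-SHA256, %s iterations\n' "$iter" ;;
    1) printf 'Argon2id, %s MiB, %s iterations, parallelism %s\n' \
         "$(json_field kdfMemory "$1")" "$iter" "$(json_field kdfParallelism "$1")" ;;
    *) printf 'unknown kdf value: %s\n' "$kdf"; return 1 ;;
  esac
}

# verdict against this article's thresholds: PBKDF2 below 600000 iterations, or
# Argon2id below 64 MiB / 3 iterations, is flagged. Exit 0 = fine, 1 = act.
kdf_verdict() {  # $1 = prelogin JSON
  kdf=$(json_field kdf "$1"); iter=$(json_field kdfIterations "$1")
  case $kdf in
    0) [ "$iter" -ge 600000 ] && { echo ok; return 0; }
       echo "upgrade: PBKDF2 at $iter iterations, switch to Argon2id"; return 1 ;;
    1) mem=$(json_field kdfMemory "$1")
       [ "$mem" -ge 64 ] && [ "$iter" -ge 3 ] && { echo ok; return 0; }
       echo "raise Argon2id cost: ${mem} MiB, $iter iterations"; return 1 ;;
    *) echo "unknown kdf $kdf"; return 1 ;;
  esac
}

# live query (network). No authentication is required, which is the point:
# these numbers buy nothing as a secret. Set BW_SERVER for a self-hosted instance.
prelogin() {  # $1 = account email
  curl -sS -X POST "${BW_SERVER:-https://vault.bitwarden.com}/identity/accounts/prelogin" \
    -H 'Content-Type: application/json' -d "{\"email\":\"$1\"}"
}

# constructed sample responses, not captured from real accounts
OLD_ACCOUNT='{"kdf":0,"kdfIterations":100000,"kdfMemory":null,"kdfParallelism":null}'
NEW_ACCOUNT='{"kdf":1,"kdfIterations":3,"kdfMemory":64,"kdfParallelism":4}'

describe_kdf "$OLD_ACCOUNT"; kdf_verdict "$OLD_ACCOUNT" || true
describe_kdf "$NEW_ACCOUNT"; kdf_verdict "$NEW_ACCOUNT"
# against a real account: kdf_verdict "$(prelogin you@example.com)"
```

Run it over the prelogin response for every account you administer and the old-PBKDF2 stragglers fall out immediately; the same check is a reasonable onboarding gate for a team.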
Generated passwords belong in the vault, not in your head
The whole point of Bitwarden is that you do not memorise per-site passwords. Generate a long random one, save it in the vault, never type it manually. If you find yourself wanting a "memorable" password for some site, that is a signal you are about to create reuse risk; resist.
For services that limit password length (banks, airlines, the long tail of legacy systems) generate at the maximum allowed length with the character classes the site accepts. A 16-character password from a-zA-Z0-9 is still about 95 bits of entropy. If the cap is so low that the result is genuinely weak, that is the site's weakness, not yours; turn on whatever second factor it offers and move on.
For machine-to-machine credentials (API tokens, database passwords) generate 32+ chars and store them in the Bitwarden Secrets Manager rather than the personal vault, which keeps audit and rotation policies separate from your individual logins.
Working example
```bash
# Bitwarden CLI: generate and immediately store.
# bw create needs an unlocked vault; bw unlock --raw prints only the session key.
export BW_SESSION="$(bw unlock --raw)"

# 20 characters with uppercase, lowercase, numbers and specials
bw generate -ulns --length 20

# A 6-word passphrase suitable as a master password. It is printed to stdout
# only; do not save a master passphrase in the vault it protects.
bw generate --passphrase --words 6 --separator "-"

# Save a generated value into a new login item. The password is handed to jq
# through the environment ($ENV.PASS) rather than --arg, so it never appears
# in the process list; bw encode base64-wraps the JSON for bw create.
PASS="$(bw generate -ulns --length 20)"
export PASS
bw get template item |
  jq --arg name "GitHub" --arg user "ada" \
     '.name = $name | .login.username = $user | .login.password = $ENV.PASS' |
  bw encode |
  bw create item
unset PASS
```
Just need the result?
When you want a password without Bitwarden open in front of you (a temporary credential for a colleague, a one-off seed for a CI secret), a browser-based generator that runs locally on the Web Crypto API gives you the same CSPRNG-grade randomness and lets you copy or batch-generate without spinning up the Bitwarden client. The value still needs a managed home: paste it into the vault or the secret store straight away, and hand it to the colleague through a channel you would trust with the vault itself, never a chat or an email.
Frequently asked questions
Should I use Bitwarden's built-in generator or an external one?
Either. Both draw from a cryptographically secure RNG (the Web Crypto API in a browser, the platform CSPRNG in the native mobile apps). The built-in one is convenient because it saves straight into the vault item and the value never passes through the clipboard. An external one is useful for bulk generation or when you want to inspect the parameters more closely.
How do I migrate my vault from PBKDF2 to Argon2id?
Update every Bitwarden client you use first, because an old one cannot unlock an Argon2id account. Then open the web vault, go to Account Settings, Security, Keys, change the KDF algorithm dropdown from PBKDF2 SHA-256 to Argon2id, leave the defaults (64 MiB, 3 iterations, parallelism 4) unless you have tested higher values on your slowest device, and click Change KDF. The master key is re-derived and the account encryption key re-wrapped under it; every other session is logged out, so log back in on each device. Done in under a minute.
How long should my Bitwarden master password be?
If random characters: 16 to 20. If a passphrase: 5 to 7 words from a long list. The KDF adds no entropy, but it multiplies the cost of every guess, so the 65 to 90 bits of a good passphrase behind Argon2id or a high PBKDF2 count buy the same practical resistance as roughly 80 to 100 bits of raw entropy against a fast hash, which exceeds the budget of any real attacker for the foreseeable future.