Hot Take Bitwarden Design Flaw : Server side iterations

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
In the aftermath of the LastPass breach it became increasingly clear that LastPass didn’t protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better job at protecting sensitive data?

For 1Password, this question could be answered fairly easily. The secret key functionality decreases usability, requiring the secret key to be moved to each new device used with the account. But the fact that this random value is required to decrypt the data means that the encrypted data on 1Password servers is almost useless to potential attackers. It cannot be decrypted even for weak master passwords.

As to Bitwarden, the media mostly repeated their claim that the data is protected with 200,001 PBKDF2 iterations: 100,001 iterations on the client side and another 100,000 on the server. This being twice the default protection offered by LastPass, it doesn’t sound too bad. Except: as it turns out, the server-side iterations are designed in such a way that they don’t offer any security benefit. What remains are 100,000 iterations performed on the client side, essentially the same protection level as for LastPass.

Mind you, LastPass isn’t only being criticized for using a default iterations count that is three time lower than the current OWASP recommendation. LastPass also failed to encrypt all data, a flaw that Bitwarden doesn’t seem to share. LastPass also kept the iterations count for older accounts dangerously low, something that Bitwarden hopefully didn’t do either. LastPass also chose to downplay the breach instead of suggesting meaningful mitigation steps, something that Bitwarden hopefully wouldn’t do in this situation. Still, the protection offered by Bitwarden isn’t exactly optimal either.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,710
Confirms what Tavis Ormandy says about password managers:

Isn’t that article about the attack surface pw extension can bring to browsers rather than server issue like Bitwarden could have?

Also Tavis’s article recommends to use a browser built-in password manager. However in the case of Firefox there’s the following

Firefox Sync has a different flaw: its client-side password hashing uses merely 1,000 PBKDF2 iterations, a ridiculously low setting. So if someone compromises the production servers rather than merely the stored data, they will be able to intercept password hashes that are barely protected. The corresponding bug reporthas been open for the past six years and is still unresolved.

So what is actually safer for the average user?
 
F

ForgottenSeer 97327

I don't use a password manager and use long complex pass phrases, but to be honest I apply some recurring logic and semantics to confirm on minimum complexity demands of most websites and web-services. For services and sites I rarely use/visit I had to ask for a password reset half of the time, so I came up with alternative 'memory associations'. For those websites I write down the year in which I changed the password, to remember the passphrase association. All my pass phrases of websites contain a complex element which can't be connected to me.

Not using a password manager is a hassle and IMO not do-able from mind without applying some recurring logic and semantics (which is a weakness itself). I really have no idea what is best.
 
Last edited by a moderator:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,993
Personally, I would like it if Bitwarden added secret key as an advance option.

I don't think it's in their 1st half 2023 roadmap

1674489322664.png
 
F

ForgottenSeer 76546

 

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,772
 

Andrezj

Level 6
Nov 21, 2022
248
Isn’t that article about the attack surface pw extension can bring to browsers rather than server issue like Bitwarden could have?
no doubt ormandy is aware of the server-side issues with password managers, but of course he focuses his statements primarily on the attack surface of security and related software
he alludes to the server-side problems when he states that we cannot know if an overall password manager implementation is secure or insecure

So what is actually safer for the average user?
actually the answer is "none," at least not browser extension password managers
lastpass has been hacked at least 7 times in the past 10 years
as bitwarden grows in popularity it will get hacked as well
 

Wladimir Palant

Level 1
Oct 29, 2020
11
Confirms what Tavis Ormandy says about password managers:

No, it certainly wasn’t my intention to confirm that.
Thank you for bringing my attention to Tavis’ blog post, somehow I haven’t seen it. While I can certainly understand where he is coming from, my conclusions are different. I’ve written a reply here: Yellow Flag (@WPalant@infosec.exchange)
I wonder if Bitwarden was informed and what was their reply.
Yes, Bitwarden was informed. They replied here: Bitwarden (@bitwarden@fosstodon.org)
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
I cannot believe that I didn’t see this article by @taviso back when it was posted:

Password Managers.

Now I have also looked into quite a few password managers. Not sure how this compares to Tavis’ experience, but I feel like I’m also qualified to have an opinion.

And I certainly see where Tavis is coming from. I’ve also seen all kinds of bad. Which is why “just use a password manager” as an advise might indeed make thing worse than they were before.

I disagree with his conclusion however. Yes, the browsers’ built-in password managers are quite good. I don’t think that this is due to fundamental technological disadvantages of browser extensions, they merely happen to value security over features.

Things start to look dire when you look at the sync functionality however, a trap that inexperienced users are likely to fall into without a second thought:

Can Chrome Sync or Firefox Sync be trusted with sensitive data?

Chrome’s default is to upload all your passwords to Google’s servers without any client-side encryption whatsoever. I understand that Tavis won’t speak up against his employer, and if someone won’t leak this data then it’s them. But I simply don’t trust them to keep their own hands off that data.

And while Firefox Sync is designed in a much better way in principle, they have this long-standing issue of doing completely insufficient client-side key stretching (1,000 rounds of PBKDF2). I just don’t get it how this is still not fixed after six years.

Conclusion: built-in password managers are good and fine, but only as long as you don’t enable sync.

As to all the other password managers out there: yes, they are often flawed. Yes, some are more flawed than others, and users have no way of seeing that. Which is an issue, one I’ve been trying to address with my research, just like Tavis did.

In the end however, “any password manager is better than no password manager” is largely true. It’s rare that password managers flaws create an acute danger, especially compared with all the issues caused by not using a password managers.

For the most part, the dangerous combination is: lax security practices paired with exposure (popularity). That’s the reason I’ve been warning about LastPass for years.

1Password is also exposed, by they are a hard target. Bitwarden is also exposed, but they seem willing to learn from the LastPass debacle and improve. Everything else? Not really popular enough to be worth the time.

So my advise would rather be: anything but LastPass. And don’t put your passwords into the Google or Mozilla basket please.
 

Andrezj

Level 6
Nov 21, 2022
248
browser extension password manager's are insecure on multiple levels
are you willing to put your valuable personal data on someone else's server and hope they keep it secure? (obviously millions of people are willing to turn their online financial authentication credentials to Google, Microsoft, Mozilla, LastPass, Bitwarden, etc - and yet they are incredulous whenever something goes wrong, such as a hack and data is stolen)
there is no reason to think that bitwarden will get it any more right than lastpass in the long run, although bitwarden has not been hacked insofar as we know - assuming bitwarden would report it

the problem with credentials stored locally in the browser's integrated password manager is that an infostealer will wisk them away, so there's that

put your passwords into keepass portable and keep it stored in an encrypted vault on a usb flashdrive (and a backup drive in case you lose it)
i've asked people why they will not do this and bascially the answer is always the same... "too lazy"
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
@Wladimir Palant Is there any action that you recommend that a Bitwarden user must do now?
This is what I did:
Changed the KDF iterations setting from the default 100,000 to the new default of 350,000.
Changed my master password into a four random word passphrase.
2FA was already enabled.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top