Hot Take Bitwarden Design Flaw : Server side iterations

Andrezj

Level 6
Nov 21, 2022
248
This is what I did:
Changed the KDF iterations setting from the default 100,000 to the new default of 350,000.
Changed my master password into a four random word passphrase.
2FA was already enabled.
none of that will help in the type of attack that led to the most recent lastpass breach
the threat actors got into the lastpass system by first gaining access to the the 2FA authentication server (twilio authy 2FA service) that stored the 2FA data to gain access to lastpass, okta, signal app, doordash
the threat actors did not gain access by brute forcing, credential stuffing, or password spraying individual user lastpass accounts - they stole the users' lastpass data from the server directly
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,454
Assuming I would need to do this within the browser extension correct?

~LDogg
No in the Bitwarden web vault itself.


1674504306832.png 1674504380214.png
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,454
none of that will help in the type of attack that led to the most recent lastpass breach
the threat actors got into the lastpass system by first gaining access to the the 2FA authentication server (twilio authy 2FA service) that stored the 2FA data to gain access to lastpass, okta, signal app, doordash
the threat actors did not gain access by brute forcing, credential stuffing, or password spraying individual user lastpass accounts - they stole the users' lastpass data from the server directly
They stole the (partially) encrypted user data.
To get to the encrypted (passwords) part they need to decrypt that user data.
The number of iterations and the quality of your master password determines how easy or impossible that is to do.
 

Andrezj

Level 6
Nov 21, 2022
248
They stole the (partially) encrypted user data.
To get to the encrypted (passwords) part they need to decrypt that user data.
The number of iterations and the quality of your master password determines how easy or impossible that is to do.
that is correct, and they did decrypt it as a result of lastpass not upgrading older accounts with low iterations to higher iterations - at least that is partially a plausible explanation, but not the whole reason
nothing is impossible, if a threat actor got the entire bitwarden user database then they would find all the resources and money they need to decrypt it by reaching out to the crybercriminal underworld and nation-states just salivating at such a gem
when i used bitwarden from day 1 iterations were set to 1,000,000 but at the end of the day a user cannot assume that bitwarden or anyone else is getting their backend properly configured - all the historical data proves otherwise - users increased their iterations but then the password manager service did not implement them on their backend
 

Wladimir Palant

Level 1
Oct 29, 2020
11
@Wladimir Palant Is there any action that you recommend that a Bitwarden user must do now?
Increasing KDF iterations certainly won’t hurt. OWASP just changed their recommendation to 600,000 – check whether your hardware (smartphones in particular) can deal with it.
But more importantly: you need a strong master password. The blog post recommends using diceware.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
I see that mine is set to 50,000.
So that means when I created my account, the default was 50,000 🤔
Thanks for confirming that Bitwarden didn’t update older accounts.
I’d guess that you created your account somewhere between June and August 2018? I think the default was increased to 25,000 in April 2018, then to 50,000 in June, 75,000 in August and finally 100,000 in September 2018.
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,454
I see that mine is set to 50,000.
So that means when I created my account, the default was 50,000 🤔
View attachment 272361
You are probably a longtime user of Bitwarden.

The best thing that Bitwarden can do is change the iterations for all users to the their new default of 350,000.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
So that means when I created my account, the default was 50,000

My accounts (to be precise spouse's and mine) were created in 2017. And yes one was set to 50K and other to 100,100. Only difference was mine was a premium subs and the other one was not. While my account was actively used, the 2nd one was dormant for the most part because my wife preferred Lastpass.

I've mentioned elsewwhere on this forum that all BW users who created accounts >4 years ago i.e. 2018 or earlier should double check KDF iteration values. Do this on high priority.

PS - I am beginning to think the iteration count in my account was increased automatically since I change passwords at 6-8 monthly interval.
 
Last edited:

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,624
Thanks for confirming that Bitwarden didn’t update older accounts.
I’d guess that you created your account somewhere between June and August 2018? I think the default was increased to 25,000 in April 2018, then to 50,000 in June, 75,000 in August, and finally 100,000 in September 2018.
Don't remember the exact timeframe but yeah, somewhere in the middle of 2018.
I'm curious to see if Bitwarden will do something now after your criticism to increase it for older accounts in the next couple of weeks.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
I'm curious to see if Bitwarden will do something now after your criticism to increase it for older accounts in the next couple of weeks.
They clearly didn’t plan to, but I hope that now there will be sufficient pressure for them to do it. There are people commenting that they had 5,000 iterations configured – pre-2018 accounts apparently. And allowing that is just negligent.
 

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,775
 

military

Level 4
Verified
Well-known
Aug 13, 2012
186
Sorry. But Master Password isn't that Secret Key ?
Bitwarden has Master Password, 1Password has Secret Key. So their reliability is about the same?
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,710
Sorry. But Master Password isn't that Secret Key ?
Bitwarden has Master Password, 1Password has Secret Key. So their reliability is about the same?
No. Not the same



 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top