Hot Take: Bitwarden Design Flaw: Server side iterations

This is what I did:
Changed the KDF iterations setting from the default 100,000 to the new default of 350,000.
Changed my master password into a four random word passphrase.
2FA was already enabled.
None of that will help in the type of attack that led to the most recent LastPass breach.
The threat actors got into the LastPass system by first gaining access to the 2FA authentication server (Twilio Authy 2FA service) that stored the 2FA data, in order to gain access to LastPass, Okta, Signal app, DoorDash.
The threat actors did not gain access by brute forcing, credential stuffing, or password spraying individual user LastPass accounts; they stole the users' LastPass data from the server directly.
 
Assuming I would need to do this within the browser extension, correct?

~LDogg
No, in the Bitwarden web vault itself.

 
> None of that will help in the type of attack that led to the most recent LastPass breach.
> The threat actors got into the LastPass system by first gaining access to the 2FA authentication server (Twilio Authy 2FA service) that stored the 2FA data, in order to gain access to LastPass, Okta, Signal app, DoorDash.
> The threat actors did not gain access by brute forcing, credential stuffing, or password spraying individual user LastPass accounts; they stole the users' LastPass data from the server directly.
They stole the (partially) encrypted user data.
To get to the encrypted (passwords) part they need to decrypt that user data.
The number of iterations and the quality of your master password determine how easy or impossible that is to do.
 
> They stole the (partially) encrypted user data.
> To get to the encrypted (passwords) part they need to decrypt that user data.
> The number of iterations and the quality of your master password determine how easy or impossible that is to do.
That is correct, and they did decrypt it as a result of LastPass not upgrading older accounts with low iterations to higher iterations. At least that is partially a plausible explanation, but not the whole reason.
Nothing is impossible. If a threat actor got the entire Bitwarden user database, then they would find all the resources and money they need to decrypt it by reaching out to the cybercriminal underworld and nation-states just salivating at such a gem.
When I used Bitwarden from day 1, iterations were set to 1,000,000, but at the end of the day a user cannot assume that Bitwarden or anyone else is getting their backend properly configured. All the historical data proves otherwise: users increased their iterations, but then the password manager service did not implement them on their backend.
 
@Wladimir Palant Is there any action that you recommend that a Bitwarden user must do now?
Increasing KDF iterations certainly won’t hurt. OWASP just changed their recommendation to 600,000 – check whether your hardware (smartphones in particular) can deal with it.
But more importantly: you need a strong master password. The blog post recommends using diceware.
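Added example, written for this thread and not code from any of the posters or from Bitwarden's own code base: a Python model of the client-side key derivation the answer above is talking about. It shows why both the iteration count and the passphrase length matter to an attacker who holds a stolen vault, and it lets you time a candidate setting on your own hardware before committing to it. The sample email, password and the attacker throughput figure are constructed assumptions. The server-side iterations the thread title refers to are not modeled: they are applied to the login hash on Bitwarden's servers, and an attacker who already has the stolen vault attacks the client-side derivation directly.

```python
import hashlib
import time

# Standard diceware list size (6^5 words); the OP chose a 4-word passphrase.
DICEWARE_WORDLIST_SIZE = 7776


def derive_master_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side master key: PBKDF2-HMAC-SHA256 of the master password, salted
    with the lowercased account email, 32-byte output. This is the derivation the
    Bitwarden clients perform; the vault's symmetric key is wrapped under this key,
    so an attacker holding a stolen vault attacks exactly this function."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def diceware_keyspace(words: int) -> int:
    """Number of equally likely passphrases for a given diceware word count."""
    return DICEWARE_WORDLIST_SIZE ** words


def expected_crack_seconds(keyspace: int, iterations: int, hmac_per_second: float) -> float:
    """Expected wall-clock time of an exhaustive search.

    On average half the keyspace is tried before the hit, and every guess costs
    `iterations` HMAC-SHA256 calls, so the cost grows linearly with the KDF setting.
    `hmac_per_second` is the attacker's assumed single-iteration throughput."""
    return (keyspace / 2) * iterations / hmac_per_second


def local_derivations_per_second(iterations: int, rounds: int = 3) -> float:
    """How many unlocks per second this machine manages at `iterations`.
    Run it on the slowest device you unlock from (a phone) before raising the
    setting, as the answer above advises."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_master_key("timing probe", "probe@example.com", iterations)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample credentials (assumption), not a real account.
    email = "alice@example.com"
    password = "correct horse battery staple"

    # Same password and salt with different iteration settings yield different
    # keys, so raising the count means re-wrapping the vault key; that is why an
    # old default stays in place until someone acts on it.
    for iters in (5_000, 100_000, 350_000, 600_000):
        key = derive_master_key(password, email, iters)
        print(f"{iters:>9} iterations -> key {key.hex()[:16]}...")

    # Illustrative attacker speed (assumption): 10^9 HMAC-SHA256/s on a GPU rig.
    attacker_hmac_per_second = 1e9
    year = 365 * 24 * 3600
    for words in (2, 3, 4):
        for iters in (5_000, 100_000, 600_000):
            secs = expected_crack_seconds(diceware_keyspace(words), iters, attacker_hmac_per_second)
            print(f"{words} words, {iters:>7} iterations: {secs / year:12.3g} years")

    rate = local_derivations_per_second(600_000)
    print(f"this machine: {rate:.2f} unlocks/s at 600,000 iterations")
```

The numbers the script prints make the two levers visible side by side: going from 5,000 to 600,000 iterations buys a factor of 120, while adding one diceware word buys a factor of 7,776. Iterations are the only lever Bitwarden can move for you; the passphrase is the one you control.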
 
I see that mine is set to 50,000.
So that means when I created my account, the default was 50,000 🤔
Thanks for confirming that Bitwarden didn’t update older accounts.
I’d guess that you created your account somewhere between June and August 2018? I think the default was increased to 25,000 in April 2018, then to 50,000 in June, 75,000 in August and finally 100,000 in September 2018.
 
> I see that mine is set to 50,000.
> So that means when I created my account, the default was 50,000 🤔
You are probably a longtime user of Bitwarden.

The best thing that Bitwarden can do is change the iterations for all users to their new default of 350,000.
 
My Bitwarden iterations are set to 1,000,000 :) which is fine for me as I only use it on a PC.
 
> So that means when I created my account, the default was 50,000

My accounts (to be precise, my spouse's and mine) were created in 2017. And yes, one was set to 50K and the other to 100,100. The only difference was that mine was a premium subscription and the other one was not. While my account was actively used, the second one was dormant for the most part because my wife preferred LastPass.

I've mentioned elsewhere on this forum that all BW users who created accounts >4 years ago, i.e. 2018 or earlier, should double check KDF iteration values. Do this on high priority.

PS - I am beginning to think the iteration count in my account was increased automatically since I change passwords at 6-8 month intervals.
 
> Thanks for confirming that Bitwarden didn’t update older accounts.
> I’d guess that you created your account somewhere between June and August 2018? I think the default was increased to 25,000 in April 2018, then to 50,000 in June, 75,000 in August, and finally 100,000 in September 2018.
Don't remember the exact timeframe but yeah, somewhere in the middle of 2018.
I'm curious to see if Bitwarden will do something now after your criticism to increase it for older accounts in the next couple of weeks.
 
> I'm curious to see if Bitwarden will do something now after your criticism to increase it for older accounts in the next couple of weeks.
They clearly didn’t plan to, but I hope that now there will be sufficient pressure for them to do it. There are people commenting that they had 5,000 iterations configured – pre-2018 accounts apparently. And allowing that is just negligent.
 
> They clearly didn’t plan to, but I hope that now there will be sufficient pressure for them to do it. There are people commenting that they had 5,000 iterations configured – pre-2018 accounts apparently. And allowing that is just negligent.
Saw this comment. And wanted to know your opinion.

 
 
Sorry, but isn't the Master Password that Secret Key?
Bitwarden has a Master Password, 1Password has a Secret Key. So their reliability is about the same?
No. Not the same.