Hot Take: Bitwarden Design Flaw: Server-side iterations

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
This is what I did:
Changed the KDF iterations setting from the default 100,000 to the new default of 350,000.
Changed my master password into a four random word passphrase.
2FA was already enabled.
none of that will help in the type of attack that led to the most recent lastpass breach
the threat actors got into the lastpass system by first gaining access to the 2FA authentication server (twilio authy 2FA service) that stored the 2FA data to gain access to lastpass, okta, signal app, doordash
the threat actors did not gain access by brute forcing, credential stuffing, or password spraying individual user lastpass accounts - they stole the users' lastpass data from the server directly
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Assuming I would need to do this within the browser extension correct?

~LDogg
No, in the Bitwarden web vault itself.


 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
none of that will help in the type of attack that led to the most recent lastpass breach
the threat actors got into the lastpass system by first gaining access to the 2FA authentication server (twilio authy 2FA service) that stored the 2FA data to gain access to lastpass, okta, signal app, doordash
the threat actors did not gain access by brute forcing, credential stuffing, or password spraying individual user lastpass accounts - they stole the users' lastpass data from the server directly
They stole the (partially) encrypted user data.
To get to the encrypted (passwords) part they need to decrypt that user data.
The number of iterations and the quality of your master password determines how easy or impossible that is to do.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
They stole the (partially) encrypted user data.
To get to the encrypted (passwords) part they need to decrypt that user data.
The number of iterations and the quality of your master password determines how easy or impossible that is to do.
that is correct, and they did decrypt it as a result of lastpass not upgrading older accounts with low iterations to higher iterations - at least that is partially a plausible explanation, but not the whole reason
nothing is impossible, if a threat actor got the entire bitwarden user database then they would find all the resources and money they need to decrypt it by reaching out to the cybercriminal underworld and nation-states just salivating at such a gem
when i used bitwarden from day 1 iterations were set to 1,000,000 but at the end of the day a user cannot assume that bitwarden or anyone else is getting their backend properly configured - all the historical data proves otherwise - users increased their iterations but then the password manager service did not implement them on their backend
 

Wladimir Palant

Level 1
Oct 29, 2020
11
@Wladimir Palant Is there any action that you recommend that a Bitwarden user must do now?
Increasing KDF iterations certainly won’t hurt. OWASP just changed their recommendation to 600,000 – check whether your hardware (smartphones in particular) can deal with it.
But more importantly: you need a strong master password. The blog post recommends using diceware.
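The two posts above make one quantitative point: the attacker's cost against a stolen vault blob is (guesses needed) × (KDF work per guess), so both the iteration count and the master passphrase entropy matter, and the passphrase matters far more. The script below is an added example, not code from the thread or from Bitwarden; it assumes the vault key is derived with PBKDF2-HMAC-SHA256 (the KDF the thread discusses), a standard 7776-word diceware list, and a constructed placeholder attacker guess rate (`hmac_per_second`) that you should replace with whatever figure you trust for current GPU hardware. It times a single derivation locally at the iteration counts named in the thread (the "can your hardware deal with it" check) and prints the expected crack time for each count and passphrase length.

```python
"""Added example: KDF iterations vs. passphrase strength for a PBKDF2-protected vault.

Assumptions (not from the thread): PBKDF2-HMAC-SHA256 as the KDF, a 7776-word
diceware list, and a placeholder attacker throughput in HMAC computations/second.
"""
import hashlib
import math
import os
import time

# Iteration counts that appear in the thread: pre-2018 accounts, the 2018
# default, the new Bitwarden default, and the OWASP recommendation.
ITERATION_LEVELS = {
    "pre-2018 account": 5_000,
    "2018 default": 100_000,
    "new Bitwarden default": 350_000,
    "OWASP recommendation": 600_000,
}

DICEWARE_WORDS = 7776  # standard diceware list size (6^5)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key the way a client does before it can unlock the vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def time_derivation(password: str, iterations: int) -> float:
    """Seconds one derivation takes on this machine: the unlock latency a user feels."""
    salt = os.urandom(16)  # constructed salt; the real salt is account-specific
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a uniformly random passphrase of `words` words."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, iterations: int, hmac_per_second: float) -> float:
    """Expected attacker time: half the keyspace, each guess costing `iterations` HMACs."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hmac_per_second


def cost_table(words: int, hmac_per_second: float) -> dict:
    """Expected crack time in seconds for each iteration level, for a given passphrase length."""
    bits = passphrase_entropy_bits(words)
    return {label: expected_crack_seconds(bits, it, hmac_per_second)
            for label, it in ITERATION_LEVELS.items()}


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit for a quick read."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Placeholder throughput: replace with a figure you trust for an attacker's GPU rig.
    ATTACKER_HMAC_PER_SECOND = 1e10

    print("Local unlock latency per iteration level:")
    for label, it in ITERATION_LEVELS.items():
        print(f"  {label:24s} {it:>8,} iterations  {time_derivation('correct horse', it):.3f} s")

    print("\nExpected crack time (half the keyspace) at the placeholder attacker rate:")
    for words in (3, 4, 5, 6):
        print(f"  {words}-word diceware passphrase ({passphrase_entropy_bits(words):.1f} bits):")
        for label, secs in cost_table(words, ATTACKER_HMAC_PER_SECOND).items():
            print(f"    {label:24s} {human_duration(secs)}")
```

Reading the output makes the thread's advice concrete: moving from 5,000 to 600,000 iterations multiplies the attacker's work by 120, while adding one diceware word multiplies it by 7776, so a weak master password is not rescued by any iteration setting a phone can tolerate. The latency loop is the practical check Palant mentions: if 600,000 iterations takes seconds on your slowest device, pick a lower count and compensate with a longer passphrase.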
 

Wladimir Palant

Level 1
Oct 29, 2020
11
I see that mine is set to 50,000.
So that means when I created my account, the default was 50,000 🤔
Thanks for confirming that Bitwarden didn’t update older accounts.
I’d guess that you created your account somewhere between June and August 2018? I think the default was increased to 25,000 in April 2018, then to 50,000 in June, 75,000 in August and finally 100,000 in September 2018.
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
I see that mine is set to 50,000.
So that means when I created my account, the default was 50,000 🤔
You are probably a longtime user of Bitwarden.

The best thing that Bitwarden can do is change the iterations for all users to their new default of 350,000.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
So that means when I created my account, the default was 50,000

My accounts (to be precise spouse's and mine) were created in 2017. And yes one was set to 50K and other to 100,100. Only difference was mine was a premium subs and the other one was not. While my account was actively used, the 2nd one was dormant for the most part because my wife preferred Lastpass.

I've mentioned elsewhere on this forum that all BW users who created accounts >4 years ago, i.e. 2018 or earlier, should double check KDF iteration values. Do this on high priority.

PS - I am beginning to think the iteration count in my account was increased automatically since I change passwords at 6-8 monthly interval.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
Thanks for confirming that Bitwarden didn’t update older accounts.
I’d guess that you created your account somewhere between June and August 2018? I think the default was increased to 25,000 in April 2018, then to 50,000 in June, 75,000 in August, and finally 100,000 in September 2018.
Don't remember the exact timeframe but yeah, somewhere in the middle of 2018.
I'm curious to see if Bitwarden will do something now after your criticism to increase it for older accounts in the next couple of weeks.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
I'm curious to see if Bitwarden will do something now after your criticism to increase it for older accounts in the next couple of weeks.
They clearly didn’t plan to, but I hope that now there will be sufficient pressure for them to do it. There are people commenting that they had 5,000 iterations configured – pre-2018 accounts apparently. And allowing that is just negligent.
 

enaph

Level 29
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,881
 

military

Level 4
Verified
Well-known
Aug 13, 2012
186
Sorry, but isn't the Master Password that Secret Key?
Bitwarden has Master Password, 1Password has Secret Key. So their reliability is about the same?
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Sorry, but isn't the Master Password that Secret Key?
Bitwarden has Master Password, 1Password has Secret Key. So their reliability is about the same?
No. Not the same.



 
