Hot Take Bitwarden Design Flaw : Server side iterations

military

Level 4
Verified
Well-known
Aug 13, 2012
186
The Master Password is stored on the server, the Secret Key is stored locally. Got it, thanks. It's worth using both. But Bitwarden only has the Master Password.
 

Wladimir Palant

Level 1
Oct 29, 2020
11
Saw this comment. And wanted to know your opinion.


This comment is somewhat ridiculous. Here is what I replied on Reddit:
Why would they have this mechanism if they never used it? It’s a fairly complicated flow which needs to be thoroughly tested, not something you implement just to keep it around.
  1. Underpowered devices that justify using 5,000 iterations do not exist, not in year 2023. I even doubt that they existed a decade ago when Bitwarden was created. There is zero reason to have accounts with less than 100,000 iterations today. And it is questionable whether there is a reason not to migrate everyone to the new default of 350,000 iterations.
  2. The UX issues here are solvable. For one, this upgrade should usually happen only after the user logged in with their master password. If they never do because they forgot it, they can be forced to set a new master password. And initially it doesn’t have to be an unconditional change that will log them out at an inconvenient time – they can be offered a one-click upgrade that is strongly recommended.
Informing users is not good enough for security-relevant decisions. Bitwarden has been keeping users on known insecure settings for five years.

Mind you, increasing PBKDF2 iterations forever is certainly not the solution. PBKDF2 is a known bad algorithm, it’s way easier to attack than to defend. That’s why Bitwarden needs to implement something better. And their own 2018 Security Assessment already said that, an advice they chose to ignore. Let’s hope Argon2 support lands soon and existing accounts get upgraded to use it.
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
No in the Bitwarden web vault itself.


View attachment 272359 View attachment 272360
I'll do this when I get back onto my laptop!

~LDogg

You are probably a longtime user of Bitwarden.

The best thing that Bitwarden can do is change the iterations for all users to the their new default of 350,000.
I think Bitwarden should do this as a default for all users on their backend, regardless of it's open source, they need to act on flaws such as this quickly to prevent a LastPass-type breach from occurring, as nothing is 100% secure.

~LDogg
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
I think iterations was 50,000 on mine too but I increased it to 2,000,000 last week. And I use master password with 35 characters and Aegis for 2FA.
 
Last edited:

Andrezj

Level 6
Nov 21, 2022
248
no matter what you tell people they will not change, they are determined to use browser extension password managers despite all the weaknesses
the assumption is that if a user employs a strong password and increases the iterations that all will fine no matter what, and that just ain't true
 
  • Like
Reactions: Stopspying

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
My iteration was 100,000 as well when I logged in. Will change at some point.

~LDogg
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,710
Default iterations are planned to change to 600,000

 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Default iterations are planned to change to 600,000

I can't quite make out if this is being implemented for existing customers or new ones joining their service. Any updates on this from other avenues, noticed the question was asked in the reply but no answer from the devs.

~LDogg
 

Wladimir Palant

Level 1
Oct 29, 2020
11
I can't quite make out if this is being implemented for existing customers or new ones joining their service. Any updates on this from other avenues, noticed the question was asked in the reply but no answer from the devs.
The answer was: “It will apply to new accounts as it rolls out, the team is exploring the process for existing accounts.”
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
I can't quite make out if this is being implemented for existing customers or new ones joining their service. Any updates on this from other avenues, noticed the question was asked in the reply but no answer from the devs.

~LDogg
The team is continuing to explore approaches for existing accounts.
Nothing concrete yet.
 
  • Like
Reactions: Stopspying

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Is it safe to just stay with Bitwarden or should i switch to Dashlane/1Password?
BTW i set my KDF Iteration from 100.000 to 700.000, but is that enough at all?
From an evidence-based point of view yes, just enable 2 Factor Authentication too. You have to think that everything is not 100% secure. To credit BW, they are open source, their code is examined by IT professionals to disclose any vulnerabilities and security weaknesses. So as BW gets more popular the risk of people seeking to attack BW will increase. BW are normally good at closing any holes in their security.

~LDogg
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top