Hot Take Bitwarden Design Flaw : Server side iterations

military

military

Level 4
Verified
Well-known
Aug 13, 2012
186
The Master Password is stored on the server, the Secret Key is stored locally. Got it, thanks. It's worth using both. But Bitwarden only has the Master Password.
 
Wladimir Palant

Wladimir Palant

Level 1
Oct 29, 2020
11
Azure said:
Saw this comment. And wanted to know your opinion.

Click to expand...

This comment is somewhat ridiculous. Here is what I replied on Reddit:
Why would they have this mechanism if they never used it? It’s a fairly complicated flow which needs to be thoroughly tested, not something you implement just to keep it around.
  1. Underpowered devices that justify using 5,000 iterations do not exist, not in year 2023. I even doubt that they existed a decade ago when Bitwarden was created. There is zero reason to have accounts with less than 100,000 iterations today. And it is questionable whether there is a reason not to migrate everyone to the new default of 350,000 iterations.
  2. The UX issues here are solvable. For one, this upgrade should usually happen only after the user logged in with their master password. If they never do because they forgot it, they can be forced to set a new master password. And initially it doesn’t have to be an unconditional change that will log them out at an inconvenient time – they can be offered a one-click upgrade that is strongly recommended.
Informing users is not good enough for security-relevant decisions. Bitwarden has been keeping users on known insecure settings for five years.

Mind you, increasing PBKDF2 iterations forever is certainly not the solution. PBKDF2 is a known bad algorithm, it’s way easier to attack than to defend. That’s why Bitwarden needs to implement something better. And their own 2018 Security Assessment already said that, an advice they chose to ignore. Let’s hope Argon2 support lands soon and existing accounts get upgraded to use it.
 
  • +Reputation
  • Like
  • Hundred Points
Reactions: Stopspying, enaph, Azure and 4 others
LDogg

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Gandalf_The_Grey said:
No in the Bitwarden web vault itself.

bitwarden.com

Password Manager Web App | Bitwarden Help Center

Learn how to get started with the Bitwarden password manager web app, including creating your first login, generating a strong password, and creating an organization.
bitwarden.com bitwarden.com

View attachment 272359 View attachment 272360
Click to expand...
I'll do this when I get back onto my laptop!

~LDogg

Gandalf_The_Grey said:
You are probably a longtime user of Bitwarden.

The best thing that Bitwarden can do is change the iterations for all users to the their new default of 350,000.
Click to expand...
I think Bitwarden should do this as a default for all users on their backend, regardless of it's open source, they need to act on flaws such as this quickly to prevent a LastPass-type breach from occurring, as nothing is 100% secure.

~LDogg
 
  • Like
Reactions: Stopspying and Gandalf_The_Grey
zkSnark

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
I think iterations was 50,000 on mine too but I increased it to 2,000,000 last week. And I use master password with 35 characters and Aegis for 2FA.
 
Last edited:
Andrezj

Andrezj

Level 6
Nov 21, 2022
248
MrBananaxx said:

Jeremi M Gosney :verified: (@epixoip@infosec.exchange)

@WPalant @dchest@mastodon.social @bitwarden@fosstodon.org I don't typically beat up password managers for PBKDF2, nor for iteration count. I don't like PBKDF2 but it's the only NIST and FIPS approved KDF outside of Balloon, and unlike Balloon it's widely supported. And while I've never given...
infosec.exchange infosec.exchange
Click to expand...
no matter what you tell people they will not change, they are determined to use browser extension password managers despite all the weaknesses
the assumption is that if a user employs a strong password and increases the iterations that all will fine no matter what, and that just ain't true
 
  • Like
Reactions: Stopspying
LDogg

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
My iteration was 100,000 as well when I logged in. Will change at some point.

~LDogg
 
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Default iterations are planned to change to 600,000

Bitwarden (@bitwarden@fosstodon.org)

In addition to having a strong master password, default client iterations are being increased to 600,000 as well as double-encrypting these fields at rest with keys managed in Bitwarden’s key vault (in addition to existing encryption). The team is continuing to explore approaches for existing...
fosstodon.org fosstodon.org
 
  • Like
Reactions: Stopspying, HarborFront and Gandalf_The_Grey
LDogg

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Azure said:
Default iterations are planned to change to 600,000

Bitwarden (@bitwarden@fosstodon.org)

In addition to having a strong master password, default client iterations are being increased to 600,000 as well as double-encrypting these fields at rest with keys managed in Bitwarden’s key vault (in addition to existing encryption). The team is continuing to explore approaches for existing...
fosstodon.org fosstodon.org
Click to expand...
I can't quite make out if this is being implemented for existing customers or new ones joining their service. Any updates on this from other avenues, noticed the question was asked in the reply but no answer from the devs.

~LDogg
 
  • Like
Reactions: Stopspying and Gandalf_The_Grey
Wladimir Palant

Wladimir Palant

Level 1
Oct 29, 2020
11
LDogg said:
I can't quite make out if this is being implemented for existing customers or new ones joining their service. Any updates on this from other avenues, noticed the question was asked in the reply but no answer from the devs.
Click to expand...
The answer was: “It will apply to new accounts as it rolls out, the team is exploring the process for existing accounts.”
 
  • Like
Reactions: Stopspying and Azure
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
LDogg said:
I can't quite make out if this is being implemented for existing customers or new ones joining their service. Any updates on this from other avenues, noticed the question was asked in the reply but no answer from the devs.

~LDogg
Click to expand...
The team is continuing to explore approaches for existing accounts.
Click to expand...
Nothing concrete yet.
 
  • Like
Reactions: Stopspying
LDogg

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Lavamate said:
Is it safe to just stay with Bitwarden or should i switch to Dashlane/1Password?
BTW i set my KDF Iteration from 100.000 to 700.000, but is that enough at all?
Click to expand...
From an evidence-based point of view yes, just enable 2 Factor Authentication too. You have to think that everything is not 100% secure. To credit BW, they are open source, their code is examined by IT professionals to disclose any vulnerabilities and security weaknesses. So as BW gets more popular the risk of people seeking to attack BW will increase. BW are normally good at closing any holes in their security.

~LDogg
 
  • Like
Reactions: Stopspying and Gandalf_The_Grey

Similar threads

Gandalf_The_Grey
    • Applause
    • Like
New Update Bitwarden's app is about to get a lot prettier
Replies
2
Views
401
Passwords and passkeys
Researchspace
Researchspace
Gandalf_The_Grey
    • Like
    • Thanks
New Update Bitwarden App for Web, Desktop and Browser
Replies
12
Views
1,581
Passwords and passkeys
Gandalf_The_Grey
Gandalf_The_Grey
Ink
    • Thanks
    • Like
  • Poll
Poll Bitwarden Vault - Have you migrated from US to EU storage?
Replies
0
Views
956
Passwords and passkeys
Ink
Ink

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top