Bitwarden design flaw: Server side iterations

Discussion in 'other security issues & news' started by summerheat, Jan 23, 2023.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I didn't understand everything that was said in this topic, but what about securing the master password with 2FA? Is this possible in password managers and wouldn't this solve a big problem? Namely that even when hackers have cracked your master password, they still need either your 2FA code or even better your hardware security key?
     
  2. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    Bitwardin does offer 2FA, biometrics, pincode and a hardware security key like Yubico to protect your account in addition to a master password.
     
  3. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    I wanted to let everyone know that Bitwardin has upped their iterations to 350,000 as the default for new accounts. This happened within the last 2 days I believe. I'm also hearing that it could change again to 600,000. Also there was some questions about PBKDF2 not being secure enough in the future. Well you'll be happy to know that Bitwardin already has Argon2 working and will hopefully soon be added/merged with Bitwardins clients/software. Bitwardin has also just acquired Passwordless.dev, the leading API built on modern FIDO2 WebAuthn standards to help companies authenticate users without passwords. I know you guys like verification so here's a few links to verify the info to everything:

    https://community.bitwarden.com/t/i...-number-of-pbkdf2-for-existing-accounts/49550 (You'll have to read through the thread about the iterations and Argon2)

    https://www.businesswire.com/news/h...-API-Built-on-Modern-FIDO2-WebAuthn-Standards
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    It adds protection against logging in to account provided Bitwarden server is not hacked.
    If Bitwarden server is hacked then only encryption applied by client matters.
    Maybe I am wrong but I don't think that something changing every minute or so can be useful for encryption. But I didn't looked seriously into topic for years. Maybe somebody figured some idea.

    Anyway I am quite confident that good master password is enough to store secrets remotely. Those password hashing alghorithms are mostly for convenience (shorter passwords) rather than a hard requirement for strong security.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I suppose you're now talking about my idea to protect the master password with 2FA? But I was thinking that if they somehow steal your master password, they still can't access your passwords because they need your 2FA code or hardware key. And turns out that this stuff is already possible, see links.

    Yes I saw it, it's already possible, so that's why I wondered what all the fuzz is about, but perhaps I'm missing something.

    https://www.stickypassword.com/help/protecting-your-data-with-two-factor-authentication-159
    https://bitwarden.com/help/setup-two-step-login/
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  7. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    If hackers have gained access to the database (like they did for LastPass) 2FA (authentication) no longer plays a role, since they have direct access to that database... (can try to decrypt it)

    Also, if they are able to steal the database, it's very likely they could steal the 2FA secrets (the seeds generating the 2FA codes) as well.

    This might be an interesting read on this subject: https://support.1password.com/authentication-encryption/
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I probably don't have enough knowledge about this subject. I will read it later, but I find it sometimes to be a bit complicated. So you're saying that once the server is breached, it doesn't matter if your master password is protected by some type of 2FA system?
     
  9. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    What do you mean with "protecting a password by 2FA"?

    Users have to type the password, so 2FA is no protection for that password.

    In general 2FA is used to protect an account/data from remote login attempts by hackers that only obtained your password.

    If they gaines access to the server itself (instead of your password) 2FA is no longer relevant (see previous post).
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I will try to explain. Let's say you have installed LastPass, Bitwarden or any other popular password manager on your PC. Normally speaking when you open this desktop app, it asks for the master password and it will grant you access to your password database.

    And let's say that some hacker steals your password database and your master password via info-stealing malware. He can now open the database on his machine, but hopefully you have protected most of your accounts (social media, email, banking) with 2FA.

    But what if your master password isn't enough to open your password database? What if you also have to use a YubiKey or Google Titan device? Then this hacker has a problem. I don't see what this has to do with getting access to the server, but like I said, I'm probably missing something.
     
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    So using a password and some hardware key to encrypt/decrypt the database?

    That's super dangerous (data loss): if you lose the key or it breaks, you can no longer access your data...

    (You can use only one single encryption/decryption key, so it's not possible to add multiple hardware keys for this purpose)
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, this is a huge risk of course. But it doesn't have to be hardware based, it can also be based on authentication apps. All I'm saying is that since the master password is the most important one, you would think it needs to be protected with some type of 2FA system.
     
  13. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Essentially it would need to be either hardware-protected by PC (how one would make a backup of that, then? not to mention concerns around non-open technology) or stored outside of PC i.e. external cloud-solution.
    I don't think that TOTP can be used for that.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I must say that I'm a bit confused, because my idea actually has already been implemented by Bitwarden and Sticky Password, see link. Or are you guys talking about something else? So basically, after typing in your master password, you will still need to verify with 2FA code or hardware security key. I suppose a hacker who has access to your password database and master password needs to do the same.

    https://www.wilderssecurity.com/thr...er-side-iterations.450042/page-2#post-3129223
     
  16. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
  17. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
  19. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    There is no problem to create a strong master password of let's say 20 digits containing letters, numbers, marks etc., for instance by its generator. However the problem is that you need to login to Bitwarden extension with the master password every time you reopen browser unless you have enabled never log out and who is supposed to remember this generated password? It's a jumble of digits that can't be remembered. It would be useful to be able to log in with a device as is possible to log in in to the web vault.
     
  20. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    My master password is around 30 characters long with capital/lowercase letters, numbers and symbols. I've got it memorized but use a little trick with logging in to the Bitwardin extension which I have it set to completely log off after 15 minutes for better security. The trick is to get a YubiKey. Even though you can use the YubiKey to authenticate, you also have a reserved slot on the YubiKey.. What I do is fill that slot using the YubiKey Manager to enter a portion of my master password like half the password or two-third of the password. Then when logging in, you long press the YubiKey which enters part of the password you entered and you then add the few characters you have memorized to complete the master password. So you're defeating any keyloggers from getting your master password, also protecting your YubiKey from having the complete password. The only person which has the rest of the password is you which is memorized. In case I lose the YubiKey, I have a backup YubiKey or the master password wriiten down and kept in a safety deposit box at the bank.
     
  21. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    It's pretty smart. :thumb: It can also be done with browser's inbuilt password manager.
     
  22. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Why would that be the case?

    (a keylogger does not care whether it’s you or the YubiKey that’s typing some characters of your password)
     
  23. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.