Bitwarden design flaw: Server side iterations
In the aftermath of the LastPass breach it became increasingly clear that LastPass didn't protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better job at protecting sensitive data?
For 1Password, this question could be answered fairly easily. The secret key functionality decreases usability, requiring the secret key to be moved to each new device used with the account. But the fact that this random value is required to decrypt the data means that the encrypted data on 1Password servers is almost useless to potential attackers. It cannot be decrypted even for weak master passwords.
As to Bitwarden, the media mostly repeated their claim that the data is protected with 200,001 PBKDF2 iterations: 100,001 iterations on the client side and another 100,000 on the server. This being twice the default protection offered by LastPass, it doesn't sound too bad. Except: as it turns out, the server-side iterations are designed in such a way that they don't offer any security benefit. What remains are 100,000 iterations performed on the client side, essentially the same protection level as for LastPass.
Mind you, LastPass isn't only being criticized for using a default iterations count that is three times lower than the current OWASP recommendation. LastPass also failed to encrypt all data, a flaw that Bitwarden doesn't seem to share. LastPass also kept the iterations count for older accounts dangerously low, something that Bitwarden hopefully didn't do either (Edit: yes, they did this, some accounts have a considerably lower iteration count). LastPass also chose to downplay the breach instead of suggesting meaningful mitigation steps, something that Bitwarden hopefully wouldn't do in this situation. Still, the protection offered by Bitwarden isn't exactly optimal either.
Edit (2023-01-23): Bitwarden increased the default client-side iterations to 350,000 a few days ago. So far this change only applies to new accounts, and it is unclear whether they plan to upgrade existing accounts automatically. And today OWASP changed their recommendation to 600,000 iterations, adjusting it to current hardware.
How Bitwarden protects users' data
Like most password managers, Bitwarden uses a single master password to protect users' data. The Bitwarden server isn't supposed to know this password. So two different values are derived from it: a master password hash, used to verify that the user is allowed to log in, and a key used to encrypt/decrypt the data.
If we look at how Bitwarden describes the process in their security whitepaper, there is an obvious flaw: the 100,000 PBKDF2 iterations on the server side are only applied to the master password hash, not to the encryption key. This is pretty much the same flaw that I discovered in LastPass in 2018.
What this means for decrypting the data
So what happens if some malicious actor gets a copy of the data, like it happened with LastPass? They will need to decrypt it. And for that, they will have to guess the master password. PBKDF2 is meant to slow down verifying whether a guess is correct.
Testing the guesses against the master password hash would be fairly slow: 200,001 PBKDF2 iterations here. But the attackers wouldn't waste time doing that of course. Instead, for each guess they would derive an encryption key (100,000 PBKDF2 iterations) and check whether this one can decrypt the data.
This simple tweak removes all the protection granted by the server-side iterations and speeds up master password guessing considerably. Only the client-side iterations really matter as protection.
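The two verification paths described above can be modelled to show where the PBKDF2 work is actually spent. This is an added example, not code from the original article or from Bitwarden; the salt choices, the HMAC tag standing in for the vault's integrity check and all function names are assumptions of the sketch.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # client-side default discussed above
SERVER_ITERATIONS = 100_000  # extra server-side iterations


def pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def master_key(password: bytes, email: bytes) -> bytes:
    # Key that protects the vault; the salt choice is an assumption.
    return pbkdf2(password, email, CLIENT_ITERATIONS)


def login_hash(key: bytes, password: bytes) -> bytes:
    # One more iteration produces the value sent to the server.
    return pbkdf2(key, password, 1)


def server_record(sent_hash: bytes, salt: bytes) -> bytes:
    # Only this login value receives the server-side iterations.
    return pbkdf2(sent_hash, salt, SERVER_ITERATIONS)


def vault_tag(key: bytes, ciphertext: bytes) -> bytes:
    # Stand-in for the vault's integrity check, keyed by the master key.
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def check_against_login_record(guess, email, salt, record):
    """Return (matches, PBKDF2 iterations spent) for the login-hash path."""
    sent = login_hash(master_key(guess, email), guess)
    matches = hmac.compare_digest(server_record(sent, salt), record)
    return matches, CLIENT_ITERATIONS + 1 + SERVER_ITERATIONS


def check_against_vault(guess, email, ciphertext, tag):
    """Return (matches, PBKDF2 iterations spent) for the vault path."""
    candidate = vault_tag(master_key(guess, email), ciphertext)
    return hmac.compare_digest(candidate, tag), CLIENT_ITERATIONS


def build_account(password: bytes, email: bytes):
    """Constructed sample account: the values a server would hold at rest."""
    key, salt, ciphertext = master_key(password, email), os.urandom(16), os.urandom(32)
    record = server_record(login_hash(key, password), salt)
    return salt, record, ciphertext, vault_tag(key, ciphertext)
```

Server-side stretching only adds cost when no stored artifact can confirm a guess without passing through it; here the vault tag confirms a guess after the client-side work alone.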
What this means for you
The default protection level of LastPass and Bitwarden is identical. This means that you need a strong master password. And the only real way to get there is generating your password randomly. For example, you could generate a random passphrase using the diceware approach.
Using a dictionary for 5 dice (7776 dictionary words) and picking out four random words, you get a password with slightly over 50 bits of entropy. I've done the calculations for guessing such passwords: approximately 200 years on a single graphics card or $1,500,000.
This should be a security level sufficient for most regular users. If you are guarding valuable secrets or are someone of interest for state-level actors, you might want to consider a stronger password. Adding one more word to your passphrase increases the cost of guessing your password by a factor of 7776. So a passphrase with five words is already almost unrealistic to guess even for state-level actors.
All of this assumes that your KDF iterations setting is set to the default 100,000. Bitwarden will allow you to set this value as low as 5,000 without even warning you. Should your setting be too low, I recommend fixing it immediately. Reminder: current OWASP recommendation is 310,000.
Is Bitwarden as bad as LastPass?
So as it turns out, with the default settings Bitwarden provides exactly the same protection level as LastPass. This is only part of the story however.
One question is how many accounts have a protection level below the default configured. It seems that before 2018 Bitwarden's default used to be 5,000 iterations. Then the developers increased it to 100,000 in multiple successive steps. When LastPass did that, they failed to upgrade existing accounts. I wonder whether Bitwarden also has older accounts stuck on suboptimal security settings.
The other aspect here is that Dmitry Chestnykh wrote about Bitwarden's server-side iterations being useless in 2020 already, and Bitwarden should have been aware of it even if they didn't realize how my research applies to them as well. However, using PBKDF2 with only 100,000 iterations isn't a great default today. Still, Bitwarden failed to increase it in the past years, apparently copying LastPass as "gold standard" – and they didn't adjust their PR claims either.
Users have been complaining and asking for better key derivation functions since at least 2018. This change wasn't considered a priority however. Only after the LastPass breach did things start moving, and it wasn't Bitwarden's core developers driving the change. Someone contributed the changes required for scrypt support and Argon2 support. The former was rejected in favor of the latter, and Argon2 will hopefully become the default (only?) choice at some point in future.
Adding a secret key like 1Password would have been another option to address this issue. This suggestion has also been around since at least 2018 and accumulated a considerable amount of votes, but so far it hasn't been implemented either.
On the bright side, Bitwarden clearly states that they encrypt all your vault data, including website addresses. So unlike with LastPass, any data lifted from Bitwarden servers will in fact be useless until the attackers manage to decrypt it.
How server-side iterations could have been designed
In case you are wondering whether it is even possible to implement a server-side iterations mechanism correctly: yes, it is. One example is the onepw protocol Mozilla introduced for Firefox Sync in 2014. While the description is fairly complicated, the important part is: the password hash received by the server is not used for anything before it passes through additional scrypt hashing.
Firefox Sync has a different flaw: its client-side password hashing uses merely 1,000 PBKDF2 iterations, a ridiculously low setting. So if someone compromises the production servers rather than merely the stored data, they will be able to intercept password hashes that are barely protected. The corresponding bug report has been open for the past six years and is still unresolved.
The same attack scenario is an issue for Bitwarden as well. Even if you configure your account with 1,000,000 iterations, a compromised Bitwarden server can always tell the client to apply merely 5,000 PBKDF2 iterations to the master password before sending it to the server. The client has to rely on the server to tell it the correct value, and as long as low settings like 5,000 iterations are supported this issue will remain.
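One way a client could limit this downgrade is to refuse server-supplied iteration counts below a built-in floor, and below the highest value the device has already used for the account. This is an added sketch, not Bitwarden's client code and not part of the original article; the reply format, the `kdf_iterations` field name and the floor value are assumptions, and the per-device pin goes beyond the floor the article implies.

```python
import json

ITERATION_FLOOR = 100_000  # assumed client-side minimum (the default named above)


class KdfDowngradeError(Exception):
    """The server offered weaker KDF settings than this client accepts."""


def accept_iterations(account, prelogin_json, pins, floor=ITERATION_FLOOR):
    """Validate the server-supplied iteration count before hashing the password.

    prelogin_json: hypothetical server reply such as '{"kdf_iterations": 600000}'.
    pins: dict mapping account -> highest count this device has already used.
    """
    try:
        offered = json.loads(prelogin_json)["kdf_iterations"]
    except (ValueError, KeyError, TypeError) as exc:
        raise KdfDowngradeError("unreadable KDF parameters") from exc
    if type(offered) is not int:
        raise KdfDowngradeError("iteration count is not an integer")
    if offered < floor:
        raise KdfDowngradeError(f"{offered} is below the client floor {floor}")
    pinned = pins.get(account)
    if pinned is not None and offered < pinned:
        # A drop needs confirmation from the user, not just the server's word.
        raise KdfDowngradeError(f"{offered} is below the pinned value {pinned}")
    pins[account] = offered
    return offered
```

On a device that has never logged in to the account there is no pin yet, so only the floor applies there.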