[WARNING] Bitwarden design flaw: Server side iterations

Actually... it isn't.

The number pads the master password to create the encryption key.

Longer keys are harder to crack. It doesn't change the amount of time a GPU has to take to try a key, it just makes the key longer so it's harder to crack to start with.

BUT, if your password is strong enough on its own, you're still dealing with centuries or longer to crack. KDF matters, but not as much as you'd think. And the person doing the cracking has to figure out what your KDF iteration count is, if they want to use a password to generate the key. So just having a number there... ANY number there, that isn't quite the same as everyone else is yet another password of sorts just by varying the entropy length.

With respect that isn't correct.

PBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching.
The iteration is the number of times that the hash is re-encrypted. The hash function is repeated 600,000 times for the new defaults. That takes time which is the point of the function. So a hacker has to guess a password, guess the salt, and then hash it the correct number of hash iterations to finally get your derived key. But a good GPU can run BILLIONS of such hashes so running a password and all the hash combinations just takes time.
 
> With respect that isn't correct.
>
> The iteration is the number of times that the hash is re-encrypted. The hash function is repeated 600,000 times for the new defaults. That takes time which is the point of the function. So a hacker has to guess a password, guess the salt, and then hash it the correct number of hash iterations to finally get your derived key. But a good GPU can run BILLIONS of such hashes so running a password and all the hash combinations just takes time.
If the GPU is brute forcing the hashes itself, it's not going to bother with the salt or anything else. It's just trying a huge number against a standard decode to see if the text becomes readable. In these cases, all we've done with KDF is make the key longer.

Since in Bitwarden's case the salt is random per account, if they're going to try to get at the key via an intelligent process they have to guess the password, the salt, AND the iteration count to get the key. That's not going to happen, straight up brute force is what we're talking about here realistically.

And you'd know this, if you read any of bitwarden's docs on the topic. People are way too paranoid about this, and I can't really blame them it's terrifying to consider. But I trust the experience of those that I know that actually develop crypto for a living. Honestly I'm more concerned about this: https://bitwarden.com/help/bitwarden-security-white-paper/#sharing-data-between-users

Organizations get properly randomly keyed and then encrypted via the public key associated with a given account. Each account then gets basically its own copy of the vault based on the master password therein. So my wife's much weaker master password has a copy of the vault she can see in my organization that is more easily cracked than my own. But again, that's not the KDF, that's the weak password being used.

I need a policy engine that enables me to force family members to use good settings. Bitwarden has it, but only on the enterprise level subs.
 
> Since in Bitwarden's case the salt is random per account, if they're going to try to get at the key via an intelligent process they have to guess the password, the salt, AND the iteration count to get the key. That's not going to happen, straight up brute force is what we're talking about here realistically.
>
> And you'd know this, if you read any of bitwarden's docs on the topic. People are way too paranoid about this, and I can't really blame them it's terrifying to consider
Yes exactly. This is why I don’t foresee much cracking of the LastPass vaults because of the salt and the iteration value. Of course we don’t know if the salts and iteration amounts were taken but I consider it likely as we are now hearing reports that LogMeIn, who owns LP, was breached just as severely with even internal keys taken.
 
> Yes exactly. This is why I don’t foresee much cracking of the LastPass vaults because of the salt and the iteration value. Of course we don’t know if the salts and iteration amounts were taken but I consider it likely as we are now hearing reports that LogMeIn, who owns LP, was breached just as severely with even internal keys taken.
Oh plenty of vaults will be breached I have no doubt of that. But those vaults will be breached because they used weak passwords, not because they had low KDF iteration counts.

The attackers in the LastPass situation had access to a development environment. So we have to assume they also know how the salts were generated and have code samples of how the encryption engine works. With that detail, they can break into AES. It's still not going to be easy UNLESS someone had a short password. Because in this case the attackers could set up a decryption system that works identically to how LastPass itself unlocks the vault, and just start trying actual passwords until they get in. That makes the problem MUCH smaller.
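The two mechanisms discussed in this thread, PBKDF2 key stretching (the earlier post explaining iterations, salt and derived key) and the "decryption system that works identically to how the vault unlocks" guess loop just described, as an added example. This is not code from the thread, Bitwarden or LastPass: the salt, the word list and the HMAC-based unlock check are constructed stand-ins (a real vault verifies a candidate key by decrypting an encrypted key blob, which a guess-and-check attacker treats the same way). It uses Python's standard hashlib.pbkdf2_hmac and shows that the derived key is always dklen bytes whatever the iteration count, that per-derivation cost grows with the count, and that an attacker who knows the salt and the iteration count recovers a wordlist password in a handful of derivations while a wrong iteration count turns every guess into a miss:

```python
import hashlib
import hmac
import time


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 via hashlib. The output is always dklen bytes; the
    iteration count only changes how much work each derivation costs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def key_check_value(key: bytes) -> bytes:
    """Constructed stand-in for a vault's unlock check. Real vaults decrypt an
    encrypted key blob with the candidate key; for a guess-and-check attacker an
    HMAC over a fixed label behaves the same: right key, right value; wrong key,
    garbage."""
    return hmac.new(key, b"vault-unlock-check", "sha256").digest()


def seconds_per_derivation(password: str, salt: bytes, iterations: int, rounds: int = 3) -> float:
    """Average wall-clock cost of one derivation. This is also the attacker's
    per-guess cost, because the attacker runs the very same function."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_key(password, salt, iterations)
    return (time.perf_counter() - start) / rounds


def offline_guess(candidates, salt: bytes, iterations: int, check_value: bytes):
    """What an attacker holding the stolen vault does: re-run the exact unlock
    path for each guess. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        key = derive_key(candidate, salt, iterations)
        if hmac.compare_digest(key_check_value(key), check_value):
            return candidate, attempts
    return None, attempts


# Constructed demo data: not from any real account or breach dump.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WORDLIST = ["123456", "password", "qwerty", "letmein", "buster1972",
            "correct-horse-battery-staple", "thisismyverysafepassword"]


def demo(iterations: int = 600_000) -> None:
    weak_key = derive_key("buster1972", SALT, iterations)
    check = key_check_value(weak_key)
    per_guess = seconds_per_derivation("buster1972", SALT, iterations, rounds=1)
    found, attempts = offline_guess(WORDLIST, SALT, iterations, check)
    print(f"key length: {len(weak_key)} bytes at {iterations} iterations")
    print(f"cost per guess: {per_guess:.3f}s; recovered {found!r} after {attempts} guesses")
    # Same salt, iteration count off by one: every guess misses, the right password included.
    print("wrong iteration count:", offline_guess(WORDLIST, SALT, iterations - 1, check))


if __name__ == "__main__":
    demo()
```

The point the numbers make: raising the iteration count multiplies the attacker's per-guess cost by the same factor it multiplies yours, and nothing else; a password that sits in a wordlist is found after as many derivations as its position in that list, whatever the count.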
 

It seems that Bitwarden is finally reacting, after determining they're just as vulnerable as lastpass was. And new account defaults are now set to KDF iteration 600,000.

In an unrelated search I discovered the encryption for the vault won't rotate unless you tell it to, so my recent lengthening of my master password didn't really solve the problem it was intended to solve. So I have to go back and do that too, it's on my list for tomorrow.

So for anyone like me that's on an OLD bitwarden account, you need to ensure your master password has a strength in centuries as shown by https://bitwarden.com/password-strength/, while you're setting that you need to rotate your encryption keys, and then increase your KDF iteration count to 600,000 to be in line with today's default settings on new accounts.

There is no news as to if or when Bitwarden will automate these changes to enforce upgrades to everyone. They claim they are working on that problem though, but there's no real need to wait.
 
> So for anyone like me that's on an OLD bitwarden account, you need to ensure your master password has a strength in centuries as shown by https://bitwarden.com/password-strength/,

Thanks for the link. I thought I had a good master pw, but it was shown with a time of 4 years to crack. Adding one single extra character, though, changed it to 'centuries'. I can't be so close and not step over the line, so I guess I'm changing my PW tomorrow, and rotating the keys.
 
According to https://bitwarden.com/password-strength/ it would take centuries to crack a simple phrase of sufficient length such as thisismyverysafepassword

Makes me wonder why the conventional wisdom is to mix uppercase, lowercase, numbers and symbols, when such a simple phrase would be far more acceptable and memorable for the average IT-challenged customer. Maybe simply because most people pick a shorter one?
 
Seems there's a wide difference of opinion - testing for thisismyverysafepassword

https://www.comparitech.com/privacy-security-tools/password-strength-test/ - 29 quadrillion years
https://www.security.org/how-secure-is-my-password/ - 7 quadrillion years
https://password.kaspersky.com/ - 10,000+ centuries
https://bitwarden.com/password-strength/ - centuries
https://nordpass.com/secure-password/ - centuries
https://www.uic.edu/apps/strong-password/ - "weak"
https://cscan.org/PasswordStrength/ - "weak"
https://www2.open.ac.uk/openlearn/password_check/ - "weak"
https://www.passwordmonster.com/ - 3 hours

Which testers actually know what they're talking about?
 
The ones that say it is weak. Words you can find in the dictionary might as well be a single character. Not all the tests consider the words or sentence structure.
 
Ok, with a very minor tweak: Thisismyverysafepassword!

https://www.uic.edu/apps/strong-password/ - "very strong"
https://www2.open.ac.uk/openlearn/password_check/ - "very strong"
https://www.passwordmonster.com/ - 26 hours

Would you still trust passwordmonster.com above all the others?
Yes because it’s considering things that the other password checks are not.

How does My1Login’s Password Strength Checker work?

  • The password strength calculator uses a variety of techniques to check how strong a password is. It uses common password dictionaries, regular dictionaries, first name and last name dictionaries and others. It also performs substitution attacks on these common words and names, replacing letters with numbers and symbols – for example it’ll replace A’s with 4’s and @’s, E’s with 3’s, I’s with 1’s and !’s and many more. Substitution is very typical by people who think they’re making passwords stronger – hackers know this though so it’s one of the first things hacking software uses to crack a password
  • The password strength meter checks for sequences of characters being used such as “12345” or “67890”
  • It even checks for proximity of characters on the keyboard such as “qwert” or “asdf”.
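The checks listed above (dictionary lookup, undoing letter-for-symbol substitutions, keyboard walks and character sequences), as an added example in Python that is not code from the thread, from My1Login or from passwordmonster.com. It also puts numbers on why the meters compared earlier disagree about thisismyverysafepassword: a per-character model charges every letter, a word-aware model charges one pick from a word list per word. The mini word list, the assumed 10,000-word dictionary size, the 12-bit budget per keyboard or sequence pattern, the 33-symbol charset and the 1e10 guesses/second rate are all constructed for illustration, not measured:

```python
import math

# Constructed mini word list standing in for the dictionaries a real checker
# loads (common passwords, English words, first and last names).
DICTIONARY = {"this", "is", "my", "very", "safe", "password", "unguessable",
              "for", "buster", "amazon", "the"}
# Assumed size of the attacker's real word list; a recognised word is worth
# log2 of this, not of the tiny set above.
ASSUMED_DICT_SIZE = 10_000
# Assumed budget for one keyboard walk or consecutive run; there are only a
# few thousand such patterns worth trying.
ASSUMED_PATTERN_BITS = 12.0
# Substitutions the checker undoes before dictionary lookup.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "$": "s", "5": "s", "7": "t"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _is_word(piece: str) -> bool:
    low = piece.lower()
    return low in DICTIONARY or "".join(LEET.get(c, c) for c in low) in DICTIONARY


def _is_pattern(piece: str) -> bool:
    """Keyboard row walks ("qwert", "asdf") and consecutive runs ("6789", "abcd")."""
    if len(piece) < 4:
        return False
    low = piece.lower()
    if any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        return True
    steps = {ord(b) - ord(a) for a, b in zip(low, low[1:])}
    return steps == {1} or steps == {-1}


def segment(password: str):
    """Split the password into the fewest tokens: dictionary words (after leet
    normalisation), keyboard/sequence patterns, or single characters."""
    best = [(0, [])]  # best[i] = (token count, tokens) for password[:i]
    for end in range(1, len(password) + 1):
        options = []
        for start in range(end):
            piece = password[start:end]
            if _is_word(piece):
                kind = "word"
            elif _is_pattern(piece):
                kind = "pattern"
            elif len(piece) == 1:
                kind = "char"
            else:
                continue
            options.append((best[start][0] + 1, best[start][1] + [(kind, piece)]))
        best.append(min(options, key=lambda o: o[0]))
    return best[len(password)][1]


def _char_bits(c: str) -> float:
    if c.isalpha():
        return math.log2(26)
    if c.isdigit():
        return math.log2(10)
    return math.log2(33)  # assumed printable-symbol charset


def estimate_bits(password: str) -> float:
    """Word-aware estimate: a dictionary word costs the attacker one pick from
    the word list, not one pick per letter."""
    bits = 0.0
    for kind, piece in segment(password):
        if kind == "word":
            bits += math.log2(ASSUMED_DICT_SIZE)
            if any(c.isupper() for c in piece):
                bits += 1.0  # capitalised variant: one extra guess per word
        elif kind == "pattern":
            bits += ASSUMED_PATTERN_BITS
        else:
            bits += _char_bits(piece)
    return bits


def naive_bits(password: str) -> float:
    """Per-character model behind most web meters: charset size ** length."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset)


def crack_years(bits: float, guesses_per_second: float) -> float:
    """Years to search the whole space at the given rate (expected time is half)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["thisismyverysafepassword", "Thisismyverysafepassword!",
               "P4$$w0rd", "qwerty123", "Buster1972!"]:
        tokens = " + ".join(f"{k}:{p}" for k, p in segment(pw))
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, word-aware {estimate_bits(pw):.1f} bits,"
              f" {crack_years(estimate_bits(pw), 1e10):.2e} years at 1e10/s [{tokens}]")
```

Under this model thisismyverysafepassword is about 113 bits per character but about 80 bits as six words from a 10,000-word list, and the trailing "!" in the tweaked version adds roughly five bits, which is why word-aware meters move so little when one symbol is appended.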
 
> Makes me wonder why the conventional wisdom is to mix uppercase, lowercase, numbers and symbols,

Because conventional wisdom is dealing with the lowest common denominator. Forcing mixed case numbers and symbols raises the average strength of passwords across the user base. I'm with you, by the way, but you have to live by the rules set by the accounts whose passwords you are generating. If Charles Schwab says you have to have mixed case, numbers and symbols and can't have more than 10 characters for your password, then as a concerned client, you have to come up with the most-secure password you can using those rules. The lowest-common-denominator client, though, thinks the other way: What's the simplest version of my favorite password that meets their rules? Buster1972! it is.

The correct approach (IMO) is for everything to be reprogrammed to allow 50 characters and judge their acceptability based on password entropy, not based on easier-to-program rules like "must contain 1 capital letter, 1 number, 1 lowercase letter, 1 symbol and must be at least 8 characters long". Of course this isn't going to happen, but a guy can dream, can't he?
 
But if you simply put a dash between each word:

this-is-my-very-safe-unguessable-password

It goes to 500 trillion years.

and I would posit that if systems would allow it, most folks could simply adopt this as a pattern:

this-is-my-very-safe-unguessable-password-for-PNC
this-is-my-very-safe-unguessable-password-for-Amazon
this-is-my-very-safe-unguessable-password-for-Technibble

As long as you kept the system a secret, I could sleep very well at night with this. Of course, there is no standard across systems so this could never work IRL.
 
> and I would posit that if systems would allow it, most folks could simply adopt this as a pattern:
>
> this-is-my-very-safe-unguessable-password-for-PNC
> this-is-my-very-safe-unguessable-password-for-Amazon
> this-is-my-very-safe-unguessable-password-for-Technibble
>
> As long as you kept the system a secret, I could sleep very well at night with this. Of course, there is no standard across systems so this could never work IRL.
I wouldn’t. I’m a hacker and just busted Technibble because that is way easier than Amazon. I get your password and add it to my passwords list and see “Technibble” is part of the password. I know what site I hacked and can see the pattern. It’s not hard to find and replace Technibble with Amazon, WellsFargo, etc. Reusing passwords, even with this obvious system is always a bad idea.
 
> But if you simply put a dash between each word:
>
> this-is-my-very-safe-unguessable-password
>
> It goes to 500 trillion years.
To be honest, I'd settle for the 2000 years. :)
My point is that it seems a sufficient number of lower case dictionary words alone may be enough.
 
> As long as you kept the system a secret,

And you can even mix up your system a bit, but still have it be "a system" to you.

I can definitely sleep at night and have been using a system to construct long, unguessable passwords, for years now.

Even when I was using less secure passwords, never recording them or sharing them (which I can't believe that people STILL do) went a very long way toward preventing mayhem.
 