2

Bitwarden claims that it is more secure than traditional cloud password managers (such as Google) as it only stores the encrypted version of the passwords database. But for some reason the password you use to authenticate on their website is the same as the vault password - meaning that the company could potentially decrypt your entire vault when you login or simply store the password in plaintext to be able to decrypt anyone's vault at any time.

I've tried looking into their settings and I don't see a way to enable separate passwords for the vault and for the Web UI. Am I missing something or is Bitwarden actually extremely unsecure, presuming you don't trust the owners of their backend?

Marcel
  • 4,094
  • 1
  • 21
  • 40
JonathanReez
  • 1,034
  • 1
  • 8
  • 16
  • So, how do you think it would work if you had a separate password? They still need to store and protect that. If they are malicious, then it doesn't matter how many passwords you have. – schroeder Dec 21 '20 at 08:28
  • 3
    This question would also be valid for LastPass. They also have the same password on the (potentially offline) vault and the Web UI. – Marcel Dec 21 '20 at 08:29
  • 1
    @schroeder one password for the Web UI, which just let's you tweak account settings. Then you download the full password dump and decrypt it with your second password, which doesn't ever leave your device for any reason. – JonathanReez Dec 21 '20 at 08:33
  • That's not just a password management thing you propose. You are proposing converting it to a non-cloud-based solution. To do what you propose, you could just as easily use any cloud storage solution (Dropbox, etc.) – schroeder Dec 21 '20 at 08:49
  • @schroeder so is Bitwarden lying when they say they're a true zero trust service? – JonathanReez Dec 21 '20 at 08:55
  • Do they say that they are "zero trust"? And what do they mean by the term? – schroeder Dec 21 '20 at 08:58
  • 1
    I think what you mean is "zero knowledge" and they explain all that in their FAQ: https://bitwarden.com/blog/post/end-to-end-encryption-and-zero-knowledge/ – schroeder Dec 21 '20 at 08:59
  • This question is valid for any cloud based solution. It's not a question of "If they are malicious", as someone asked; it's a question of "if they get hacked". Think Solarwinds as the latest example (not related to passwords, but to the concept of "not malicious but still caused plenty of problems for their users"). –  Dec 26 '20 at 02:55
  • see also https://security.stackexchange.com/a/234767/172415 – karlsebal Aug 23 '21 at 16:01

1 Answers1

5

The user password is pre-hashed with a slow password hashing function on the client side, twice, using different algorithms and/or salts. One hash is used to generate a login token (used like a password) which is sent to the server (where it gets additional hashing, and possibly also requires stuff like MFA). The other one is used as a "password-derived key" that is the first step to obtaining the master key for decrypting the database.

Typically the master key is stored on the server, alongside the user's data, in encrypted form. This encrypted master key, along with the encrypted data, is transmitted to the user upon successful authentication. A simple implementation is to encrypt the master key with the password-derived key; this encrypted master key can only be decrypted on the client (the server never sees the password-derived key). More advanced schemes involving public key cryptography are sometimes used to enable sharing select data with other users, without giving them access to your master key or any data you didn't want to share. The password-derived key is not itself used to encrypt/decrypt the data, because then if the user changed their password it would be necessary to re-encrypt everything. Instead, changing a password just requires decrypting the master key with the old password-derived key, and re-encrypting it with the new one.

CBHacking
  • 48,401
  • 3
  • 90
  • 130
  • Key Encryption Key is what described there. Also, one can share the key encrypted with the public key and data in the encrypted form. – kelalaka Dec 23 '20 at 22:00