Bitwarden design flaw: Server side iterations

My technical knowledge of the subject is not adequate to assess the validity of the claims. What do you think?

Like the author of this article states, it seems that Bitwarden has recently made rapid progress moving from PBKDF2 to Argon2, which would improve their security significantly over their existing solution. Currently, if you’re using a strong enough master password (at least four randomly generated diceware words), you should be fine.

I posted about this in the Bitwarden forum. There doesn’t seem to be any disagreement on the assertion that the server-side hash iterations don’t do much, at least not to protect against a LastPass-style security breach.

However, they have already raised the default client-side PBKDF2 iterations to 350,000 for new accounts and it seems like good progress is being made on Argon2. If you are an existing Bitwarden customer, you should definitely raise the PBKDF2 iterations on your own in the account settings. No word on if/when existing accounts will be migrated to the new default.

Does it require the master key?

My understanding is that changing the number of iterations does not require the master key since changing that setting logs you out of all existing sessions but does not re-encrypt the vault.

Okay, I thought the reason why LastPass didn’t do it. I remember someone saying that changing it server side could result in a new key being derived, and that was the reason why they never changed the original keys.

The author, Wladimir Palant, was one of the security experts who tore into LastPass’s response to the security breach. He is now taking a look at Bitwarden and is claiming similar problems, basically calling it an open source carbon copy of LastPass. I switched over from LastPass to Bitwarden after the breach and I still trust it, but I am following what he’s got to say and how Bitwarden responds.

It doesn’t seem like the rest of the community is immediately following suit, but it’s an ongoing discussion. And this is the positive thing about Bitwarden being open source - an expert like this can take a look and find problems. So we’ll see how it plays out.

One thing I don’t appreciate is how he’s communicating it on Mastodon. Yes, it’s important to share what you’ve found, but his tone kind of puts Bitwarden on blast, and I’m not sure they’ve done something so bad as to deserve a call out post. But maybe it turns out they are that bad? lol

For now, I’m assuming I’m fine enough. Bitwarden is not some bootleg, ready-to-be-cracked product. It’s probably reasonably fine for most threat models still.

2 Likes

I agree his tone could be more congenial, but I think it’s really important he’s broadcasting this issue. One of the biggest criticisms levied against LastPass after the breach was that they didn’t migrate old accounts to the new, higher default number of KDF iterations. I think this criticism of LastPass was very fair and it seems Bitwarden essentially has the same problem. Bringing attention to it is almost definitely a net positive.

As a little update, I did notice that my account’s iterations were set to 100,000. I don’t know if the increase to 350,000 or 600,000 is recent, but I also remember people saying that 100,000 was the standard for a long time. I guess I don’t mean to make judgements one way or another, but if you use Bitwarden it could be worth up the number of iterations it takes.

New Bitwarden accounts are set to 350,000 iterations by default as of a few days ago. The OWASP recommendation was raised to 600,000 from 310,000 yesterday. Talk about timing…

2 Likes

Folks are being pretty responsive in the thread @Gunther opened. It’s been helpful to keep a pulse on the back and forth. Some seem to be pushing back on the idea that this issue that was found is that bad. Bitwarden employees are aware of this but I feel better about it.

Bitwarden touching on this topic on their Mastodon. It’s a good sign!

1 Like

Here’s another researcher providing a counterpoint to worrying about this iteration stuff going on. He was also one of the main critics of the latest LastPass breach.

I read that going from 350K to 600K iterations only adds half the complexity, when compared to adding an extra character to the password, if the length of the password is 13 or more characters.

From what I understand, adding complexity to the password is the better way to go. The iterations thing is more for people who may not have as strong a master password as they should.

2 Likes

This is correct. A complex and lengthy password with a single MD5 hash is certainly more secure than a weak password with many iterations of the latest and greatest hashing algorithm. That said, as much as possible has to be done to protect those who do not make strong master passwords and most passwords fall in between the extremes of “QB2wzLZvvu#G99W$w@Tv” and “Password1234!”.

4 Likes

Good article. I bumped mine up to 600,000 iterations and now I can go to sleep at night. Gotta give it to Mozilla for doing everything right and then using 1,000 :melting_face:

Just Mozilla being Mozilla.

1 Like

Here’s a video from Tom Lawrence going through the situation. TL;DR - Have a strong master password and don’t sweat this iterations thing if you have a strong master password.

1 Like