![]() ![]() For example, you could generate a random passphrase using the diceware approach. And the only real way to get there is generating your password randomly. This means that you need a strong master password. The default protection level of LastPass and Bitwarden is identical. Only the client-side iterations really matter as protection. This simple tweak removes all the protection granted by the server-side iterations and speeds up master password guessing considerably. Instead, for each guess they would derive an encryption key (100,000 PBKDF2 iterations) and check whether this one can decrypt the data. But the attackers wouldn’t waste time doing that of course. Testing the guesses against the master password hash would be fairly slow: 200,001 PBKDF2 iterations here. PBKDF2 is meant to slow down verifying whether a guess is correct. And for that, they will have to guess the master password. So what happens if some malicious actor happens to get a copy of the data, like it happened with LastPass? They will need to decrypt it. This is pretty much the same flaw that I discovered in LastPass in 2018. If we look at how Bitwarden describes the process in their security whitepaper, there is an obvious flaw: the 100,000 PBKDF2 iterations on the server side are only applied to the master password hash, not to the encryption key. ![]() Bitwarden password hashing, key derivation, and encryption. So two different values are being derived from it: a master password hash, used to verify that the user is allowed to log in, and a key used to encrypt/decrypt the data. The Bitwarden server isn’t supposed to know this password. Like most password managers, Bitwarden uses a single master password to protect users’ data.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |