Bitwarden Increases KDF to 600k, double-encrypts data, working on Argon2 support

Bitwarden Increases KDF iterations to 600k for new accounts and double-encrypts data at rest. Exploring applying this as the minimum KDF to all users. Also notes in Mastodon thread they are working on Argon2 support.

All around great news and a perfect example of a product built on open source code actively listening to its community!

Mastodon Post: Bitwarden Security Enhancements

Respect, Bitwarden!

4 Likes

It’s great that Bitwarden improves security. It’s a pity that this only applies to new accounts.
As a current user with a very, very long password and 2,000,000 (2 million) letters, is there anything more I can do? Now Bitwarden will start offering some kind of double data encryption. I don’t quite understand what this means, but if it is to increase security, as a current user, can I turn it on somehow? Will rotating the encryption key e.g. activate this double encryption?

Sorry for my english, i’m using google translate

1 Like

Can someone from Bitwarden comment on this statement from: Bitwarden design flaw: Server side iterations | Almost Secure ?

Even if you configure your account with 1,000,000 iterations, a compromised Bitwarden server can always tell the client to apply merely 5,000 PBKDF2 iterations to the master password before sending it to the server. The client has to rely on the server to tell it the correct value, and as long as low settings like 5,000 iterations are supported this issue will remain.

I am not from bitwarden and am NOT a cybersecurity guy, but my understanding is as follows, and I have some questions as well.

There are a number of steps required for PBKDF2 encryption at the basic level.

  1. The actual encryption
  2. The number of iterations

Basically, this problem impacts the number of iterations. Is the # of iterations sent as not part of the vault?

I imagine you change a password in your vault, so the updated vault must be encrypted and then sent off, and in order for the client (web, apps…) to know how many iterations the person wants, it must ask the server, and if the server is comprised, the hacker can say that “Oh, we want the min # of iterations (5000)”, and so the client does this, and as such, the password/vault is very slightly easier to crack (not a large impact as far as I am aware). Is this what happens or is it encrypted (zero access?)?

Thanks

I’m not from Bitwarden, but I hope you don’t mind me chiming in. Although the scenario described is theoretically possible, it is unlikely to cause any real damage. Let’s examine it:

The number of KDF iterations is cached in your local vault, so none of this applies unless you are logging in to a Bitwarden client. If you don’t have a locked vault on your device and you are logging in, then there is an unauthentication prelogin in which fetches the number of KDF iterations from the server, that part is true. This is the the part of the story where Mr. Palant raises the spectre of a rogue Bitwarden server that returns kdfIterations: 5000 instead of kdfIterations: 2000000. OK, what are the consequences? Your client app now hashes your master password 5000 times (instead of 2000000) to derive the Master Key, which is then hashed 1 more time and transmitted to Bitwarden’s authentication servers, where another 100,000 iterations of hashing take place to finally produce a final master password hash. To authenticate you, Bitwarden’s authentication server then compares the resulting final master password hash to the previously stored final master password hash (which was saved in the cloud database the last time that you changed your master password). Well, guess what? If the stored hash was generated using the correct number of iterations (2,100,001) and the transmitted hash was generated using a lower number of iterations (105,001), then the two hashes will not match, so your login attempt will fail. At worst, such an attack will result in denial of service.

If the server that handles the prelogin call (to return the KDF iteration value) is the same as the server that authenticates your master password (or if they are two different servers, and the attacker has gained control of both — without anybody at Bitwarden noticing), then the rogue authentication server would receive a copy of your master password hashed only 5,001 times. The attacker could then start working on a brute-force cracking attempt against this hash (which would be up to 400 times easier than using the MAC). In the meantime, what happens? Most likely, the rogue authentication server will tell the client that login failed. The alternative is that the rogue server pretends that the authentication was successful, and then transmits the encrypted vault and the Protected Symmetric Key from the database server to your client app. Your client app now attempts to derive the account encryption key from the downloaded protected key, but because the Stretched Master Key was derived using the wrong number of iterations (5,000 instead of 2,000,000), this operation produces a garbage encryption key. The message authentication key (MAC) will also be incorrect. As a result, your client app will not be able to decipher any of your vault contents. Not sure if the app will produce an error message, but you will definitely notice.

The end result, is that very quickly, it will become apparent that none of Bitwarden’s users can log in, or that they can log in but cannot see their vaults (coupled potentially with error messages). Thus, this type of attack will be discovered and shut down very quickly. Any users whose master password hashes were compromised and who were using a weak master password would have plenty of warning to change their account passwords before any damage could be done. Those with a strong master password (a passphrase consisting of 5 random words or more) wouldn’t need to loose any sleep at all — even someone using a passphrase of only 4 words would have several months’ head start against an attacker with a $150k rig containing 100 GPUs, and decades’ worth of time before a lesser adversary would have any reasonable chance of cracking the master password.

4 Likes

I will assume the double encryption will apply to everyone as they are taking your encrypted vault (your keys) and then encrypting it a second time (their keys).

The increase to 600k iterations is the new default for new accounts. They are exploring applying it to all current accounts. However, you can still manually increase your own iterations now up to 2M.

Extending the length of your master password is still your greatest protection.

1 Like

No, this request happens before you log in, not when you’re encrypting modified vault contents. See my post above.

1 Like

@qFKesZC77KY83rJHoJs

To provide some clarity on this, PR #2571 states: “Data is upgraded in place as the fields are accessed, so backwards compatibility is preserved.”

So basically, once the the PR is merged and released, all you have to do is to log in using any client, and the new protection will be applied automatically.

1 Like

Thank you for that explanation. It’s definitely reassurring.

2 Likes

When I increased the PBKDF2 iteration number on the web site, i had to re-login and specify whether I wanted to logoff my other devices. Because neither BW nor LastPass increased iterations automatically for existing accounts, I imagine it is because of this need to re-login to make the iteration change take effect.

1 Like

Thanks so much for directing us to the Github page, @grb. Bitwarden encrypting the key and master password hash and then users’ master passwords encrypting all the fields within the vault is an elegant, valuable security enhancement.

1 Like

I have just created a new account and KDF iterations was 100,000 not 600,000

1 Like

I think there’s a 5-week release cycle for software updates.

2 Likes

It’s just been announced on Mastodon. These changes are not yet live or formally communicated yet.

Thanks for that

1 Like

Thanks for your patience all, more information coming soon!

A post was merged into an existing topic: Master pass stopped working after increasing KDF

how do you enter this password into the Master Password field.
I was told that copy and paste is not safe, even if I immediatly clear the clipboard
thanks
dan

Is the server also getting a similar upgrade to its PBKDF?

I am thinking that now 100,000 rounds of PBKDF is no longer considered good enough. Should the server

  1. increase the iterations inline with the client
  2. use latest algorithm Argon2

That is the 2 boxes on the diagram look so similar that if one changes, why not the other?

1 Like

Thank you for you explanation. That is very reassuring and helpful.

1 Like