Bitwarden more secure than offline password managers?

I opened this discussion to make you understand this: I did my own study and experiment, and I came to the conclusion that cloud password managers like Bitwarden are more secure than offline ones.
Why? Because if someone manages to steal the database of an offline password manager and breaks the password, they can do whatever they want, and even if we change the password it will be useless, because the attacker has a copy of our database and will be able to continue to log in with the old password.
On the contrary, if a hacker steals the database of an online password manager (like Bitwarden) and we manage to change the password, the attacker will not be able to log in even if he managed to discover the password. He can try to operate offline, but the 2FA token is missing and he will be kicked out; in addition, as soon as the connection is activated he will be kicked out of the database. I tried, and it is actually like this.
So Bitwarden (if used with all the security measures) is much more secure than offline password managers.

@xmestessox Hi!

As “enthusiastic” as I am about Bitwarden - and as much as I appreciate the convenience and security of online password managers (starting off with KeePassXC myself and I still like and use it):

I think there are some misunderstandings…

If a hacker would be able to steal your online database of Bitwarden…

(I guess the two main scenarios for that: 1) malware on your device and stealing the local cache/storage and 2) breaking into the cloud system - or, for self-hosted, breaking into the “own” server - and stealing a copy of the database - BTW, as far as I know, for the “cloud” this has never successfully happened to Bitwarden… not counting possible logins to accounts with phished credentials - and I wouldn’t call this “hacking the cloud”, since the villains can just log in, like the owner of the vault, if they got hold of the login credentials…)

… changing your password wouldn’t change a thing, since they would literally have an offline copy of your database on their own computers and could brute force it etc. as they like. Any password changes on your side wouldn’t affect that stolen copy at all. (and actually, that is not that much different from offline password managers, if someone got hold of your database file…)

And as far as I understand it - as important as the 2FA is for your vault e.g. for not getting access to the vault - as 2FA is not part of the encryption of the vault, 2FA doesn’t help much with such a scenario of a stolen database…

On the other hand, Bitwarden has multiple layers of encryption (Inside Bitwarden: The power of multifactor encryption | Bitwarden Blog) - and in the end, it comes down to a strong master password (long, random, unique, not containing any personal information, …), good 2FA (FIDO2 if possible because of its phishing resistance), probably Argon2 instead of PBKDF2 as KDF etc. (emergency sheet and backups/exports for your own ability for recovery scenarios…)

(others may contribute more details to everything…)

PS: With KeePassXC, a YubiKey can be added to your database with so-called “Challenge-Response” and, as far as I understood it, this form of “2FA” then actually “adds up” to your master password so that it gets part of the strength of the encryption, so to speak… and, to emphasize it, everything also depends on how you set things up. You can have a very secure offline password manager, i.e. database - and you can have a very weak offline database… (and the same goes for online password managers)


If they can steal your vault (not just your credentials), for Bitwarden it’s either the one stored on Bitwarden’s cloud or your local machine, and they know your master password, they can crack your vault. 2FA info isn’t used to encrypt the vault; it’s used to protect retrieval of the vault from Bitwarden’s cloud.

Your local offline PWM vault, like KeePassXC, can be secured additionally by a security key whose information cannot be remotely extracted, so if they have your vault and your master password, they still cannot open the vault anyway.

Bitwarden does have a “Login with Device” feature that allows you to log in without inputting the master password except during setup; this may mitigate keylogger threats.

Generally, if you have malware on your system, especially malware you can’t identify, you more or less assume everything is compromised and you burn the whole thing and start over anyway. If you can confidently identify the threat, you may be able to selectively burn and get away with it.


You all have written some very interesting and very detailed contributions on security.

I tried to copy the Bitwarden local database, also protected by 2FA, to another computer. In the meantime I changed my password, pretending to have noticed a violation.
I installed Bitwarden on another computer and opened the stolen database without an internet connection. I typed the old password (pretending I had guessed the password with brute force), but it gave me an error message like “you don’t have the security token”, so I couldn’t access it. I then activated the connection and entered the old password again, but I got the error message “incorrect password”.
In any case and in any way, I was unable to connect to the database.

This little experiment of mine made me feel a little more confident.
But I’m not an expert, surely someone with advanced computer knowledge could overcome the obstacle I had to access the database.

What exactly did you copy?

The bitwarden-appdata folder of Bitwarden Portable, which I believe contains the same database files as the other Bitwarden apps.

Hmmm… interesting. I have two logged-in accounts on a portable app, and saw the following error message for one of them:

Followed by this notice after attempting to unlock the active account:

I have not previously seen this. On the other hand, my second account was not logged out, and I was able to unlock it as usual.

I will need to experiment with this further to determine what is going on (and what the repercussions are for relying on a portable app for accessing vault data offline).

Regardless, the fact that I was able to unlock and decrypt one of the account vaults suggests that you may not want to rely on this new error message as a security feature.

Here is the same message I got when I tried to unlock the database protected with 2FA without an internet connection on another device.

These experiments are beautiful :slight_smile:

I did the exact same experiment but this time with the desktop app.

This time I exported the database located in “AppData\Roaming\Bitwarden” to another PC where I installed the Bitwarden desktop app, copying the entire folder. I tried to access it offline and it gives me the same token error.

So, excluding the web app where an internet connection is required, it is impossible to access all Bitwarden apps offline on other devices with any 2FA enabled, like Google Authenticator (which I use).
With an active connection, instead, it obviously asks for the 2FA code to access.
The only way to access our Bitwarden passwords is to use our PC physically, if it is left on and unlocked and someone takes possession of it, which is unlikely.

First, 2FA is irrelevant, if the local vault database has been stolen.

Second, it is not “impossible” to access the data from a copied data.json file. The file contains the protected encryption key (user_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_masterPassword_masterKeyEncryptedUserKey), so it would not be difficult for an attacker with knowledge of the master password to extract the vault encryption key, and to then decrypt the entire contents of the data.json file.

There is only a small speed bump for an attacker, in that they (sometimes) may not be able to use the Bitwarden app itself as a way to access an offline vault. My guess is that some work-arounds exist for this inconvenience, as well, but I would need to do additional testing and research to better understand the cause of the error message.

I’ll be curious to know what you can find out with your test :slight_smile:

I will post an update here if/when I get a chance to do more research on this new behavior.

Regardless, your assertion that “Bitwarden [is] more secure than offline password managers” is unfortunately not accurate.
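The two points made in this thread, that a 2FA code plays no part in encrypting a vault file and that a stolen copy keeps decrypting with the old master password even after a password change, while a hardware challenge-response secret (the KeePassXC setup mentioned earlier) does change the key, can be shown with a small model. The following is an added example written for this thread; it is not Bitwarden, KeePassXC or Enpass code and does not read any real vault file. It assumes a wrapped-key layout (a random user key encrypts the entries, a master key derived by PBKDF2 wraps the user key) and uses a toy HMAC-based cipher in place of the AES a real product uses; all keys, salts and entries are constructed here.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data; nothing here comes from a real vault.
ENTRIES = b"site=example.test user=alice pass=correct-horse-battery"
SALT = b"constructed-kdf-salt"
ITERATIONS = 50_000  # kept low so the demo runs quickly; real KDF settings are far higher


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stands in for the AES a real vault uses)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong (tag check fails)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def device_response(device_secret: bytes, challenge: bytes) -> bytes:
    """Models a YubiKey HMAC-SHA1 challenge-response; the secret never leaves the device."""
    return hmac.new(device_secret, challenge, hashlib.sha1).digest()


def master_key(password: str, salt: bytes, hw_response: bytes = b"") -> bytes:
    """PBKDF2 over the password, optionally mixed with the hardware response.
    Note what is absent: no TOTP/2FA code takes part in key derivation at all."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + hw_response, salt, ITERATIONS)


def create_vault(password: str, hw_response: bytes = b"") -> dict:
    """Wrapped-key layout: a random user key encrypts the data, the master key wraps the user key."""
    user_key = secrets.token_bytes(32)
    return {
        "salt": SALT,
        "wrapped_user_key": seal(master_key(password, SALT, hw_response), user_key),
        "data": seal(user_key, ENTRIES),
    }


def unlock(vault: dict, password: str, hw_response: bytes = b""):
    """Unwrap the user key with the master key, then decrypt the entries; None on failure."""
    user_key = unseal(master_key(password, vault["salt"], hw_response), vault["wrapped_user_key"])
    if user_key is None:
        return None
    return unseal(user_key, vault["data"])


def change_master_password(vault: dict, old: str, new: str) -> dict:
    """A password change only re-wraps the user key; the encrypted data blob is untouched."""
    user_key = unseal(master_key(old, vault["salt"]), vault["wrapped_user_key"])
    if user_key is None:
        raise ValueError("old master password is wrong")
    changed = dict(vault)
    changed["wrapped_user_key"] = seal(master_key(new, vault["salt"]), user_key)
    return changed


def run_vault_demo() -> dict:
    results = {}
    live = create_vault("old-master")
    stolen = dict(live)  # attacker's offline copy, taken before the password change
    live = change_master_password(live, "old-master", "new-master")
    results["live_rejects_old_password"] = unlock(live, "old-master") is None
    results["live_opens_with_new_password"] = unlock(live, "new-master") == ENTRIES
    results["stolen_copy_opens_with_old_password"] = unlock(stolen, "old-master") == ENTRIES

    # Hardware-bound variant: the KDF input includes the key's response, so a copy
    # of the file plus the master password is still not enough without the device.
    resp = device_response(b"constructed-device-secret", b"constructed-challenge")
    hw_vault = create_vault("old-master", resp)
    results["hw_copy_fails_without_device"] = unlock(hw_vault, "old-master") is None
    results["hw_copy_opens_with_device"] = unlock(hw_vault, "old-master", resp) == ENTRIES
    return results


if __name__ == "__main__":
    for name, ok in run_vault_demo().items():
        print(f"{name}: {ok}")
```

The point of the model is the shape of the keys, not the toy cipher: the 2FA code never enters `master_key`, so it cannot protect a file that is already copied, and `change_master_password` leaves the data blob exactly as it was, so the copy stays readable to anyone who knows the old password. Only changing what the key is derived from (the hardware response here) changes what a thief needs.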


Update: My current theory is that this new behavior is a bug in the portable version.


It also happens with desktop software.

P.S.
However, if I make a comparison with the password manager I currently use, Enpass (which is offline), with the same experiment I did, it is much easier to access the database through its application: you don’t even need to examine the .json file, you just need to crack the password and find the key file and you can easily get access, and even if you change the password you can still access it with the old password, because the new password is not updated even if you are connected to the internet.

Now I don’t want to say which password manager is better, but the difference I noticed is this. I think that to access Bitwarden you need more advanced knowledge.

It’s not a bug in the Desktop software, because the Desktop app is not designed to be moved from one computer to another. When it comes to the Portable app, however, it is specifically designed to be moved from one computer to another, and this is no longer possible, because the refresh token is currently being stored on the PC motherboard (probably in the TPM) instead of in the portable app’s data folder.

I did another slightly more sophisticated test.

I opened the “enpass” process (the password manager that I currently use) with HxD (HxD - Freeware Hex Editor). I copied a password, which is “secret_password”, then I locked Enpass and, as if by magic, the password continues to be stored in the memory of the Enpass process even when it is closed.

After 10 minutes with Enpass locked, the password continues to remain in unencrypted memory.
I also tried with KeePass and the same thing happened with the database locked.
So be careful if you use Enpass and KeePass. I will try this test with other password managers as well when I have time.
Serious security problem!

I did the same thing on Bitwarden, and when I lock the database all Bitwarden process memory empties and it is not possible to read it even with HxD.

This is the objective proof that (with its defects) Bitwarden is certainly more secure than Enpass and KeePass.

After discovering this I will migrate all the passwords to Bitwarden, which, even if it stores the passwords in the cloud, does not have this serious problem.
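The behaviour observed above, where a locked application leaves the plaintext in process memory, comes down to whether the application keeps decrypted material in a buffer it can overwrite on lock. The following is an added example for this thread, not code from Enpass, KeePass or Bitwarden, showing the principle in Python: decrypted entries are held in a `bytearray` the session owns and zeroed in place on `lock()`, while an immutable `bytes` copy made from them cannot be wiped and is exactly the kind of residue a hex editor would later find. The sample value is the one used in the post; the class and its method names are this example's own.

```python
from typing import Optional


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place with zeros (same length, so no reallocation)."""
    buf[:] = bytes(len(buf))


class VaultSession:
    """Decrypted entries live only in a bytearray the session owns; lock() wipes it in place."""

    def __init__(self) -> None:
        self._plaintext: Optional[bytearray] = None

    def unlock(self, decrypted: bytearray) -> None:
        # Take ownership of the caller's buffer instead of copying, so there is one
        # buffer to wipe rather than two.
        self._plaintext = decrypted

    def entries(self) -> memoryview:
        if self._plaintext is None:
            raise RuntimeError("vault is locked")
        return memoryview(self._plaintext)  # a view over the buffer, not a copy

    def lock(self) -> None:
        if self._plaintext is not None:
            wipe(self._plaintext)
            self._plaintext = None

    @property
    def locked(self) -> bool:
        return self._plaintext is None


def run_lock_demo() -> dict:
    secret = bytearray(b"secret_password")  # constructed, the sample value from the post
    session = VaultSession()
    session.unlock(secret)
    careless_copy = bytes(session.entries())  # immutable copy: nothing can wipe this later
    session.lock()
    return {
        "locked": session.locked,
        "buffer_wiped": bytes(secret) == bytes(len(secret)),
        "immutable_copy_survives": careless_copy == b"secret_password",
    }


if __name__ == "__main__":
    for name, value in run_lock_demo().items():
        print(f"{name}: {value}")
```

The `immutable_copy_survives` result is the caveat that matters for the experiment in this thread: wiping on lock only helps if every place the plaintext was copied to (string objects, UI widgets, clipboard) is also cleared, and a garbage-collected language gives no guarantee about copies it made internally. That is why what was seen in a hex editor differs between products even though both were "locked".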

As interesting as your experiments are - you are now only looking again at just one thing/part of the whole security functions. And you changed now from your first post from the “stolen database scenario” and its security to the “currently in working memory scenario”.

And if one apple is red, you can not conclude from that, that “all apples must be red”.


What I discovered was something that scared me, but I am not able to make definitive conclusions because I am not an expert. But I have told you the results I had with the experiments I did. Hoping that those who are more expert than me can give us more precise indications.

I will add a question mark to the title then, as it seems to be more a “question” than an assertion.

And I’m no expert as well.

But I think even your search for “precise indications” is a bit problematic, e.g. as there are intense security audits for some password managers - online and offline. One method may be to compare them - but I would doubt, that you will get a definite answer from that. - And with the next update, it may be different already. (PS: And that would only compare certain password managers - and not the category “online/offline” itself…)

And as far as I understand your last experiments about the working memory: that at least shows that different password managers do that differently. But that isn’t derived from their status as online or offline password managers - it (basically) just shows that they are handling that part of the working memory differently.

(BTW, did you do the same experiments with KeePassXC?)


Not yet because I haven’t had time, but I will do it as soon as I can, if I can this evening and then I will update you.

I installed KeePassXC and tried to read its process memory, and surprisingly its process is not even listed; it seems to be invisible, and that’s a good thing.
But I noticed that it doesn’t ask for any password to export the database.