Bitwarden Password Strength autofill Master Password

Didn’t find anything related to this, but it appears that when you go to the Password Strength Testing Tool | Bitwarden, the Vault Master Password is auto filled when the vault is in an unlocked state.

Anyone know if this is a reported bug and if this will be fixed?

Browser: Edge

Example: (note: this is not my actual master password lol)

1 Like

Hi @matrix2280 and welcome to the Community!

Is it safe to assume that you are storing your Master Password in your Bitwarden Vault and you have Autofill turned on?

Interesting, yes (which I just removed) so thank you for pointing that out. So now that I’ve done that, the auto-fill does the password I have saved for this forum now. I would just think that the field on that page would not be recognized as a “password” field since the characters are not hidden, therefore should not be pulling/auto-filling anything from the vault itself.

1 Like

@matrix2280 The behaviors you are seeing are occurring because you are using the default settings for URI Match Detection. The default detection method is Base Domain, which means that any of your stored login credentials for vault.bitwarden.com or community.bitwarden.com will “match” (i.e., be auto-fillable) on any webpage on the bitwarden.com domain — including https://bitwarden.com/password-generator/.

To fix this, change the match detection option by editing the login item in your vault and clicking on the gear icon (:gear:) next to the stored URL, which displays a drop-down menu of match detection options. Change the setting from Default to Host for both of your Bitwarden login items, and save. Now, you can go to any bitwarden.com site without autofilling your master password or community forum password in the wrong location.

1 Like

Edit: Oops, @grb beat me to it! Listen to what he says. :grinning:

You can leave your Master Password in your Vault if you wish, but change the URI to something like https://vault.bitwarden.com/#/login and then change from the Default Match to Exact Match. Then it should only autofill on the Bitwarden Vault login page.

3 Likes
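The difference between the match modes named in the replies above, as an added example that is not part of the original posts and is not Bitwarden's code. It is a simplified model: `baseDomain`, `uriMatches`, `candidates` and the two vault entries are constructed for illustration, and the base domain is assumed to be the last two host labels.

```javascript
// Simplified model of the three match-detection modes discussed in this thread.
// Assumption: the base domain is the last two host labels. That holds for
// bitwarden.com but not for suffixes such as co.uk, where a real implementation
// needs the Public Suffix List.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function uriMatches(savedUri, pageUrl, mode) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  switch (mode) {
    case 'base-domain':
      return baseDomain(saved.hostname) === baseDomain(page.hostname);
    case 'host':
      return saved.host === page.host; // hostname plus port, if any
    case 'exact':
      return savedUri === pageUrl; // whole-string comparison
    default:
      throw new Error(`unknown mode: ${mode}`);
  }
}

// Constructed vault: the two login items mentioned in the thread.
const vault = [
  { name: 'Master password', uri: 'https://vault.bitwarden.com/#/login' },
  { name: 'Community forum', uri: 'https://community.bitwarden.com/' },
];

// Names of the items that would be offered for autofill on pageUrl.
function candidates(pageUrl, mode) {
  return vault
    .filter((item) => uriMatches(item.uri, pageUrl, mode))
    .map((item) => item.name);
}

const pages = [
  'https://bitwarden.com/password-generator/',
  'https://community.bitwarden.com/t/some-topic',
  'https://vault.bitwarden.com/#/login',
];
for (const mode of ['base-domain', 'host', 'exact']) {
  for (const page of pages) {
    console.log(mode.padEnd(12), page, '->', candidates(page, mode));
  }
}
```

Under base-domain matching both items are offered on the password-generator page; under host matching neither is.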

Perfect, thank you @RogerDodger and @grb. I changed the setting and it is working now. Very much appreciated.

2 Likes

I’m curious. Why does the strength meter show that the password is basically uncrackable? There are some replacements of letters with special characters, but I don’t really think it would survive long with 1’000’000 guesses/second.

Bitwarden’s password strength meter uses the zxcvbn tool, which is good, but not perfect. There is a demo page available here, where you can type in Th!$iSmYMasT3rP@s$w0rd-NotReal and find out the details of how the algorithm attempts to break down this particular password. I agree that in this case, the estimated strength may be an overestimate.

1 Like

AFAIK, the strength meter uses level 3 of 4, assuming that an attacker can make 10’000 guesses/s. That’s somewhat low, even with 600’000 PBKDF2 iterations. A decent server (thanks to the crypto boom there are thousands of now unused mining rigs) could probably manage to do that. (And let’s hope that no one finds out that you can rent computing power from Amazon for cheap.)

It is low, but by coincidence, 10 kH/s is a relevant figure. Bitwarden is following OWASP recommendations for hashing cost, which in turn is based on the analysis by Steve Thomas. It so happens that the recommended KDF settings (e.g., 600,000 iterations of PBKDF2-HMAC-SHA256) are designed to throttle the guessing rate to <10 kH/s for a brute-force attack using a decent but affordable GPU (<$1k). Thus, as long as Bitwarden and its users continue to keep pace with OWASP’s/Thomas’s recommendations over time, the rate at which a single GPU can make guesses will always be on the order of 10,000 guesses per second.

Thus, the cracking time estimate provided by zxcvbn/Bitwarden should be reasonably accurate for an attack by a hobbyist/script kiddie. However, for a more sophisticated threat actor, the value would have to be reduced by a factor representing the total number of GPUs used in a parallelized or distributed attack. Unfortunately, because zxcvbn currently truncates all results to “centuries” when the cracking time exceeds 100 years, it is not possible to accurately determine the cracking time when the number of GPUs used by the attacker is in the range 100 or more.

1 Like
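The scaling argument in the reply above, as an added example that is not part of the original post and is not zxcvbn's code. The guess counts are constructed, the display function is a simplified model that assumes a 365-day year, and `crackSeconds`, `display` and `minGpusBelowCentury` are illustrative names.

```javascript
const RATE_PER_GPU = 10000;   // guesses per second, the 10 kH/s figure from the thread
const DAY = 24 * 3600;
const YEAR = 365 * DAY;       // assumption: 365-day year
const CENTURY = 100 * YEAR;

// Time to exhaust `guesses` candidates when `gpus` devices work in parallel.
function crackSeconds(guesses, gpus = 1) {
  return guesses / (RATE_PER_GPU * gpus);
}

// Simplified display model: anything of 100 years or more collapses to one label.
function display(seconds) {
  if (seconds >= CENTURY) return 'centuries';
  if (seconds >= YEAR) return `${Math.round(seconds / YEAR)} years`;
  if (seconds >= DAY) return `${Math.round(seconds / DAY)} days`;
  return `${Math.round(seconds)} seconds`;
}

// Smallest number of GPUs that brings the estimate under 100 years.
function minGpusBelowCentury(guesses) {
  return Math.floor(guesses / (RATE_PER_GPU * CENTURY)) + 1;
}

// Constructed guess counts: both passwords display as "centuries" on a single
// GPU, yet they differ by five orders of magnitude.
const samples = { weaker: 1e15, stronger: 1e20 };
for (const [label, guesses] of Object.entries(samples)) {
  for (const gpus of [1, 100]) {
    console.log(label, `${gpus} GPU(s):`, display(crackSeconds(guesses, gpus)));
  }
  console.log(label, 'GPUs needed to drop below a century:', minGpusBelowCentury(guesses));
}
```

Working from the raw guess count rather than the displayed label is what makes the multi-GPU estimate recoverable.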

Ah, so does that mean that the new 600k iteration count together with 10k hashes/second counts for one single RTX 4090?

Yes, more or less. Put more precisely:

By coincidence, the 10 kH/s rate used in Bitwarden’s password strength tool corresponds to the guessing rate achievable against 600,000 iterations of PBKDF2-HMAC-SHA256 hashing, using only ⅔* of an RTX 4090 GPU.

*Note: Steve Thomas’s KDF cost recommendations are intended to protect against an attack by “a current high-end but not super high-end GPU” (cost <$1k), whereas the RTX 4090 is a “super high-end GPU” (cost $1600). For reasons explained in Thomas’s analysis, he considers the RTX 4090 to be equivalent to 1.5 GPUs, and scales the recommendations accordingly.

1 Like

Thanks for the reply. I don’t know who Steve Thomas is, but I think he should refrain from recommending stuff in the future.
Although I understand the approach against “casual” threats, the 4090 isn’t that expensive to prevent its use by low level attackers.