Bitwarden vs Secret Key or Keyfile

This has been discussed in great depth already, but unfortunately the BW admins closed the main topic for its discussion, bad enough as it prevents further discussion, worse still considering this was done after they had previously deleted the discussion. And I’ll just say, I’m already very unlikely to subscribe due to the lack of this feature, but even more so based on BW’s handling of that topic. Anyways, on to the actual discussion.

I looked at BW a bit a couple years ago and, for various reasons, including the lack of this feature, decided to stick with KeePass. I’m again toying with the idea of trying out BW, but I’m bothered that not only does this feature still not exist, but, as mentioned, all discussion on it was halted. I certainly don’t have any hopes or expectations at this point that it will ever be added, but then I’ll also continue to vote with my wallet as will, I suspect, many others. I do, however, want to respond to some points made and questions asked in that thread.

As has been pointed out multiple times, 2FA (TOTP) is completely useless in the event of a hack on BW where vaults are stolen, as happened with LastPass, and so the only defense at that point is a strong password. Points were made regarding the need for a strong password regardless, how a secret key would encourage users to use weak passwords, how malware or theft, i.e. device access of some form, would negate this added level of protection, and so on. So here are my thoughts on these arguments and questions.

As far as the claim it only adds protection for weak passwords, this isn’t really true. As was pointed out, even strong passwords can be shoulder-surfed, and what’s a sufficiently strong password today may not be tomorrow. And if a user would prefer to have a weak(er) password with a secret key / keyfile to make it easier to type, then that should be their choice, and if it’s between a weak password only (since many users are going to do this regardless) and a weak password with an additional factor, then the latter will always be better. And a four-word password is still quite strong (i.e. not necessarily “weak”) but still easier to remember and type than a 5-6 word password. Similarly, the argument that a user can do this themselves simply by using a longer password is invalid, both due to the aforementioned points about not wanting to have to remember/type such a long password, but also because, regardless of how long it is, a password is still a single factor of authentication.

For the concern about device access (malware, etc), this wouldn’t necessarily mean they’d have access to the keyfile, or know what file to use.

Regarding the concern of being locked out and placing barriers on accessing the account from a new device, this is really quite simple. All you need to do is use a file that you can access from anywhere. For example, you could use the Google logo or a text file you can create on the fly containing a passphrase.

Another common argument is that users advanced enough to know about and use this feature are apparently the same users that would have secure passwords, and those that wouldn’t have secure passwords wouldn’t know about it. This is full of holes. First, there’s a wide range of levels of knowledge, and an “advanced” user could have basic understanding of password hygiene but not enough to know what they don’t know, e.g. that a password they think is secure isn’t. A user could be fairly basic and know little to nothing about passwords but take the time to poke around in settings or do some web searching and find the option. And BW could take steps to help with this, as well as with the other common concern that it would trick users into using weak passwords. They could simply add a warning to the feature to still make sure to use a good password, and they could make it a prominent, but optional, feature when creating a password, so even basic users would see it. In fact, they could have it recognize that the password the user is entering is weak and encourage them to either strengthen it (which, I believe, they already do) and/or use this feature. It doesn’t have to be a black and white thing.

The big advantage would be to have a decently strong password with this simply adding more entropy to make it much stronger, preventing the need to remember and type a longer password. And despite all the arguments against it, I fail to see any real downside aside from development time, which it seems there are ways it could be done to require relatively little. For example, it could be as simple as a text file containing a passphrase which you point BW to and type in your password, and BW would simply append the passphrase to your password. Heck, you could get crazy with it and add parameters to tell it to insert x number of characters from the file every y number of characters in the password to increase the security so even if the file were stolen as well, it wouldn’t matter. Essentially all you’d be doing is making a long password but only needing to type a short part of it, but it would be more secure than e.g. using a PIN. And ultimately, while there would be potentially some risk if someone gained access to the file and your vault, it would still be significantly less risk than if somebody gained access to your vault but not the file, which is the scenario people are concerned about and, arguably, that is more likely.

A question was asked by @222 why people that want this feature don’t simply use 1P or KeePass. I obviously can’t speak for anyone else, but as I said, I already use KeePass, and have been for probably 15+ years, and I’m quite happy with it. But it has its drawbacks, namely the need for mandatory syncing of the database and the inability to use it in many situations, e.g. on my work computer. That latter reason is what drove me to take another look at BW now, and the former is why I generally feel BW is better than KeePass for most less advanced users. It’s hard enough trying to convince most people to use a password manager to begin with; KeePass’ more complex UI and requirement for manual syncing, I find, is usually a dealbreaker. But it would be nice both for myself and those I try to get to use it if BW would offer more protection by doing this, not to mention protecting them better if, due to them being a basic user, they end up using a less-than-ideal password. In other words, BW is simultaneously better suited and less suited for these types of people. As for 1P, it’s closed-source (biggest issue) and costs (more) money. And again, I don’t look at BW just as a solution for myself, but for friends and family, and again, it’s hard enough to get people to consider using a password manager even if it’s free.

I’d also like to point out that, despite my being a fairly knowledgeable person regarding all of this and technically-inclined, I didn’t realize until I did some digging that the TOTP 2FA currently provided has the limitations it has, so I’m sure there are many users that are operating under the assumption it will protect them in the case of a hack/breach. Of all of the people arguing that a secret key / keyfile would give a false sense of security and cause people to use weaker passwords, it seems mostly ignored that the 2FA is doing exactly this, and BW hasn’t made it anywhere near clear enough what it does and doesn’t do AFAICT. Not only that, but the 2FA, which is considered very important despite doing the same thing, only applies to accessing the vault, whereas this feature would apply to decrypting it, which is arguably more important. I just don’t understand why one form of 2FA is so looked down on while another is considered essential, when they are largely the same with many of the same vulnerabilities.

It was also asked, by @grb, why people don’t just use biometrics or a PIN. First, that basically assumes you’re using it on a mobile device, but it doesn’t help for remembering/typing a long password on a computer (granted, not as difficult as doing on a phone, but still). Second, a PIN isn’t nearly as secure, and while there are ways to make it more secure, I don’t think BW really does any of that (I could be wrong, I haven’t looked much into this). As for biometrics, that’s particularly thorny, since you can be compelled by law enforcement to unlock things that are protected by biometrics, but not those locked with a password. Also, I haven’t followed the state of biometrics in quite some time, but IIRC as recently as 10 years ago or less fingerprint readers on mobile devices were known to be very weak, and I haven’t seen anything indicating this has changed.

Seeing as this hasn’t been added, likely will never be added, and the previous discussion about it has been deleted and then locked, it seems the best option may be to use a text expander app to insert a few words when typing a short sequence, essentially a hack to provide the same functionality. Or, of course, continuing on without using or recommending BW. I’d be interested in what others have to say regarding these points, and especially regarding the “multifactor encryption,” which the other thread as well as BW’s blog make vague statements that make it sound like it negates the need for this feature (“Beyond this, Bitwarden adds additional layers of encryption and protection – called multifactor encryption…makes it practically impossible for a bad actor to break into your vault, even if they were able to gain access to your encrypted vault data.”), but don’t seem to really explain how.

Finally, related to this, it seems a common use-case for BW would be to access login credentials to access sites while on a public/work computer, but this presents the very real risk of said computer seeing your input when logging into BW, thereby completely negating the protection provided by the password. If the vaults were ever stolen, the 2FA would no longer apply, and the owner of this computer (or someone that installed malware or a physical keylogger on it (in case someone wanted to point out that malware could just read the contents of the vault once unlocked)) could then easily access your vault. Having the ability to require a keyfile of some sort could help protect against this. For example, if using the Google logo as mentioned above, you could point BW to that when logging in on a public computer, something that would be significantly harder, if not impossible, for a keylogger to see.

The primary reason behind closing feature requests is to free the votes so the voters may apply them to something else. This seems a natural next step after Bitwarden either implements or decides they will not implement the FR.

That the FR remains visible indicates to me that they are not trying to prevent discussion. Continuing the discussion simply requires opening a follow up conversation, just as you did. Moving it to “Ask the community” was a good choice on your part as it does not re-raise the concern of tying up votes.

Regarding your interest in a secret-key-file, you could (somewhat inconveniently) simulate one by appending to your typed master password a random string copy/pasted from a file you keep on your device(s).

There is no need for this random string to be more than 43 alphanumeric characters long because the 256 bit account encryption key limits how much entropy one can stuff into the encryption. Since each character contributes just under 6 bits of entropy, 43 characters maxes it out.

My understanding is that the deletion of comments from that thread was an unintentional clerical error by a forum admin, so I would advise you to apply Hanlon’s Razor to that situation. If Bitwarden staff wanted to engage in some kind of censorship, there would have been more effective ways to remove all traces of the topic in question.

And as noted by @DenBesten above, the closure of that thread today was simply for housekeeping reasons, with an official position statement from Bitwarden as the final comment:

There are two cases for the use of a keyfile that seem to be mixed in your comment (note: I’m one of those that advocated in favour of the secret key/file):

1. Addressing the issue of weak passwords: I consider this to be very important when considering large audiences, like students of a school, or friends-and-family. This would be fairly easy to implement as you said but it means that an insider (or a hacker) at the BW-side can in theory still log your decryption key and access your data. IMO it also means that governments can compel BW to provide access to your data.
2. Making it impossible for a BW hack to expose your data: This means that BW must not have, at any point, enough information to decrypt your vault (or else the hacker wins). 1P achieves this by having the decryption happen at the client-side. BW’s model is different and this would require massive re-architecting. So not easy at all.

Fellow KeePass user here (and 1P). My approach is to store it in Google Drive. There are clients that sync local files to Google Drive (Insynq, Android’s built-in drive functionality, official GDrive sync, chromebook’s GDrive support). This works fairly well for me for many years now.

This is inaccurate information. Bitwarden vault data are always encrypted client-side only. Bitwarden uses a zero-knowledge approach, like 1Password.

As does Bitwarden. It might help to read Bitwarden’s Security Whitepaper, which states:

All cryptographic keys are generated and managed by the client on your devices, and all encryption is done locally.

If you do have a demonstrable path for an insider to get your decryption key, please report it through their bug bounty program and maybe earn some cash.

Attacks against the website are stymied by the fact that like your vault itself, the encryption key never leaves your device without it too being encrypted.

It is a bit subtle. There are two encryption layers. The master password is used to encrypt/decrypt the encryption key. The encryption key itself is used to encrypt/decrypt the vault. The encryption key is again encrypted to become the protected symmetric key. This protected symmetric key is then uploaded to the website so it can be shared amongst your devices.

Why the two-layers? It creates flexibility. One can change a master password without needing to reencrypt/upload the vault itself (only the new protected symmetric key needs upload). And, the encryption key can be stored in your devices HSM to be used by biometric unlock (decrypt a downloaded vault).

The primary reason behind closing feature requests is to free the votes so the voters may apply them to something else. This seems a natural next step after Bitwarden either implements or decides they will not implement the FR.

Fair enough, but IMO they should have converted/moved the discussion and kept it open, as it was clearly a popular one with very active participation.

That the FR remains visible indicates to me that they are not trying to prevent discussion. Continuing the discussion simply requires opening a follow up conversation, just as you did.

True, but the fact it went from a very actively discussed topic to next to nothing for two years shows that, while restarting it was/is possible, the actual effect of closing that off was to shut off the discussion, which likely would have kept going otherwise.

you could (somewhat inconveniently) simulate one by appending to your typed master password a random string copy/pasted from a file you keep on your device(s).

Yes, but I’d say this would be more than just somewhat inconvenient.

Perhaps, though I recall getting the distinct feeling at the time it was intentional. Also, not much more effective ways than to delete it. And either way, intentional or not, it destroyed a very popular thread with active conversation, and the BW staff did nothing to address that. If it was accidental, it would have made sense for them to have stated that and to have apologized, but they didn’t. So either way, I’m unimpressed by their handling of it, not to mention the few times they commented they didn’t answer any questions or provide any additional context/info, other than to comment on upcoming and new changes.

I’m confused by your points. How would it allowing an insider/hacker access? The whole point of it is that it would make it less accessible as they would need the keyfile (or at least the hash of it). And I thought BW does do decryption client-side. Can you explain these more?

I also use GDrive for this, but I guess in my attempt to use Google as little as possible I’ve stopped doing this and kind of forgotten about it. And even with that, it’s still less convenient than just having it automated, which makes it a minor but mostly acceptable nuisance for me, but pretty much a non-starter for most people who, as I said, are hard enough to convince to use a password manager without requiring extra steps like this.

Closing is the reversable action.

Moving results in the votes being permanently lost. If the decision is made to revert, the voting would start back at zero.

Closing maintains the record, with the votes not counting against one’s 20-vote quota. If the decision is made to revert, the votes again count.

Hey @vertigo, rest assured we don’t intentionally remove ongoing discussions.

Edit: My complaint should be addressed by 2FA. I’ll have to consider how well that will work with my workflows before I decide whether I’m going to make the switch to Bitwarden. I’m leaving the comment up for posterity.

I was considering switching from 1Password, and I’m honestly shocked that this is not an option with Bitwarden. Not having a secret key / key file is a non-starter for me, and I suspect the same is true of anyone who really takes security seriously.

I often work in public places (public transit, coffee shops, etc…) and I can’t risk having someone looking over my shoulder gaining full access to all of my passwords.

Closing this topic as there are no plans to implement this, given that all new accounts are created with 600k KDF iterations, Argon2 is another encryption option, and multifactor encryption is an additional layer of protection for the encrypted data at the server-level that doesn’t add any user overhead to manage.

I don’t mean to be rude, but the fact that the previous discussion was closed with this statement is, quite frankly, laughable. All the encryption in the world does jack if someone can sit and watch me type in the decryption key.

Welcome, @drtz to the community!

Most us us prefer to keep the vault locked, as opposed to logged out (what’s the difference?). This allows us to use biometrics to unlock the vault, which is both extremely convenient and can not be duplicated by a shoulder surfer. The convenience is important because it reduces the incentive to keep the vault unlocked.

You are on the right path with more strongly securing the login to your vault and that 2FA is a great defense. Key-files can help with physical shoulder surfers, but not electronic eavesdroppers (e.g. via a compromised WiFi hotspot). To additionally defend against them, you need to send something different each time you login. TOTP solves this because each 6-digit code can only be used once.