Concerns about Security - Single Point of Failure?

Hello,

I’ve been a happy Bitwarden user for many years, and today (sorry if I’m late) I discovered that it’s possible to store OTPs on Bitwarden (Premium) as well. My Bitwarden account has an OTP, but is it secure to store it on Bitwarden? If I can’t access my Bitwarden account (Premium not renewed, or lost access), I also can’t access my Bitwarden OTP. Probably the solution for this is to restore the Bitwarden account with the recovery phrase. Is that right, or are there other options?

The second question is about the single point of failure. I checked and read about Bitwarden security; all data on the servers is encrypted, so isn’t a failure still possible? Is it impossible for a hacker to access the data in the Bitwarden infrastructure? (Obviously, I don’t take into account the case where a hacker takes control of my Bitwarden account, which is possible.)

I’m a little bit afraid to store various accounts and also the OTPs in my vault; if a hacker (if possible) got access, they could get all the data. Obviously it’s very convenient to also have the OTPs on Bitwarden, but the question is whether it’s really secure.

I’m looking for thoughts and possibly other documentation about it.

Thank you

@federik95 I moved your post into the Password manager section of the forum, since it appears that you are asking about the Password Manager product, not the stand-alone Authenticator product.

If you lose your Premium privileges, the TOTP authenticator keys (“secrets”) will still be available to you, so you will be able to export them and set them up in a different Authenticator app.

To protect yourself against losing access to your Bitwarden vault data, you should create an emergency sheet and regularly make backup copies (i.e., exports) of your vault contents. At a minimum, your emergency sheet should contain your Bitwarden username (email address), master password, Two-Step Login Recovery Code, password for password-protected vault exports, as well as the login credentials (password and 2FA) for the email account where emails sent to your Bitwarden email address are received.

If you are referring to the “Recovery Code”, it cannot be used to restore your Bitwarden account. Its sole purpose is to disable all two-step login (2FA) factors that have been enabled for logging in to your Bitwarden account.

If a hacker gains access to the database servers, they will only be able to see encrypted (garbled) data. They will only be able to decrypt the stolen data if they know, or are able to correctly guess, your Bitwarden account master password. For this reason, it is essential that you use a master password that is unique (not used elsewhere), confidential (never disclosed except when logging in to an authentic Bitwarden app or extension), randomly generated, and sufficiently long that a hacker would need to make at least a trillion attempts to guess it correctly. A random passphrase containing at least 4 randomly selected words meets these criteria, and effectively makes your encrypted vault data uncrackable.

For your most sensitive accounts (e.g., financial accounts), it is advisable for the 2FA second factor to be stored only outside your Bitwarden vault — and ideally, only on a device on which you don’t also use any Bitwarden apps or extensions (for example, a Yubikey). That being said, using Bitwarden’s integrated authenticator can be reasonably safe, if you are adequately safeguarding your vault (e.g., using a unique, confidential, random and long master password, and keeping your devices safe from unauthorized access and malware).
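The “at least a trillion attempts” bar in the reply above can be checked with a few lines of arithmetic. The script below is an added example, not from the post or from Bitwarden; it assumes the standard Diceware list size of 7776 words and counts only how many guesses exhaust the keyspace, saying nothing about how fast each guess can be tried. It confirms that 4 random words is the shortest passphrase that clears the bar, and shows the equivalent for random characters.

```python
import math

# Assumed alphabet sizes (not from the post): the standard Diceware list has
# 7776 = 6^5 words; printable ASCII has 95 symbols; lower case has 26 letters.
DICEWARE_WORDS = 7776
PRINTABLE_ASCII = 95
LOWERCASE = 26

TRILLION = 10 ** 12  # the "at least a trillion attempts" bar from the reply


def keyspace(symbols: int, length: int) -> int:
    """Number of equally likely secrets when each of `length` positions is drawn
    uniformly at random from `symbols` choices (words for a passphrase,
    characters for a password). This is the guess budget an attacker needs to
    be certain of success; on average they finish after half of it."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Same quantity expressed in bits of entropy."""
    return length * math.log2(symbols)


def meets_bar(symbols: int, length: int, bar: int = TRILLION) -> bool:
    """True when exhausting the keyspace takes at least `bar` guesses."""
    return keyspace(symbols, length) >= bar


def min_length(symbols: int, bar: int = TRILLION) -> int:
    """Shortest secret (in words or characters) whose keyspace reaches `bar`.
    An integer loop rather than log() so floating point cannot shave a position."""
    length = 1
    while keyspace(symbols, length) < bar:
        length += 1
    return length


if __name__ == "__main__":
    for name, symbols in (("Diceware words", DICEWARE_WORDS),
                          ("printable ASCII characters", PRINTABLE_ASCII),
                          ("lower-case letters", LOWERCASE)):
        n = min_length(symbols)
        print(f"{n} random {name}: {entropy_bits(symbols, n):.1f} bits, "
              f"{keyspace(symbols, n):.2e} guesses to exhaust")
```

Run it and the Diceware line reports 4 words at about 51.7 bits, roughly 3.7e15 guesses, while 3 words fall short of a trillion; a random printable-ASCII password needs 7 characters to clear the same bar. The same function tells you how a longer passphrase raises the cost.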

Is it OK to store your Bitwarden TOTP inside of Bitwarden itself? Yes, it is. It can be particularly convenient when extending access (e.g. using the desktop app to log in to the browser extension). However, it should not be the ONLY place that you store the TOTP because, as you identified, there would be a problem if you were to find yourself locked out on all devices. This can be solved in one (or more) of a few ways:

  1. TOTP has a “secret key”, usually two dozen or so random letters. This should be written on your emergency sheet.
  2. Enroll your TOTP in a second authenticator using the above secret key. I use the one I need to have installed for my employer, but you could use Bitwarden Authenticator, Ente Auth or even Google Authenticator. Once done, you will notice that all authenticators generate the same 6-digit code.
  3. Make sure you have your recovery code written on your emergency sheet so you can turn off two-step authentication if things go wrong.
  4. Create and maintain a backup of your vault.

With respect to vault security, selecting a long, random and unique master password is your single most important defense. Bitwarden only has an encrypted copy of your vault, so if your vault cannot be decrypted, it does not much matter if their servers are compromised. If interested in the details, check out their security whitepaper.
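Points 1 and 2 above rest on one fact: the 6-digit code is a pure function of the secret key and the current time, so any authenticator enrolled from the same secret produces the same code. The script below is an added example (not from the post, and not Bitwarden’s code) that implements RFC 6238 TOTP with HMAC-SHA1, the scheme behind the usual 6-digit codes. It uses the well-known RFC 4226/6238 test key rather than a real secret, accepts the secret in the grouped base32 form an app displays, and includes the server-side check that tolerates one step of clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the 20-byte ASCII key "12345678901234567890" from the
# RFC 4226 / RFC 6238 test vectors, written the way an authenticator shows it
# (base32, grouped in fours). A real secret belongs on the emergency sheet,
# never in source code.
RFC_TEST_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

STEP_SECONDS = 30  # the default TOTP time step used by the mainstream apps


def decode_secret(secret_b32: str) -> bytes:
    """Turn the secret as displayed to the user into raw key bytes.
    Tolerates spaces, dashes, lower case and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 requires
    return base64.b32decode(cleaned)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226
    dynamic truncation to `digits` decimal digits."""
    key = decode_secret(secret_b32)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(code: str, secret_b32: str, unix_time: int, window: int = 1) -> bool:
    """What a website does at login: accept the code for the current step and
    `window` steps either side (clock drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Two "authenticators" seeded with the same secret derive the same code.
    print("authenticator A:", totp(RFC_TEST_SECRET, now))
    print("authenticator B:", totp(RFC_TEST_SECRET, now))
    print("RFC 6238 vector, t=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
```

The last line reproduces the RFC 6238 Appendix B value 94287082 for the SHA-1 test key at t=59, which is how you can tell the implementation is right before trusting it with a real secret. Paste the same secret into Bitwarden and a second app and both will show the code this function computes, which is exactly why writing the secret on the emergency sheet is enough to rebuild the authenticator anywhere.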
