Ditch the master password in favor of passkeys

I didn’t mean exactly as back-doors. For all I care it can be passkey-only or security key-only. I just want to eliminate the need for a password. Again, the passwordless movement is growing, and as has been said a lot of times recently, a password is the weakest form of authentication.

The feature I’m requesting doesn’t have to be mandatory for all users. It’s an option. This means someone will have to opt in or opt out.

Just like master password, master passkey or master security-key. The idea is to avoid passwords.

You’re right about the backdoors. It’s something we don’t have now and shouldn’t have in the future.

I’m no security expert, maybe there’s a reason behind using a master password and not a master passkey, but I think it’s better because it’s a stronger form of authentication.

Between passkeys (for the web vault), pins, face/fingerprint, and login with device, you can largely accomplish this today.

A password is not weak, provided it is long, random, unique and never used. Their primary weaknesses:

  • replay attacks can be defended against by never using or reusing the password and perhaps coupling it with TOTP.

  • brute force can be defended against by setting a ~~20~~ 40 random dice-word master password. TOTP also helps here because it time-limits a given “attack run”.

~~20~~ 40 dice-words are enough because your vault is encrypted with a ~~256~~ 512 bit “encryption key”, which is in turn encrypted by your master password. A master password that has ~~256~~ 512 bits of entropy is no less difficult to “crack” than the encryption key itself.

So, one could effectively have no master password by setting a ~~20~~ 40 random dice-word master password, configuring it for TOTP and then discarding both after they have been used to set the master password.

Perhaps the word “backdoor” has a bad connotation because it implies an “easier” way in. Better terms may be “recovery key”, “Plan-B” or “disaster plan”. We absolutely do have these today and strongly recommend their use. There is no need for this to be any weaker than your normal ‘Plan-A’.

The important bit is to have an alternate path in case the primary one fails. We know this to be important because every week or so we do encounter someone that has lost access to their vault and wants someone to come to the rescue. Backups are a decent solution here, but not a perfect substitute because they tend to become outdated.

The encryption key is actually “only” 256 bits (the generated 512-bit key also includes a 256-bit MAC key). Thus, a maximally strong passphrase would only need to comprise 20 words.
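The word-count arithmetic behind the two posts above (40 words for a 512-bit key, 20 words once only the 256-bit encryption half counts), as an added example that is not part of any post in this thread. It assumes a standard 7776-entry diceware list; the toy wordlist is constructed for the demo only.

```python
import math
import secrets

# A standard diceware list is indexed by five six-sided dice: 6**5 entries.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def bits_per_word(dictionary_size: int) -> float:
    """Entropy contributed by one word drawn uniformly from the list."""
    return math.log2(dictionary_size)


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase made of word_count independent uniform picks."""
    return word_count * bits_per_word(dictionary_size)


def words_needed(target_bits: int, dictionary_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits.

    Once the passphrase entropy matches the key length, guessing the
    passphrase is no cheaper than guessing the key, so extra words only
    cost the user typing effort.
    """
    return math.ceil(target_bits / bits_per_word(dictionary_size))


def generate_passphrase(word_count: int, wordlist: list[str]) -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed toy wordlist for the demo; a real diceware list has 7776 words,
# so a passphrase drawn from this list has far less entropy than the numbers above.
TOY_WORDLIST = ["apple", "basalt", "canyon", "dune", "ember", "fjord", "gravel", "harbor"]


def demo() -> dict[str, float]:
    """Reproduce the thread's figures: 512-bit key -> 40 words, 256-bit key -> 20."""
    return {
        "words_for_512_bit_key": words_needed(512),          # 40
        "words_for_256_bit_key": words_needed(256),          # 20
        "bits_in_4_words": round(passphrase_bits(4), 1),     # 51.7
        "bits_in_20_words": round(passphrase_bits(20), 1),   # 258.5
    }


if __name__ == "__main__":
    print(demo())
    sample = generate_passphrase(4, TOY_WORDLIST)
    print(sample, "->", round(passphrase_bits(4, len(TOY_WORDLIST)), 1), "bits (toy list)")
```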


I just described exactly why it can be weak and all my problems with it:

So not only is it weak, but also not convenient. There’s no option for me to use a random master password, how am I supposed to remember it? Write it down? Someone can steal what I’m writing down.

See my point?
There’s a lot of messing around using password as the master password, while it is safer to use passkeys. Right now I login with passkeys to the web vault and it works fine. What I’m suggesting is to use this or a security key to log in to the vault in any app, and to opt to make it the only way to log in to the vault. It doesn’t need to be mandatory, but some of us want to avoid using passwords at any cost.

I have to go back to my previous question (which was not answered yet): Why are you changing your master password “often”? It should only be changed if it has been compromised.

Also, why are you using your master password so often? Are you logging out of your vault each time you use it, and if so, why? Normally, one would remain logged in semi-permanently, and just lock the vault to protect it while not in use. To unlock the vault, you can use a simpler password or PIN, or even a fingerprint or Face ID.

You need to use a random high-entropy master password that you can memorize. This means that your master password should be a randomly generated 4-word passphrase.

And yes, because memory can fail, you do also need a written record of the master password — but this “emergency sheet” must be stored in a secure location. If you have no fully secure locations available for hiding your emergency sheet, you can use a technique such as Shamir Secret Sharing.

I use the master password often because, for security concerns, on desktop app and browser extension the vault timeout (auto-lock) is on system lock. I have a habit of locking up the computer when I go away from it. So yeah, I tend to use the master password frequently, that’s also to keep remembering it because if I forget it, I’m screwed.

Changing passwords often means every few months or so, I don’t want to wait until I get hacked to change my password. It’s only a good practice.

But I didn’t ask for a feature in order to get debated on how I use my master password. As I previously said, the passwordless movement is going forward, it is more secure than passwords and it is a well-known fact that Bitwarden states as well.

If feature requests are not really welcome, you can just go ahead and say it. All I’m doing here is requesting a feature which I think will help users further secure their vaults and also help them to not get locked out, having a choice on how to encrypt their vaults, me included.

As far as I can tell, Bitwarden cannot tell users that passwords are not secure and that passkeys or security keys are more secure than passwords, and then let users log in to their vaults on every app using only the master password. It makes no sense.

Let’s face it, the only way a master password is secure is if it exists only in the user’s head and nowhere else. That’s why I want to get rid of that need, to allow another method to get into the vault.

I think we will need to agree-to-disagree on this one. There are two major classes of credential risk – exposure and loss. Everyone thinks about the risk of bad guys stealing their passwords, but many fewer think about losing their own access until after they have experienced loss due to fire, brain-fart, operational mistakes, etc.

Passkeys do indeed reduce the theft risk, but they also increase the locked-out risk. I have had to reset maybe a half-dozen of my own passkeys in the past year, using whatever recovery mechanism I had set up… generally, setting a new long-random-unique password and stashing it in my vault to be used only upon emergency.

And the risk of loss applies to the vault itself. This is why I create occasional backups/exports and also keep them in my vault… and the password for the backup is stored on my emergency sheet.

Listen, your feature request is fine, but we are noticing based on what you’ve described that some of your habits are not the most secure. Some of the responses above have been attempts to educate you about this. But if you are not open to receiving such advice, that’s fine, I will butt out.

Good luck to you! 👋

I’m very open to being educated. The issue is you are asking me questions regarding how I conduct my security rather than talking about the feature request, which I see no problem with. For all I care a user can choose to log in (at login time) via master password, a security key or a passkey, or some combination of those.

If you have advice for my security habits they are more than welcome. I don’t recall seeing something like that.

Correct, but again, my feature request is not that it would be mandatory, it could be a choice between that and something else at login time, up to the user, or it could be configured at settings so login will be that or that, up to the user.

Anyway guys, I’m not here to debate you on my security habits, I’m here to talk about the feature request I presented.

As far as I can see, there’s nothing wrong with that feature request, nothing that doesn’t align with the Bitwarden vision.

Then I would recommend reading some posts here again. One point I have in memory: in the past few years some guidelines regarding “passwords” have changed. E.g. changing a password frequently without a (security) reason is no longer recommended.

Here is a nice overview of the main points from the NIST guidelines: NIST Password Guidelines 2024: 11 Rules to Follow - Sprinto

I guess, that was one thing, @grb (and others) tried to convey to you.

Another thing I can stress again: yes, write down your master password (and other things like the 2FA-recovery code) on an emergency sheet and store that in a safe place. That is part of “best practice” with a password manager.

To this - did you see my earlier post Passwordless-only Login To The Vault - #2 by Nail1684 ? → I tried to say that Bitwarden already has your main request, as I understood it, on its radar and already partially implemented (for the web vault). PRF (pseudo-random function) becoming more widespread (browser, OS?!) is the main thing they are waiting for before implementing it in the other apps, as I understand it… though I’m not sure if there are more technical hurdles…