Hi,
If i’m not wrong, Bitwarden uses end-to-end encryption ? Yet, it is still possible to connect from any device or web browser and access all our passwords from anywhere.
How is it possible, since Bitwarden doesn’t our password and therefore cannot compare with the one used to connect from a new device ? In the end, what I would like to know is how end-to-end encryption can work for multiple devices.
Could someone explain that with simple words, for curious beginners ?
Thank you.
It works because your multiple devices are syncing with the Bitwarden Vault in the Azure cloud service they use. BW uses a zero knowledge approach, which means NO data leaves your devices until it is encrypted locally on the device. The encrypted package is sent to the BW cloud. Even the BW team cannot possibly decrypt your information because ONLY you know the password to decrypt the file. So in essence your cloud held BW vault is the master file. All connected devices will sync with that service. That means that when you log on from a device,the totally encrypted data is sent down to you and then you must decrypt it on your local device.
As an example on my end - If I went to a new device and installed the BW app I could open my vault on the device. I would need my username, password, and U2F (2FA) key to authenticate before the file would be sent down. It comes down encrypted and again it is decrypted locally. That is how it works across devices and maintains security during the process. The cautionary warning is that because the process is zero knowledge for BW you MUST maintain your own access. If you forget your codes they CANNOT help you in any way.
Which is what made me believe the service is trustworthy (as opposed to other service where they have the keys to unlock your vault if you lock yourself out).
Would you agree with that @OpSec?
maclm,
I absolutely agree that ANY security service should be set to zero knowledge on “their” part. If any service provider can access your stuff at their discretion you know that someone is eventually going to abuse that elevated privilege. Sounds harsh but if users are adults then they should be responsible for their accounts. If you lose your keys and don’t have an established backup plan then are you REALLY being an adult?
This is also true for the self-hosted versions. I was foolishly researching things like “how can our admins change the password of a user?”, but it’s impossible, of course! If a user forgets their master password, their encrypted info is gone forever. The only option is to delete the user and create it again 
If an admin could set the master passphrase for someone, they could also use it to log in and read that user’s existing passwords, but BitWarden makes this absolutely impossible.
That’s how it should be, IMO, your encrypted data is yours and no one else’s.
So, one’s data are encrypted by means of one’s BW master password on one’s local device and only then sent to the server? (Which means that the master password must also be impossible to guess or deduce from public knowledge about the person?)
Hi @FrankC and welcome to the community 
,
The more accurate detail would be: a symmetric key is randomly generated to encrypt your vault data, and your email + password are used to generate another key to encrypt the symmetric key. The encrypted vault, along with the encrypted symmetric key, is then sent to Bitwarden’s server. See the white paper here:
Since Bitwarden never has the plaintext symmetric key on the server at any time, it can’t read your encrypted vault.
More accurately, the master password must be randomly generated, and have sufficient entropy to make the cost of brute-force guessing untenable (at least 50 bits of entropy). The best practice is to use a passphrase consisting of at least 4 random words (e.g., scope-transform-sponge-strenuous), picked with the help of a cryptographically secure pseudo-random number generator (CSPRNG) or a true entropy source (such as dice), from a word list comprising at least 6000 words containing at least 3 letters each.
If I would be a billionaire, I would certainly do that. 
Not sure what you mean. Generally, brute-force cracking of a vault that is protected by a 4-word random passphrase would require a multi-million dollar investment, so no rational attacker would undertake such an effort to crack the vault of a user with a net worth less than 10 million dollars. On the other hand, if the assets protected by your vault have a value in the billions of dollars, then a 4-word random passphrase would not offer sufficient protection — you would need a passphrase consisting of at least 5–6 random words.
Conversely, a passphrase consisting of only three random words could be cracked in about 2 months by an attacker who has invested only $10k in their cracking hardware (and even faster by a network of attackers who are coordinating their efforts). A non-random master password is at risk of being cracked with even less cost.
Thus, unless your net worth is less than a few thousand dollars, it does not make sense to use an insecure (i.e., non-random) master password for your vault.
To see what grb is talking about, see the cost of cracking passphrases at:
setting the 2nd number to 600000 (Bitwarden default).
I don’t mean that it would cost me too much money. I mean that if I would be a billionaire, numerous people would try to get into my password database.
Neither @Neuron5569 nor I were suggesting that this is what you meant.
Did you read what I wrote above? Yes, if you only have a few thousand dollars to your name, then you could possibly afford to continue to be cavalier about your vault security (but even then, you may still lose what little assets you have — this could happen as a crime of opportunity, if you get malware, if one of your devices is stolen, or if Bitwarden’s cloud servers are breached, any of which could make your encrypted vault data available to attackers). However, if you are an adult with a job and financial responsibilities, then you should take your password security more seriously.
It is not just about protecting one’s bank accounts. Compromised social media can be used for nefarious purposes (distributing illegal age-related materials, threats against political authorities, false police reports, money laundering, etc.), all with the goal of distracting the legal response away from the true actor and towards you.
One of the biggest benefits of a password manager is making effective password practices (long, random, unique-per-site) easy everywhere, not just on the sites for which you see risk.
@grb’s advise is a method to have a strong master password (long, random, unique), while keeping it memorable. For background, read up on Diceware.
Note: Edited the post due to missing the number of GPUs in the calculation.
To expand on @grb 's comment, here are some direct numbers, that can be modified for your password complexity / KDF settings: Assuming default argon2 settings (soon the default for account creation), with consumer hardware - RTX 4090 at $1500 - would get you 6 cards, which would run around 1.6KH/s Support for Argon2id on NVIDIA CUDA GPUs by fse-a · Pull Request #4284 · hashcat/hashcat · GitHub. For a three word list of 7776 words, 7776^3H / (6 * 1600H/s) ~= 1.5 years to try all options. For the default PBKDF2 settings, the same setup would run around 15KH/s per GPU. 7776 words, 7776^3H / (6 * 15000H/s) ~= 2 months. Either way, this is still in the range of feasibility and thus not enough for most users.
This was based on OWASP-recommended KDF settings, which are/were based on the tests published by Steve Thomas (sc00bz), which in turn were calibrated to throttle the hash rate to <10kH/s/GPU. I also assumed a GPU cost of $2k/GPU (which was an extrapolation, because the current retail price of top-tier GPUs is now closer to $3k, and because Thomas’s benchmarks assume a price commensurate with a “high-end but not super high-end GPU”, estimated at ⅔ the cost of a top-tier GPU). The bottom line is that I assumed that the effective hashing rate for a $10k rig would be 50 kH/s.
With the above assumptions, a brute-force attack against a 3-word passphrase would on average require ½×77763 = 235 billion guesses, which at 50 kH/s would require some 4.7 million seconds, which is 55 days.
Thanks for linking the Argon2id benchmark numbers. I read these as claiming 1667 H/s per GPU for the RTX 4090 (at m=64, t=3, p=1). So six GPUs (your assumption) should yield an effective rate of 6×1667 H/s = 10 kH/s, no? Or is there some kind of correction for the fact that Bitwarden uses p=4 by default? At 10 kH/s, and exhaustive search of 77763 possibilities should take 1.5 years, not 9 years.
Try a little friendlier tone next time. You’re creating bad blood.
Of course I’m taking my master password security seriously. But your method of using a passphrase consisting of at least 4 random, unrelated words carries a way too high risk of forgetting it.
No unfriendliness or offense intended, but my remark may have been a little frank, simply because you seemed not to be appreciating the seriousness of the advice that @Neuron5569, @DenBesten, and I were trying to give you.
I don’t doubt the sincerity of your intentions, but to be frank again, I get the impression that you may not have sufficient knowledge of cryptography to fully understand the dangers of using a nonrandom master password.
To be clear, this is not “my” method, it is a well-established best practice for cryptographic secrets (e.g., passwords) that must be memorized, manually typed, or spoken.
It is not difficult to commit to memory a passphrase consisting of 4 words (or even longer). This can be done via mnemonic devices and repetition, but generally requires some initial investment of time, and a commitment to practicing recall of the passphrase until it has been committed to long-term memory and muscle memory. It shouldn’t take more than a week’s practice to be able to type out the passphrase fluently at will.
That being said, it is dangerous to rely on human memory alone for the vault password, as the risk is high for memory failures (temporary or permanent) — a risk that is present for both random and nonrandom master passwords. For this reason, another best practice for those who use password managers is to create an Emergency Sheet to be stored in a secure location. This is an essential protection against memory loss.
This risk is significant regardless of how a password is generated. The solution is to maintain an emergency sheet and perhaps a backup/export.
Random is important in passwords because human behavior is predictable.
Also because effective strength of nonrandom passwords is unknowable, so using such a password for one’s Bitwarden account amounts to protecting the vault based only on hope, faith, or luck.