If my Bitwarden vault gets stolen (as per Lastpass customers) would 2FA still provide additional security?

Hi all,

I’m new and just about to jump ship from Lastpass. Before I move to Bitwarden I wanted to find out about 2FA.

If, hypothetically, Bitwarden was hacked and all its customers’ vaults were stolen, would a hacker still require the 2FA method set up on the vault (yubikey in my case) if they managed to crack the master password?

I believe this isn’t the case with Lastpass. Even though I had 2FA with Lastpass, it means nothing now if the hackers cracked my master password.

Any thoughts to put my mind at ease would be much appreciated.

Thanks,
Fin

I am also a LastPass refugee. I am interested in the correct answer. A key difference is that a very significant part of our LastPass vaults were not encrypted at all. That would allow a hacker to better focus their hacking efforts on higher value vaults. Also, I believe that the LastPass seeding and hashing techniques were generally not as strong as Bitwarden’s. To answer your question: I have a “guess” that the answer is that the hacker would not require the 2FA method. However, that guess is not based on any facts or knowledge, so I suggest we continue to monitor this post to see what the very knowledgeable members of the forum have to say. I am quite sure that a very strong password can make cracking the master password so time consuming and expensive that the hackers would probably move on to lower hanging fruit giving you plenty of time to change your passwords. Of course, the definition of what constitutes a very strong password and how much time is “plenty of time” can be debated.

1 Like

Welcome to the forum!

The response by @BitCommunity is essentially correct.

In essence, the way this works is that your vault contents are stored encrypted on Bitwarden’s servers (in the case of LastPass, the stored passwords were encrypted, but a lot of other sensitive information was stored unencrypted). The login process authenticates you to the cloud servers (i.e., you convince the server that you are you, by using a master password that only you should know, and by proving that you are in possession of a 2nd factor that only you should have); once you pass the authentication test, the server delivers a copy of the encrypted vault data to your device, where the decryption process occurs. Decryption involves using your master password as a decoder to decipher a scrambled encryption key, and then using the encryption key to decrypt the vault contents. Note that the 2FA factor is used only in the authentication process, but it is not used in the vault decryption process that happens on your device.

If an attacker is able to break in to the cloud servers where your vault is stored, or if they are able to break in to one of your devices that have a cached copy of your vault (the copy that was downloaded when you logged in), then they can make a copy of your encrypted vault data (and in the case of LastPass, also your unencrypted vault data). Thus, they would have no need to go through the whole authentication process, the goal of which is to request a copy of the vault data to be delivered to you by the cloud server. Therefore, 2FA is irrelevant to this type of attack scenario — and that is true of any online data that require authentication by password and 2FA to gain access.

Ultimately, the main defense against a breach of your vault is a strong master password. Unless you are a high-value target, a master password with around 50 bits of entropy or more will be sufficiently strong to secure your vault. Note that entropy can be produced only by randomness from unbiased, unpredictable sources (e.g., cryptographically secure pseudorandom number generators, electronic noise, dice throws, or coin tosses — not the human mind, no matter how creative or unconventional you perceive your thought processes to be). You can generate a sufficiently strong master password by using the passphrase option (set Type=Passphrase) in Bitwarden’s Password Generator. If you are sufficiently disciplined to select the first passphrase generated (without touching the “Regenerate” button), then you can reduce the number of words to 4 (e.g., by pressing your keyboard’s button once) and pick the first passphrase displayed. Conversely, if you think that you will be tempted to use the “Regenerate” button to weed out passphrases that you don’t like, leave the number of words at 5 (to compensate for the entropy reduction caused by such cherry-picking).

If you have generated a strong master password in this way, then it is virtually uncrackable and you do not have to worry about anybody being able to guess your vault password. The 2FA is primarily protection against a different type of attack — in which the attacker already knows your master password (e.g., by shoulder surfing or by phishing), and therefore doesn’t have to do any brute-force guessing.

2 Likes
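The passphrase guidance in the post above, worked through as an added example (not part of the post and not Bitwarden's code). It assumes words are drawn uniformly from a 7776-word list (the size of the EFF long word list) and uses the bound that viewing `k` generated candidates and keeping a favourite costs at most log2(k) bits.

```python
import math

WORDLIST_SIZE = 7776  # assumption: size of the EFF long word list


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words drawn uniformly and independently."""
    return words * math.log2(wordlist_size)


def worst_case_bits(words: int, candidates: int,
                    wordlist_size: int = WORDLIST_SIZE) -> float:
    """Lower bound on min-entropy after cherry-picking.

    If the user views `candidates` generated passphrases and keeps one,
    any particular passphrase ends up chosen with probability at most
    candidates / N, where N is the number of possible passphrases.
    """
    if candidates < 1:
        raise ValueError("at least one candidate must be generated")
    return passphrase_bits(words, wordlist_size) - math.log2(candidates)


def max_candidates(words: int, target_bits: float,
                   wordlist_size: int = WORDLIST_SIZE) -> int:
    """Most candidates that can be viewed while the bound stays >= target."""
    slack = passphrase_bits(words, wordlist_size) - target_bits
    return int(2 ** slack) if slack >= 0 else 0


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"{n} words: {passphrase_bits(n):.1f} bits, "
              f"up to {max_candidates(n, 50)} candidates for >= 50 bits")
```

With a 50-bit target, four words leave almost no room for regenerating, while five words leave a large margin.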

I look at it this way: 2FA acts as permission to send a package to the device where the 2FA was used. Your master password then gives you permission to unwrap that package.

2FA has no value for either client-side attacks (encrypted vault scooped from your local device) or server-side attacks (all the vaults scooped in a hack like LastPass). It does have tremendous value in thwarting remote attacks: for example, someone in a different country who theoretically already has your master password is unable to get it delivered to them as they can’t provide that permission via 2FA. This is why 2FA is weakest via SMS (device cloning so they can receive your 2FA code via text), then via an Authenticator app (susceptible to phishing/keylogger malware), and finally a hardware security key via WebAuthn (the most secure form of 2FA) in settings, not via the slightly weaker but still good Yubikey OTP.

I would also argue -and some will disagree- that if your choice is between SMS and email delivery of a 2FA, an email account protected by a very complex password that is never reused and a hardware security key via WebAuthn will be more secure than SMS delivery (but if you already own the hardware key for email then set it up for Bitwarden, as well). That said, for most people who aren’t specifically targeted (by state actors; by hacking groups going after your crypto, etc.), SMS is going to still be an acceptable level of security. However, an authenticator app like the one available within Bitwarden for Premium plans is a good integrated solution and easy to use.

As another LastPass refugee, welcome to Bitwarden!!!

1 Like

A very sincere thank you to both grb and 222.

2 Likes

Thank you very much for all the excellent info.

I’ve learned heaps and finally understand the distinction between authentication with 2FA and encryption of the vault using a strong master password. I’ll be following those entropy guidelines.

It’s very interesting and I will continue to learn more. Bitwarden seems to have an excellent community that Lastpass didn’t. It’s very encouraging and I feel I’m making the right move moving to Bitwarden.

In addition to the client side encryption, there is an additional encryption layer applied at rest:

Bitwarden additionally uses Azure transparent data encryption (TDE) to protect against the threat of malicious offline activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest.

1 Like

@grb thank you for the explanation. However I still think 2FA would be very useful to prevent certain scenarios, for example if malware steals the vault from your local machine and your master password (with a keylogger).

So something like master password + key file in KeePass (see encryption - KeePass: use a key file or a regular password? - Super User), where the additional key would use some secure mechanism (Yubikey?).

I would be glad to pay for such feature.

@bitsec Welcome to the forum!

2FA would not protect against the scenarios you have described. In fact, if an attacker has the ability to install a keylogger on your device, then they would also have the ability to steal a “keyfile”, so neither a keyfile, nor any form of 2FA would provide any protection.

In fact, an attacker with such level of access to your device could just copy all of your unencrypted vault secrets directly out of your device memory, so they wouldn’t even have to bother cracking your encrypted vault.

Thank you for a quick reply!

I am not an expert on this topic, just brainstorming a bit here :)

I was under the impression that YubiKey has protection against malware (unless there’s some 0day vulnerability), so it shouldn’t be possible to easily steal the key. Not sure about protection for the data which is passed from YubiKey to the program using it. If it would be possible to use a short-lived token as a 2FA mechanism, then at least the impact might be somewhat limited… I see that KeePass has support for YubiKey, but it’s not clear if it’s possible to use it together with your master password (so it would be both “something you know” and “something you have”).

Regarding device memory, I was incorrectly assuming that OS offers this protection, but this is not the case. There are some mechanisms to improve memory protection, such as Intel SGX, which is also used by 1Password.

There are probably various ways this could be bypassed if you have malware running on the machine. Just wondering if it would make sense to implement additional security measures, to make it harder for the attacker…

@bitsec Let’s make two things very clear:

  1. No form of 2FA provides any protection if an attacker has breached Bitwarden’s servers and stolen the vault database (e.g., what happened at LastPass). As @222 eloquently summarized it above: “2FA acts as permission to send a package to the device where the 2FA was used. Your master password then gives you permission to unwrap that package”; in this analogy, if the attacker has already stolen the package, then they no longer need to request that the package be sent to them by Bitwarden, so 2FA is irrelevant.

  2. If you have malware on your device, then it’s “game over” — the attacker would have myriad ways of accessing your vault data, no matter what security measures you have put in place. Protecting your devices against malware should be your highest priority.

Hi @grb

  1. I understand how 2FA is currently implemented at Bitwarden. I was just curious if it is theoretically possible to have a master key which unlocks a vault, that is combined from a master password (something you know) with a second secret, e.g. from a YubiKey (something you have). So it would not be possible to unlock a vault (i.e. “unwrap the package”) without both pieces of information.

  2. I understand and mostly agree. However, I think with security it’s good to have a layered approach, and try to make it harder for an attacker. There are various types of malware, and some protection might be good enough for certain malware (e.g. if it runs as a normal user instead of root user, additional layer of protection might be enough to defend against it). There must be some value in mechanisms such as memory protection (including Intel SGX) for certain use cases, otherwise I don’t know why people would spend time investigating it. But if it adds meaningful protection to a password manager, I don’t know.

Anyway, this was not meant as a critique of your product (if it was perceived as such). Just curious what protections are possible and make sense from cost/benefit perspective.

cheers

I am not a Bitwarden employee; I have no affiliation with Bitwarden other than being a customer, just like you.

That would be possible today, if you use your Yubikey to inject a static secret before or after you type in the memorized part.

At least in Windows, a process running as user can read the process memory from any other process. Thus, as soon as you unlock your vault, its decrypted contents are available to malware running on your device.
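The distinction this thread draws between authentication (master password plus 2FA) and decryption (master password only), as an added example that is not part of any post and is not Bitwarden's code. It is a simplified model: the HMAC-based keystream stands in for a real cipher, the second factor is a static constructed code, and `device_secret` models the static hardware-key secret suggested above.

```python
import hashlib, hmac, secrets

ITERATIONS = 50_000  # constructed demo value, not a recommendation

def derive_key(password, salt, device_secret=b""):
    # device_secret (assumption): static secret typed in by a hardware key
    # next to the memorized part, so it becomes part of the key material.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + device_secret,
                               salt, ITERATIONS)

def _sub(key, label):  # independent sub-keys for encryption, MAC and login proof
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # toy keystream standing in for AES
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered blob
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def enroll(password, second_factor, device_secret=b""):
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt, device_secret)
    return {"salt": salt, "auth": _sub(key, b"auth"),
            "second_factor": second_factor,
            "blob": seal(key, b"constructed vault contents")}

def server_login(record, key, second_factor):
    # Authentication gate: the blob is released only if both checks pass.
    ok = (hmac.compare_digest(record["auth"], _sub(key, b"auth"))
          and hmac.compare_digest(record["second_factor"], second_factor))
    return record["blob"] if ok else None

def scenarios():
    rec = enroll("correct horse", b"123456")
    key = derive_key("correct horse", rec["salt"])
    mixed = enroll("correct horse", b"123456", device_secret=b"static-from-key")
    return {
        "remote login, password but wrong 2FA": server_login(rec, key, b"000000"),
        "stolen record + password": unseal(key, rec["blob"]),
        "stolen record, wrong password": unseal(derive_key("guess", rec["salt"]), rec["blob"]),
        "stolen record + password, secret mixed into key":
            unseal(derive_key("correct horse", mixed["salt"]), mixed["blob"]),
    }
```

`scenarios()` returns `None` wherever access is denied: the second factor blocks only the login path, a stolen record opens with the password alone, and mixing a device secret into the key changes that only while the secret itself stays out of the attacker's hands.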