Is it possible to totp brute force attack on bw's totp authentication?

Hello,

I read this article at reddit.

Is it really possible to totp brute force attack on bw’s totp authentication?

OK, I did not see the link you had earlier, so Yuri is correct, TOTP is a moving target, so you would not only need to guess the code, but also do it at the right time because the code changes every 30 seconds.

One issue is if someone breaks your master password, they would know your secret and know your TOTP. This is why security conscious users don’t like to store the secret in the password manager. They would recommend that you store the 2fa on a separate application, so if they hack your password manager, they have to hack your 2fa application, too.

1 Like

I’m not qualified to talk about how Bitwarden works, but I believe I can clear some misunderstandings based on what you linked.
That post on reddit sends to an article which talks about brute forcing TOTP, assuming that someone already stole your username and password. Keep in mind that if someone does that, without TOTP, or any other two factor authentication methods, you are already considered as completely hacked and compromised.
As you probably know, TOTP as is provided by Google Authenticator, gives you a 6 digit code EVERY 30 seconds. This code is calculated based on time from a static code (that QR code you scan, which is actually just a sequence of characters). For any code generation, there are 1000000 possibilities, which helps to know to calculate the chance of success of finding the right combination.

Assuming that no security measures are in place, you can make many attempts per second. In the article, a random number is chosen, that being 10. That means that in the conditions stated, someone could try to guess the code about 300 times in and only in that 30 second span. This gives you about 0.03% chances to find the right numbers. Because each 30 seconds attempt you are looking for another combination, the chances do not change, not being unaffected by the previous result. Your chance to get it right is still 0.03% in the end.

The article says you can compute all the possible codes in about 3 days at that rate. Sure, IF the code never changed that would be a concern, BUT it changes every 30 seconds.

That is also assuming that you don’t have security measures in place. Most sites have something to prevent you from spamming those brute force attacks. So a more realistic number of attempts at brute forcing per 30 seconds would be perhaps around one attack per second or even less. So that brings us to about 30 attempts for the time span of 30 seconds. Some go even further and after you reach a given number of attempts will block you for a while, which lowers the actual chance of success over a larger period of time. Anyways, that brings the chance of guessing your TOTP in those 30 seconds to about 0,00003%. And because what was tried in the previous 30 seconds it could still be a viable option in the next 30 seconds, you’re still averaging about 0,00003% chance to get your TOTP correctly.

Again, this considers that your user and password are already known by the attacker. Without those, the attacker must brute force every single length of possible passwords until it reaches the maximum, which I’m not sure what it is, but just to crack a 16-character password can take more than your next few lives and it’s only going up from there.

1 Like

10 attempts is unrealistically low for “no security measures”. More like 100+, especially with threading.

1 Like

I was curious and tried entering a bad TOTP into an Outlook account. It let me enter like 5 tries and then said that it was no longer accepting input and to try it later.

Based on this, and depending on implementation, it would be difficult to brute force a 2FA. You would need to

  1. Break the password.
  2. Try repeatedly to enter the TOTP code within the time window. This will be limited by how many times you can enter the code and get a response and how quickly the site shuts you down. I think most sites will shut you down after about 5 tries.

Assuming your password is crap and they guess it because you used your name as password or something. They now have to guess a 6 digit code, they have to guess it within a 30 second window and also have to work within 5 tries. They can keep repeating this of course, but doing this repeatedly would probably raise some alarm that your account is being hacked. Perhaps you will start getting hundreds of thousands of login failed emails, which will prompt you to change your password.

It’s probably much easier to bypass 2FA either through social engineering or by reading the secret off your device (if that is even possible).

1 Like

Thanks for your kind reply.

Keep in mind that if someone does that, without TOTP, or any other two factor authentication methods, you are already considered as completely hacked and compromised.

OK. I’m assuming, master password has already been compromised, but TOTP authenticator has not been compromised yet.

Most sites, have something to prevent you from spamming those brute force attacks.

I care about Bitwarden’s TOTP authentication.
When I try to input wrong codes 11 or 12 times at bw’s totp authentication, I come across the rate limit.
But, at the same time, I can input other totp code from the computer which has other global IP address.

Does this mean I can increase the maximum rate limit as I prepare the computers which have global ip address?

BUT it changes every 30 seconds

Yes, it changes every 30 seconds.
But when I prepare 100 pc with global ip address, and try to input “same static” unique totp codes 10 times at each pc,
I can try 1,000 codes per 30 seconds. And if I keep on try same 1,000 totp codes every 30 seconds through a day,
Isn’t it the same as drawing a lottery with a winning probability of 0.1% , 2,880 times a day?
(2,880 = 24 hours * 60 min * 60 sec / 30 sec)

I know Yubikey OTP is safer than TOTP, but I want to know how TOTP is safe.

1 Like
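The lottery arithmetic from the post above, worked through as an added example (not part of the original thread and not Bitwarden's code). It assumes each 30-second window is an independent draw over 10^6 codes; the per-IP limit of 10 and the 100-IP figure are the thread's numbers, while `account_limit` and `accepted_codes` are hypothetical parameters.

```python
import math

CODE_SPACE = 10 ** 6                      # 6-digit codes
WINDOWS_PER_DAY = 24 * 60 * 60 // 30      # 2,880 thirty-second windows


def guess_budget(per_ip_limit, ips, account_limit=None):
    """Codes that get evaluated per window under a given rate-limit policy."""
    budget = per_ip_limit * ips
    if account_limit is not None:         # an account-wide cap ignores IP count
        budget = min(budget, account_limit)
    return min(budget, CODE_SPACE)


def per_window_probability(guesses, accepted_codes=1):
    """P(at least one of `guesses` distinct codes is accepted) in one window.

    accepted_codes > 1 models a server that also accepts adjacent time steps
    (an assumption; the thread does not say what Bitwarden accepts).
    """
    miss = 1.0
    for i in range(accepted_codes):
        miss *= max(CODE_SPACE - guesses - i, 0) / (CODE_SPACE - i)
    return 1.0 - miss


def cumulative_probability(guesses, windows, accepted_codes=1):
    """Windows are independent draws because the code changes every window."""
    p = per_window_probability(guesses, accepted_codes)
    return 1.0 - (1.0 - p) ** windows


def windows_to_reach(target, guesses, accepted_codes=1):
    """Smallest number of windows with cumulative probability >= target."""
    p = per_window_probability(guesses, accepted_codes)
    if p <= 0.0:
        return math.inf
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def compare_policies():
    """Cumulative probability over one day for the policies under discussion."""
    policies = {
        "per-IP limit 10, 1 IP": guess_budget(10, 1),
        "per-IP limit 10, 100 IPs": guess_budget(10, 100),
        "per-IP 10 + account cap 10, 100 IPs": guess_budget(10, 100, account_limit=10),
    }
    return {name: round(cumulative_probability(g, WINDOWS_PER_DAY), 4)
            for name, g in policies.items()}
```

The comparison shows why the limit has to be tied to the account rather than the source address: a per-IP budget grows with every address added, while an account-wide cap keeps the one-day figure at the single-IP level.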

You were asking about Bitwarden TOTP, which is stored in the account. If they have hacked your master password, then they would have access to your TOTP in Bitwarden and would not need to brute force your TOTP. They could just use Bitwarden to log into the account, so your scenario only applies if you use a different TOTP like google authenticator, authy, etc. This is why many security experts recommend that you do not store TOTP in your password manager. Once someone hacks your master password, it’s all over.

How a site responds to the wrong TOTP code is controlled by the site’s code. I believe the recommendation for the TOTP standard is to allow maybe 5 logins before locking you out temporarily. You cannot control what a site does.

I am no expert, but I would assume that a TOTP gives you 1 in 6 digit combination to succeed each time you try it. If you continuously try the same number, it’s possible to hit on the right combo eventually, but keep in mind that on most sites you will probably lock the account out for like 15 minutes after 5 tries or so. Also continuously attacking TOTP would probably be noticed either by the user who will call the helpdesk about why his or her account keeps locking out or by the vendor who notices an unusual login pattern. Unless you are being targeted specifically, TOTP brute force will probably not be deployed since it is not practical.

If you are targeted, a Yubico key would be the way to go, but you just use the Yubico FIDO/U2F and not the OTP. The TOTP on yubico is essentially the same as OTP anywhere else.

1 Like

Thanks for your kind reply.

Sorry for confusing you with my poor english.

You were asking about Bitwarden TOTP, which is stored in the account.

No, I’m not asking about Bitwarden Authenticator (the TOTP function to log in to web sites, stored in the items in the Bitwarden account).
https://bitwarden.com/help/article/authenticator-keys/

I’m asking TOTP function which I use to login to bitwarden account.
https://bitwarden.com/help/article/setup-two-step-login-authenticator/

How a site responds to the wrong TOTP code is controlled by the site’s code.

I care about how bitwarden controls wrong TOTP codes.

Ah Ok, that makes more sense now. You may want to email Bitwarden directly to figure out how to implement TOTP incorrect login. My guess is that they will at least have 5 login limit with a limited time lockout. Since it’s the password manager, I am not going to try it on my end since it may lock out the account and require some sort of call to Bitwarden to unlock.

Every time you missed a login, I believe Bitwarden sends an email to your email address. If someone is bruteforcing your account, you will get hundreds of thousands of emails, which will alert you that someone has your master password, so you would go and change it.

I would recommend a yubikey if you get the premium version, since it’s not vulnerable to brute force. While TOTP is vulnerable to brute force, it would be really difficult to hack it using brute force before someone notices.

1 Like

As I mentioned, I’m not aware about the way Bitwarden implemented this, but since you said you noticed this behavior, I have tested this as well.

Assuming that the username and password have been compromised, my findings are the following:

Introducing the TOTP code wrong about 10 times will block your attempts per IP for a while. Using a new browser did not help. I did not have the time to experiment and figure out if changing devices lessens the block time, but if that’s not the case, the block duration is really small.
You can’t use the same IP to brute force it from my tests, therefore you need multiple ones. This can be achieved with a CONDOM, but realistically is yet to be determined if you can truly brute force it.

Depending on what VPN you’re using, it may allow a random number of connections. Taking into consideration the 10 attempts per 30 seconds, this means that we need 100 000 connections to be able to have a 100% chance of guessing the TOTP.

This brings us to a new problem. How many connections is it realistically possible to obtain in order to break the TOTP.

Depending on the answer to that, this could be an issue if there is indeed no safety implemented. I was not able to lock myself out of the account by doing this from the same browser but with different IPs. Perhaps the reason for that is that my attempts were not fast enough (still needs to be confirmed).

Further tests need to be conducted on this. I also didn’t get any emails regarding those attempts.

1 Like

I was basing this on testing on a different service mostly because I can’t afford to lock out the bitwarden account. I was basing this on an assumption that TOTP is probably very similar across different vendors.

I was also basing this on an assumption that one could not brute force a TOTP so easily because it would be difficult to attack it with only a few tries per TOTP window. However, I was not nearly clever enough and did not think about using multiple clients, which would greatly increase the odds of getting a hit. My math is a bit rusty on combinations, so I am not certain it’s 100,000 connections, but I will take your word on it. One would think if you try with all possible combinations of 6 digits, it might work, but I would think the firewall would not perhaps 100,000+ connection to the same account. Even if you can try 100,000+ connections, only 10 would be accepted within the 30 second window so maybe more clients may not help.

I was mistaken about the email because I can see lots of email, but a closer look reveals that they were telling me that a new device was added and not that a login has failed.

1 Like

I was mostly asleep while writing that, and in a bit of a hurry, but I will explain the logic I used, just to ensure there’s no flaw in it.

Given that there are about 6 numeric characters in a TOTP for Bitwarden, each one of them having 10 possibilities (numbers from 0 to 9), that means that we have 10^6 total different codes that we can obtain, which is 1 000 000 possibilities.

When I tested the TOTP, I was blocked on a single IP after 10 wrong attempts, regardless of the device, but the block didn’t last that much… maybe 30 seconds or so. Testing with different IPs at the same time, I was limited at 10 per IP.

That means that for one IP I can have 10 codes to try. That implies that we need to coordinate about 10^5 IPs to have a 100% chance of breaking the TOTP… that is 100 000 IPs.

It is quite unrealistic that we need all those 100% chances in order to do it… so I will cut it further… I personally believe that any number between 1% and 10%+ is an issue…
This leads us to 1 000 - 10 000 IPs for 1-10% chance.

For reference, the Tor network has about 8500 nodes, which is quite close to the 10% chance mark. Now the question is whether it is realistic that hackers can obtain such resources, and if there really aren’t any protections.

Do correct me if I’m wrong.

Perhaps someone from the Bitwarden team could address this?

Thanks, I was half asleep in my reply, too. So you need to guess from 000000 to 999999 with 10 attempts per 30 minutes. So the account does not lock after 10 attempts? You can actually increase that 10 limit by using another network node.

I think TOTP by nature is only resistant to brute force, but it’s not proof against it. You still need a combination of good password + 2fa. If you are targeted by hackers because you have stuff like cryptocurrency, then you should try to protect it using something like a Yubikey, since it’s possible to brute force 2fa over time, but only after you can crack the password.

The only way I can think of to prevent this would be some sort of account lockout policy where you have to contact the vendor to unlock the account. However, this would increase customer service cost, which may explain why Bitwarden wouldn’t want to do this.

The next best thing would be to generate some sort of warning when you failed to login along with IP location from login. A large number of emails would alert the user that something is amiss. The message should explain in layman’s terms what is happening.

1 Like

Honestly, if you’re terrified that someone still has a 0.00000001% chance of finding your TOTP—simply because it’s a non-zero chance—then you should get a Yubikey. Having a hardware USB key that you must insert in order to log in would 100% prevent someone from accessing your vault without it, whether they knew your credentials or not.

1 Like

@chyron8472 if you’re going to barge into a discussion, please ensure you know what the discussed subject is. We’re not talking about 0.00000… chance to break into your account, but a 1-10% chance of it happening.

@paulsiu The account didn’t lock from 30 attempts per 30 seconds done simultaneously from 3 devices on 3 different IPs. I have continued to try entering wrong OTPs by using other IPs, but still nothing. No warnings or locks.
This is concerning, as it indicates to me that there may not be any security checks besides a simple IP limiting of having 10 tries per 30 seconds.

The solution to this can be actually very simple.

You keep the initial 10 tries per 30 seconds per IP.

Once someone tried to connect and got the password right, but the OTP was wrong 10 times consecutively, regardless of the IP/device used or the time passed, send an email to the user warning them that they may be compromised.

Once the user is warned, the number of tries should be reduced to about 1 to 3 per IP per 30 seconds. This can greatly reduce the chances of someone brute forcing it, even if they can get a ridiculous amount of IPs, while not inconveniencing the actual user who can get those credential right likely from the first try.

Once the user logs in, this number of tries should be reset to the 10 per 30 seconds. Perhaps also show an alert inside the vault to inform the user that their master password may have been compromised.

This does not require a lot of extra computing power, besides an email that is sent once when the 10 OTPs are consecutively introduced wrong, and a few more checks.

I’d still like to see what the take on this issue is of someone from the bitwarden team.

1 Like
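One way the scheme proposed in the post above could be expressed, as an added example that is not part of the original thread and not Bitwarden's code. The class name, the `notify` hook and the reduced limit of 3 (the post says "about 1 to 3") are assumptions; the traffic in `demo()` is constructed.

```python
from collections import defaultdict, deque

WINDOW = 30          # seconds, one TOTP step
NORMAL_LIMIT = 10    # tries per IP per window (figure observed in the thread)
REDUCED_LIMIT = 3    # tries per IP per window once the account is flagged
ALERT_AFTER = 10     # consecutive wrong codes, counted across all IPs


class TotpThrottle:
    """Per-IP rate limit plus an account-wide consecutive-failure counter."""

    def __init__(self, notify):
        self.notify = notify                  # hypothetical hook: sends the warning email
        self.failures = defaultdict(int)      # account -> consecutive wrong codes
        self.flagged = set()                  # accounts already warned
        self.recent = defaultdict(deque)      # (account, ip) -> attempt timestamps

    def _allowed(self, account, ip, now):
        stamps = self.recent[(account, ip)]
        while stamps and now - stamps[0] >= WINDOW:
            stamps.popleft()                  # forget attempts older than one window
        limit = REDUCED_LIMIT if account in self.flagged else NORMAL_LIMIT
        if len(stamps) >= limit:
            return False
        stamps.append(now)
        return True

    def attempt(self, account, ip, now, code_ok):
        """Call only after the password check has passed. Returns the outcome."""
        if not self._allowed(account, ip, now):
            return "throttled"                # the code is not even evaluated
        if code_ok:
            self.failures[account] = 0        # owner is in: back to the normal limit
            self.flagged.discard(account)
            return "accepted"
        self.failures[account] += 1
        if self.failures[account] >= ALERT_AFTER and account not in self.flagged:
            self.flagged.add(account)
            self.notify(account)              # one email, not one per failure
        return "rejected"


def demo():
    """Constructed traffic: three IPs each send 10 wrong codes in one window."""
    sent = []
    throttle = TotpThrottle(notify=sent.append)
    evaluated = 0
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        for second in range(10):
            if throttle.attempt("alice", ip, second, code_ok=False) == "rejected":
                evaluated += 1
    # The owner then logs in from a fresh IP with a correct code.
    owner = throttle.attempt("alice", "203.0.113.7", 20, code_ok=True)
    return evaluated, sent, owner, "alice" in throttle.flagged
```

In the constructed run only 16 of the 30 wrong codes are evaluated and a single warning is sent. The budget still grows with the number of IPs (3 per address instead of 10), so an account-wide cap would be needed to remove that dependence entirely.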

I understand the subject just fine. The subject is the probability and/or danger of someone hacking a Bitwarden Vault which is protected with a 2FA TOTP. And for the record, this is a public forum. People come and go. Additionally, you’re not setting a proper example of the Bitwarden community by talking down to me like that. So I would appreciate some respect.

Do you know what hyperbole is? And no, we’re not talking about a 1-10% chance. The chance of hacking a code with literally one million combinations in thirty seconds or less is not between 0.1 and 0.01.

If you would get over yourself, you could recognize that having an encrypted hardware key would make the probability zero percent, assuming someone didn’t 1) physically steal it, 2) know what it was for, and 3) know the username and master password. Therefore, it is a legitimate solution to suggest. I was not trolling. It was a legit suggestion for someone who is concerned about hacking probabilities to a singular point of access to every account they have being non-zero. People have yubikeys for that reason.

So really, I would appreciate it if you made an effort to be nicer to people in the future.

1 Like

Interesting that the account did not lock temporarily after 10 tries, limiting the damage to only 10 per 30 second. Is there a reason why the limit would be tied to an IP? If a request to bitwarden fails to login, shouldn’t the account prevent requests from all IPs? Why do you think each IP gets its own set of tries?

I agree with your recommendation. Perhaps you should put it as a feature request.

I noticed the following article by someone who successfully used this method to hack the 2fa on a travel service provider in India. They were using a 4 digit OTP. The article did not say how long it took them to do it.

I am wondering if Bitwarden developer could chime in, too.

A number of my relatives are really bad at passwords and one of my recommendations to them was to use 2Fa to make up for the bad password. My thought was that even if they managed to get their password, they would still need to break 2fa and that would be really difficult. Now it appears that I should have paid more attention to how the 2fa may be implemented, so I thank you for your thoughtful analysis.

2 Likes

Interesting article. However, for that Indian server it seems like there was no security at all. In this case there is at least a limitation per IP from what I have noticed. It is a bit more difficult to put in practice as the attacker needs to obtain control over thousands of devices, although, history proved that it’s not impossible.

On the other hand, like I mentioned, there may be something that we don’t know, reason why I think it’s best to turn to someone from bitwarden. I have used so far limited resources to test this. Using 3 IPs to achieve 30 attempts per 30 seconds may not be enough to trigger some security checks which we may not know about.

It looks like someone asked before about brute force attacks on passwords, and this was the answer:

Unfortunately, that does not ensure that it works the same with TOTP.

Skimming through the code I’ve seen some functions to block IP, but to actually figure it all out it could take a bit more time than I can offer.

I wonder if by tagging we can notify other users to see the topic.
Perhaps @tgreer can clarify whether there are any user notifications and security checks beyond the 10 tries per IP in a time span for TOTPs and whether it is possible to brute force it by splitting the workload among other IPs, having thousands of them try different TOTPs for a single account. (Assuming the user and password are already compromised). And if there are, what is the limit.

If tagging doesn’t work, then your idea @paulsiu about creating a feature request could be what we should do.

1 Like

@chyron8472

Thank you for your reply.
Yes, I’m using Yubikey as 2SA(2FA) method to login my Bitwarden account.

I don’t want to know what is the safest 2sa method,
but I want to know the possibility to brute force attack on Bitwarden’s “Two-step Login via Authenticator” (bw’s totp authentication).

@Yuri

We’re not talking about 0.00000… chance to break into your account,

Yes,

but a 1-10% chance of it happening.

yes, but please don’t forget we can have 2,880 chances per a day.

When I roll the dice, I bet on 1. The probability getting 1 is 1/6.
If I can roll the dice again and again and again, and I keep betting on 1.
I must get the 1.

I care about,

  • by preparing different global IP address, increase the ratelimit
  • by keep on using static totp codes (keeping on betting same totp codes)
  • by trying totp authentication again and again (if no account locked out, no delay for a retry, no alert)

someone can break the Bitwarden’s “Two-step Login via Authenticator” with a realistic probability.

I see.

I’m wondering how it would work, to notify the user of a failed login attempt, if Bitwarden was self hosted…