Is the login from the app encrypted?

The login from the app is encrypted, so that if we connect on a hotel network, for example, without a VPN, the login would still be encrypted and protected like an HTTPS web connection.

I am not sure what your question is. Could you restate it?

The master password is hashed into an unrecognizable form by your computer, and then encrypted for transmission to Bitwarden’s servers using the TLS protocol.


Sorry for not answering sooner, I had a busy few days.
OK, so the password, before leaving my computer, is hashed and encrypted to travel to the Bitwarden server in such a way that it is never exposed.
Correct?

@will The short answer is yes. Your master password is never transmitted or stored in plain text, ever.

For a more complete explanation read this document. The graphs on pages 9-10 display the workflow.

https://bitwarden.com/images/resources/security-white-paper-download.pdf

Yes, you got it! :rocket:

But if it is transmitted as a hash … we still have a problem…

On this website you enter the password in hash format and it returns it to you in plain text.

From the crackstation.net webpage that you linked:

This only works for “unsalted” hashes.

The master password hashes that are transmitted by Bitwarden are salted, so these pre-computed hash tables are ineffective.

In addition, crackstation.net is only capable of cracking the following types of hashes:

LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

Bitwarden uses PBKDF2 for hashing by default, and Argon2id as an option, neither of which can be cracked using crackstation.net.

Finally, crackstation.net has precomputed hashes for only 1,493,677,782 words. Thus, it cannot crack passphrases, which consist of multiple words.

If you want to try it to convince yourself, create a strong master password by using Bitwarden’s password generator with the Type option set to Passphrase (keep all other settings at their default values), then enter your email address and the generated passphrase into the Email and Master Password input fields on Bitwarden’s interactive cryptography page; optionally, change the value of Client PBKDF2 Iterations to 600000 (or to the actual value from your account settings, if you are using PBKDF2-HMAC-SHA256 for key derivation). Finally, copy the computed value shown in the Master Password Hash field, and try to use crackstation.net (or any other hash cracking tool, including Hashcat) to crack the hash. It can’t be done in a million years.

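The two answers above (the "hashed, then sent over TLS" summary and the salted-PBKDF2 explanation) describe the same client-side derivation. The following is an added example, not code from Bitwarden or from anyone in this thread, that reproduces the PBKDF2-HMAC-SHA256 variant as I read it from the security white paper: the master key is PBKDF2(password, salt = normalized email, N iterations), and the value actually sent to the server is one further PBKDF2 round of that key with the password as salt. It then shows why a crackstation-style lookup table works against an unsalted SHA-256 hash but not against the salted, iterated hash. The email addresses, passwords and the small lookup table are constructed for the demonstration; the Argon2id option is not shown because it needs a third-party library.

```python
import base64
import hashlib
from typing import Optional

# Iteration count is a parameter so that the derivation can be run quickly in
# a test; 600000 is the default the thread mentions for new accounts.
DEFAULT_ITERATIONS = 600_000


def master_key(password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Client-side master key: PBKDF2-HMAC-SHA256 keyed by the password,
    salted with the trimmed, lower-cased email address (assumed normalization)."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def master_password_hash(password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """The 'Master Password Hash' that leaves the client: one more PBKDF2 round
    over the master key, using the password itself as the salt. The master key
    never leaves the device; only this derived value is sent (inside TLS)."""
    key = master_key(password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 1, dklen=32)


def master_password_hash_b64(password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Base64 form, as shown in the Master Password Hash field of the cryptography page."""
    return base64.b64encode(master_password_hash(password, email, iterations)).decode("ascii")


# Constructed stand-in for a precomputed hash table: unsalted SHA-256 of a few
# guesses, which is what crackstation-style services look up.
UNSALTED_TABLE = {
    hashlib.sha256(p.encode("utf-8")).digest(): p
    for p in ["password", "123456", "letmein", "correct horse battery staple"]
}


def lookup_unsalted(digest: bytes) -> Optional[str]:
    """Reverse a hash by table lookup; returns None when the digest is not present."""
    return UNSALTED_TABLE.get(digest)


def demo() -> None:
    pw = "correct horse battery staple"
    # Unsalted hash of the same passphrase: instantly reversed by the table.
    print("unsalted lookup:", lookup_unsalted(hashlib.sha256(pw.encode()).digest()))
    # Salted, iterated hash: not in any precomputed table, and differs per account.
    alice = master_password_hash(pw, "alice@example.com")
    bob = master_password_hash(pw, "bob@example.com")
    print("salted lookup:", lookup_unsalted(alice))
    print("same password, different accounts, different hashes:", alice != bob)
    print("master password hash (b64):", master_password_hash_b64(pw, "alice@example.com"))


if __name__ == "__main__":
    demo()
```

Two properties are worth checking when you run it: the hash for one password differs across email addresses (the salt works), and the same account with different capitalization or whitespace in the email yields the same hash (the normalization is part of the salt), which is why the cryptography page asks for the email and not just the password.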

OK, so doubt solved. Thank you very much for your answer and your time.