And here is a link to some of the steps we take to protect the Bitwarden codebase.
The Bitwarden team continues to focus first and foremost on security: the team undergoes regular security training, and the open source codebase is under regular public scrutiny on GitHub, subjected to third-party audits, and consistently monitored by security researchers as part of the bug bounty program.
Whether you work for a security company or are protecting a family account, it is also important to remember that often when we hear about hacking, it is someone gaining access through social engineering attacks. That means a lot of the basics ring true for all team members: ensure that workstations are locked down, 2FA is utilized, zero trust is applied where possible, and be suspicious of any communications that rely on time pressure to get a response.
One caveat I’d like to point out here is a possible privacy concern when it comes to the icon server.
URIs stored in your Bitwarden vault still rely on CloudFront CDNs (or your own server, if self-hosting) for serving up favicons.
This may be a concern for some, though it’s pretty clear and made apparent from the get-go by Bitwarden.
It can be disabled by the user, and Bitwarden is up-front and transparent with the user about the options, and yes, thankfully, it is still never stored in clear-text.
Just a possible concern for some related to URIs while we are on the topic.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Note how it says the format contains UNENCRYPTED data and ENCRYPTED data.
Does this mean that (for Bitwarden), if we attach a note or a custom field to an item (visible in cleartext, but only after logging into your Bitwarden), that information would have been leaked as well had a similar breach occurred?
In other words, is our entire item entry encrypted with our personal key, or are the plaintext fields visible when viewing an item left unencrypted by our personal key?
E.g., let’s say we stored a one-sentence reminder of our password on the item entry in the notes field or a custom field. Is that data NOT encrypted by your personal key? I was under the impression that your entire vault was encrypted with your personal key.
Below is literally what a typical login item looks like when stored in your vault. Every gibberish string that starts with 2. and ends with = is an encrypted cipher string, which cannot be decoded without knowledge of your master password or account encryption key. You can see that the item name, URL (uri), username, password, and notes are all encrypted.
2FA, including for instance a YubiKey, every time you install Bitwarden on a new device or open it from a new device would alleviate many (or should alleviate many) of your concerns. I don’t know of any YubiKeys that have been hacked, and if you’re super worried you can use the YubiKey to open BW each time.
No, while 2FA offers great protection against compromised master passwords (especially if using a YubiKey with FIDO2/WebAuthn), 2FA will provide exactly zero extra protection against the kind of breach that occurred at LastPass. The 2FA is only required to obtain a copy of your vault; it is not required to decrypt your vault. In the LastPass breach, the vault data were exfiltrated through a side channel, and once the attackers have the vault data, there is no need for authentication.
I agree with @grb that the hack at LastPass exposed an awful security oversight: LastPass failed to have enough (2FA) access control on backup files. In other words, retrieving a backup file should require a 2FA code as well as a login (at the very least, and perhaps more safeguards).
Question: is there a public statement from competitors like 1Password that they have better access security, for their backup files, already in place?
Backup files are the crown jewels, the storage of your secrets. It helps that they are encrypted, but if a bad guy has a copy, they can take as long as they like to try new ways to decrypt. An analogy is stealing a big, heavy, iron safe, without opening it yet. Back in the garage, the thief can use as many saw blades as they want to attack the big iron safe.
I just read an article on this. It’s a shame that LastPass didn’t reveal the problem sooner. They probably saw it as a sort of admission of failure, I guess, and they tried to avoid or delay it. A bad way of thinking. It would have allowed customers to change their password, and they would have been reminded to watch out for phishing attempts.
Let’s hope that Bitwarden would let us know quickly about the same issue, in an identical situation.
I have the same questions as you.
Is everything 100% encrypted with Bitwarden?
It’s worth thinking about the consequences of data theft on the servers, indeed.
Isn’t everything encrypted with LastPass? Why?
What are the differences between LastPass and Bitwarden?
What can some hackers do with our encrypted data?
I thought that the answer was nothing. Was I wrong?
The LastPass case is interesting.
I also think that there’s no server that cannot be hijacked one day, unfortunately. Not necessarily, but it’s possible.
The good question is: could the hackers have our data in the clear in the end? Is it impossible?
Neither. Bitwarden is more secure than LastPass; Bitwarden is equally secure to 1Password if you are using a strong Master Password. If you are using a weak Master Password (which is a bad idea), then 1Password’s secret key would protect the vaults that are stored on their servers, but offers no additional protection for the local copies of the vault that are stored on your devices.
It seems that on Lastpass 2FA (like a Yubikey) only stops the downloading of a vault. Once a vault is downloaded out of LastPass’ internal backups then 2FA is bypassed.
Is this also true for Bitwarden? Or is Bitwarden’s vault itself protected by a Yubikey thus making it impossible to break into the vault?
2FA is only for authentication (proving that you are you), not for encryption — this is true for Bitwarden and any other password manager that I am aware of. The thing that makes it impossible to break the vault encryption is your Master Password, which must be sufficiently strong for this task (e.g., a passphrase of 5-7 words that have been randomly selected from a large list, typically 7776 words for diceware lists).
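As an added illustration of the point made here and in the earlier reply about the LastPass breach (example code, not Bitwarden's code or the poster's): a simplified stand-in for the `2.<iv>|<ct>|<mac>` cipher-string layout, keyed by PBKDF2-SHA256 over the master password and e-mail, showing that whoever holds a stolen blob can test password guesses offline with no server and no 2FA in the loop, plus the diceware entropy math behind the 5-7 word advice. The iteration count, e-mail and ciphertext bytes are constructed placeholders, and the real AES-CBC layer and key stretching are left out.

```python
import base64
import hashlib
import hmac
import math

# Constructed values; the iteration count is a placeholder, not Bitwarden's
# default. The AES-CBC layer and key stretching of the real scheme are left
# out: the MAC check alone tells an offline guesser when a password is right.
ITERATIONS = 50_000
EMAIL = "user@example.com"

def derive_master_key(master_password: str, email: str,
                      iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over password and e-mail only: no 2FA input."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, 32)

def make_cipher_string(master_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Build a '2.<iv>|<ct>|<mac>' string; the MAC covers iv || ciphertext."""
    mac = hmac.new(master_key, iv + ciphertext, hashlib.sha256).digest()
    return "2." + "|".join(base64.b64encode(p).decode() for p in (iv, ciphertext, mac))

def mac_matches(master_key: bytes, cipher_string: str) -> bool:
    """Check the MAC under a candidate key in constant time."""
    enc_type, rest = cipher_string.split(".", 1)
    iv, ct, mac = (base64.b64decode(p) for p in rest.split("|"))
    expected = hmac.new(master_key, iv + ct, hashlib.sha256).digest()
    return enc_type == "2" and hmac.compare_digest(expected, mac)

def offline_guess(cipher_string: str, email: str, candidates):
    """Try candidates against a stolen blob with no server and no 2FA in the
    loop; return the password that validates, else None."""
    for pw in candidates:
        if mac_matches(derive_master_key(pw, email), cipher_string):
            return pw
    return None

def passphrase_entropy_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a diceware passphrase drawn at random from list_size words."""
    return words * math.log2(list_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    blob = make_cipher_string(derive_master_key("Summer2022!", EMAIL), b"\0" * 16, b"opaque")
    print("recovered:", offline_guess(blob, EMAIL, ["hunter2", "Summer2022!"]))
    for n in (3, 5, 7):
        print(n, "words:", f"{years_to_exhaust(passphrase_entropy_bits(n), 1e9):.2g} years at 1e9/s")
```

The weak constructed password falls to a short candidate list because nothing but the key derivation stands between the blob and the guesser; the entropy figures show why a randomly chosen multi-word passphrase changes that arithmetic.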
A few years ago LastPass was acquired by LogMeIn, which had a dodgy reputation at the time - not sure if it has now. But their clear intention was to make profit. There are fees for LastPass, but is it possible that the metadata they don’t encrypt is sold for additional profit?