LastPass breach and implications for BitWarden

2FA is only for authentication (proving that you are you), not for encryption — this is true for Bitwarden and any other password manager that I am aware of. The thing that makes it impossible to break the vault encryption is your Master Password, which must be sufficiently strong for this task (e.g., a passphrase of 5-7 words that have been randomly selected from a large list, typically 7776 words for diceware lists).

A few years ago Lastpass was acquired by Logmein, which had a dodgy reputation at the time - not sure if it still has now. But their clear intention was to make a profit. There are fees for Lastpass, but is it possible that the metadata they don’t encrypt is sold for additional profit?

I would absolutely imagine so; it is part of what prevented us from moving to this as any form of corporate password manager.
LastPass’ US Privacy Policy has a few questionable provisions about what data is collected and how it is processed, but notably, to me:

LastPass may use and share customer account and registration data, service data, billing data, and feedback with our third-party service providers to:
(g) provide analysis or valuable insights to our customers and users; (h) assess the needs of your business to determine and promote other LastPass products which we believe may be helpful to you; (i) provide product updates and marketing communications; (j) conduct research and analysis for business planning and product development; and (k) display content based upon your interests. To the extent permitted by law, we may also combine, correct and enrich personal data we receive from you with data about you from other sources, including publicly available databases or from third parties to update, expand and analyze our records, identify new prospects for marketing, and provide products and Services that may be of interest to you.

It seems fairly easy to opt out, though I personally would rather have to opt in to any marketing and data harvesting where possible, and the use of personal data for up-selling a product that is meant to not know anything about you just seems wrong to me, IMHO.


I read the post whose link you showed, grb. Very interesting indeed. Thanks again.
That one:

Would it help if the vaults were encrypted with all three keys derived from:

  1. Master password
  2. 2FA key or URL
  3. Secret key or seed phrase

1Password made a good point: humans will be humans. Many will not have strong master passwords. Those in infosec will likely have them, but that’s a small minority of the population.

Your post has a lot of speculation that is not accurate. What you have written above is not true about Bitwarden, and it is not true about LastPass. Also, neither service claims “100% encryption”; they only claim “zero-knowledge”, which essentially means that the encrypted data cannot be decrypted by the company.

This GitHub Gist shows an example of what the user vault data would look like when stored on Bitwarden’s servers — please take a look. There is no server-side encryption of the vault data:


False. Bitwarden does not hold your encryption key. Your key never leaves your own device, and Bitwarden provides evidence that this is true. Suggesting otherwise is both false and irresponsible, IMO.

Bitwarden’s big advantage over the other big password managers is that its entire codebase is open source and publicly available, so they cannot claim one thing and then do another without exposing their deceit. It just won’t happen. And on top of that, Bitwarden undergoes third-party security audits that specifically check for vulnerabilities and are made public.

I believe LastPass got away with deceitful marketing because their codebase is proprietary and secret, and who knows what kind of security audits they have done, if any.

I feel I must defend myself.

Many people will look at the screenshot below and come away thinking that Bitwarden encrypts everything.
But they don’t encrypt everything locally with the master password, so the extra encryption is done by Bitwarden, and a hacker will be able to decrypt that part.

I urge people to focus on what is encrypted locally with the master password, and ignore the “all vault data” claims.


Could you expand on “Bitwarden is equally secure to 1Password if you are using a strong Master Password.”? My understanding is that the 1Password Secret, which never leaves your devices, is combined with the Master password to unlock the vault. Therefore it seems like an additional factor of authentication is being provided, and this (at face value) would appear to be more secure than a single password (in the case of Bitwarden).

I think I understand what you’re saying that beyond a certain point of password complexity, the Secret will have little impact on the “crack-ability”, but I think that for the vast majority of users, having a second Secret provides a significant uplift in the complexity of the key required to unlock the vault.

Am I understanding correctly?


What you have written about 1Password is not accurate.
The secret key in 1Password will add 128 bits of entropy to whatever password is used and so make the encryption stronger.

@anaccount you are on the right track (and welcome to the forum!); @DoctorB you are technically correct.

Let’s assume even a modestly secure master password drawn randomly from a keyspace of 10^20 possibilities (i.e., 66 bits of entropy — say, a 5-word passphrase). Brute forcing this password will cost an attacker over 100 billion dollars to do in a reasonable amount of time, or will take them a million years to crack at a reasonable cost.

In practice, would it really matter if those two numbers were inflated by a factor of 6×10^38 (i.e., adding 38 zeros to the end of each number), which is what 1Password’s secret key does?

If the secrets in your vault are worth a trillion dollars or more, and if you are not worried about any attacks targeting the local vault copies stored on your devices, but you are concerned about a breach of Bitwarden’s servers, while at the same time you can’t be bothered to memorize more than 5 words for your master passphrase — then, yes, a secret key à la 1Password would be useful!
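The entropy arithmetic behind the diceware advice earlier in the thread and the secret-key comparison above, as an added worked example (not code from the forum, Bitwarden or 1Password). The diceware list size (7776) and the 128-bit secret key come from the thread; the attacker guess rate is an assumed, constructed figure.

```python
import math

# Values taken from the thread; the guess rate used in __main__ is an assumption.
DICEWARE_LIST_SIZE = 7776      # words in a standard diceware list (6^5)
SECRET_KEY_BITS = 128          # entropy a 1Password-style secret key adds
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy in a passphrase of word_count words picked uniformly at random."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose random passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace must be searched.

    guesses_per_second is an assumed attacker rate; with a slow KDF in front of
    the vault key (PBKDF2/Argon2) it is far below raw hash rates.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_with_secret_key(word_count: int, guesses_per_second: float) -> dict:
    """Same passphrase with and without a 128-bit secret key mixed into the vault key."""
    base = passphrase_entropy_bits(word_count)
    with_key = base + SECRET_KEY_BITS
    return {
        "passphrase_bits": round(base, 1),
        "with_secret_key_bits": round(with_key, 1),
        "work_multiplier": 2 ** SECRET_KEY_BITS,   # the secret key multiplies attacker work by 2^128
        "years_passphrase_only": expected_crack_years(base, guesses_per_second),
        "years_with_secret_key": expected_crack_years(with_key, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed attacker rate: 1e9 KDF evaluations per second (constructed figure).
    for n in (3, 5, 7):
        r = compare_with_secret_key(n, 1e9)
        print(f"{n} words: {r['passphrase_bits']} bits -> "
              f"{r['years_passphrase_only']:.3g} years to crack; "
              f"with secret key {r['with_secret_key_bits']} bits -> "
              f"{r['years_with_secret_key']:.3g} years")
```

Changing the assumed guess rate shifts every time estimate by the same factor, which is why the thread's point holds: once the passphrase alone is out of reach, the extra 2^128 only inflates numbers that were already unreachable.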

That didn’t last and LastPass is now an independent company. I can’t help wondering if that was done to protect Logmein from any claims that might arise from the breaches.

I would not be surprised to learn that selling metadata was the norm for all the password managers. Just that LP seem to have more unencrypted fields than the average.

I strongly advised several friends of mine to use Bitwarden. Following what happened to Lastpass, they now have doubts, and we understand them.
When I read, for example, this comparison, it appears that both pieces of software are supposedly great! And the author even prefers Lastpass in the end.
Lastpass is recommended on many sites!
Can what happened to Lastpass also happen to Bitwarden? Why not?
If we have a strong main password, is there really no risk for our data on Bitwarden, even in the event of hacking? Are we really sure of that?
Is it really so obvious? I’m not sure.


If “it” means a breach then I think it can happen at BitWarden, in fact we should assume it will.

I am in the process of moving from LP because I have lost all confidence and trust in LP.
I think Bitwarden is much safer than LastPass because BW have encrypted more of the data in the vault (that we enter), so when they get breached, less info is going to be exposed.

Also BW are more trustworthy because of the open source model. I don’t trust LP, they could have weak crypto code. LP is closed source but hackers have their source code and will be analysing every line of it looking for weaknesses in it.

Just remember to use a strong master password. 2FA is fine but no substitute for a strong master password.

Yes. What you say sounds logical, but the article I mentioned above said that both Lastpass and Bitwarden were encrypting everything!
Was it false, then, for Lastpass? How could they say that in that case? Was that said by the Lastpass company? A lie, then?

The phrase “encrypting everything” is a little misleading.
In the worst case scenario we have to look only at what has been encrypted locally on your workstation using the master password (and ignore other encryption applied later). At this point neither of the 2 companies encrypts everything, but BitWarden does encrypt all the important data items (the ones that you have typed in). LastPass have chosen to leave some of the data items unencrypted.

That’s a crap article basically IMO. There are a lot out there. They just regurgitate the same info over and over without truly testing (and more importantly investigating) the product they are testing. Often they are an old review from 2-3 years previous and they have just ‘tarted it up’ with some new info about the latest features. People need to be very selective about which websites they read these reviews from, many are just trying to get clicks for advertising revenue and aren’t truly cybersecurity experts or similar…

The latest LastPass incident is their 7th major breach in the last ~12 years, so no one should have had accounts with them anyway, even before this incident (as there had already been 6 significant intrusions to their systems). You have to wonder how many more minor or unpublicised breaches there have been! Any review articles in 2021-2022 not referencing this for LastPass are suspect - even Mozilla Firefox “Highly Recommends” LastPass!!! So not worth the paper they are printed on. :dizzy_face:

Everyone rushing to leave LastPass now is a bit late, it’s ‘closing the gate after the horse has bolted’ territory… Any sites that haven’t referenced the previous breaches in their LastPass reviews you know haven’t done a thorough review, or have an ulterior motive for a positive review of LastPass, or are just incompetent or slaphappy… I’m still gobsmacked looking back at old articles and posts on the web and how many people rave about LastPass over the last few years despite the regular reports of breaches of their system.

Bitwarden & 1Password are the 2 main providers who haven’t had breaches and have high levels of integrity/respect. Even Nord, which is fairly new but is well respected and has good integrity from what I can see, has had a couple of breaches (albeit on their NordVPN side of business prior to launching NordPass).

I quickly skimmed through a few sections of the linked article and found several errors. It seems like a low-quality publication, that derives revenue from advertisement and affiliate links — for such websites, there are no negative repercussions for publishing misleading or inaccurate information, so there is no incentive for being accurate. Why pay any attention to such an advertorial?

Because that’s not the only one to promote Lastpass.
I’m not a specialist in all this.
Thanks for your answers, both of you.
But tell me, what sites or forums are reliable, in addition to this forum of course? It could be interesting.