Please clarify the risks of PIN-only unlock use

I’m still new to BW. Although I have spent some time with the BW Security Whitepaper and reading forum posts, much remains unclear to me. In particular, I cannot complete a risk-benefit analysis of PIN use (a popular option, apparently) without fully understanding the risks of this feature.

Let’s make the following assumptions:

• The computer is physically secure (only used inside a private home).
• The Master Password is sufficiently strong.
• The only BW client is a browser extension on the computer.
• The extension settings are set to Vault Timeout Action Lock; further, Unlock with PIN is enabled, but Lock with master password on browser restart is disabled. My understanding is that these are the settings required to use a PIN in lieu of the Master Password for unlocking the vault (please correct me if I have misunderstood).
• The PIN is low-entropy.
• The user never logs out of or manually locks the vault account while using the computer at home.

Thus, the vault would remain unlocked at all times, except for when a browser is first opened (until the first input of the PIN). The vault doesn’t even lock when entering or waking from sleep, or when locking/unlocking the OS – although it does lock on reboot. Thus, what threats does the user face while their browser extension vault is unlocked under the assumptions outlined above?

It seems the main threat is access to the local computer by an attacker, through malware or through a remote connection, but what exactly would they have access to? While unlocked, is the vault stored in decrypted form on disk and/or in RAM, thus allowing exfiltration of the stored secrets by an actor who has broken into the computer and knows where to look?

Would the same actor have the ability to obtain the Master Password, either by memory scraping to find plain-text instances of the password, or by stealing some credential that can be decrypted using the PIN (which is susceptible to brute force guessing)?

Finally, can any of the risks/threats be mitigated by manually locking the vault (e.g., using Lock Now – not sure if there is a hotkey for this) when not in use? What happens when the vault is locked (but not logged out)? Presumably, any decrypted copy of the vault is erased from memory and disk (although these days, there are no guarantees of complete erasure from disk drives, so some risk would remain if the decrypted vault did exist on disk while it was in the unlocked state). However, can an attacker learn
the Master Password by a successful brute-force attack against the PIN?

I believe that with a unique and sufficiently strong Master Password, the encrypted vault stored on Bitwarden’s cloud is pretty much impenetrable, so the main risks would be those resulting from threats against the local computer/device. Thus, to make an informed decision about how to balance usability vs. security, knowing the answers to the above questions is essential.

Thank you!

The chief reason to use the pin is to avoid using your master password. If someone has a key logger, typing in the master password may be logged. If someone use a pin that is unique to the device, and they steal that pin, it is not useful outside of that device. To be secure, the pin must be unique to each device.

If you attempt to brute force a pin, it will allow only certain number of tries before it reverts to password.

According the following link, logging in copies the vault from the cloud to the device but the local vault is still encrypted and can be unlock using your choice of unlock method (password, pin, biometrics).

Thank you for your response and for sharing the link to the BW knowledgebase. I think that if an attacker has been able to install a key logger on your device, they would also have the ability to do memory scraping, or copy files from your harddrive or from active browser extensions (including the vault, stored hashes or keys, etc.). Thus, my question goes to the level of encryption/security of any such data that might be exfiltrated by an attacker.

For example, if the key that can open your vault is encrypted so that the PIN is required to decrypt the key and allow the vault to be unlocked, then it would be easy pickings for an attacker who has copied the encrypted key and key-logged your PIN. Even if they only copy the encrypted key and do not log your PIN, surely it should be easier to brute force the PIN than to brute force the Master Password? The five-attempt limit for the PIN won’t protect you if the attack is done on the copied files instead of using the BW clients installed on your machine.

The linked information from Bitwarden’s help documentation is a bit confusing to me, but it does offer some clues. The way I read it, the state of the vault depends on whether you are logged in vs. out and locked vs. unlocked:

Logged in & Unlocked:
The vault is stored on your hard drive without encryption (all secrets exposed).

Logged in & Locked:
The vault is stored on your hard drive in an encrypted state; the vault can be decrypted using a “decryption key”, which is stored in RAM. Thus, an attacker who scrapes your memory can decrypt the vault. It is unclear how strong the vault encryption is when it is stored locked on your hard drive – has it gone through the full 200,000 PBKDF2 iterations, salting etc., same as is done to secure the encrypted vault that is stored on BW’s cloud servers? If an attacker was able to exfiltrate the locked vault from your harddrive but did not get the “decryption key” from RAM, is it feasible to crack the vault by a brute-force attack (and would such a brute-force attack be made easier if the vault has been locked with only a 3- or 4-digit numerical PIN?)?

Logged Out:
Unclear, but the knowledgebase article seems to imply that no copy of the vault (either decrypted or encrypted) is stored on your computer when the user is logged out. I recall reading elsewhere that in the absence of an internet connection, there is still a local copy of the vault that can be used in read-only mode – if this is the case, the off-line copy of the vault is presumably encrypted, but again, it is unclear how strong that encryption is compared to the encryption used for storage on Bitwarden’s cloud servers.

I have to disagree with you that if someone installed a keylogger, they would have other spying abilities. Keep in mind that keylogger is just a specific software. Being able to copy file is another program altogether.

Based on the reading, I would expect that when you log into Bitwarden, a copy of the vault is retrieved to your device and then stored encrypted in memory. Once logged in, the vault stays in memory until you logout and which point the vault is destroyed. This is why if lose your internet connection you can access the vault until you logout and then you won’t be able to get your vault back until you restore your connection.

The unlock operation basically decrypts your vault to get at the entries on your device. The decryption is what you set as the unlock key, which may be a pin or a biometric fingerprint. Say an attacker steals your pin, they would be able to decrypt your local vault, but unless they physically have access, they can’t decrypt your remote vault. The key is only good for the local vault. The local vault also lock after timeout and need the pin to unlock.

This brings us to the issue of keyloggers. Think of keylogger as someone who managed to access the security camera at your house. They can see you entering a key combo to a safe that has your family’s secret recipe for fried chicken, but they can’t use that camera to steal the receipe. You also have a remote vault at a much more secure location with the same receipe, but it has a different combination so that key combo is useless.

It’s possible to write a malware to do keylogging and gain access to the computer, but today’s OS is far more secure than in the past. If you take the necessary precautions, having your OS compromise is rare and fairly costly to do. Exploits are costly to find and once you deploy it, it is found quickly and then the loophole is closed.

So I wouldn’t get hung up too much on attacks on the vault, I think local attacks are rare unless you are targeted. It’s more likely that they will attack your individual accounts either because you reuse a password or if you are using a commonly use password. Concentrate on not reusing your password, having really long password so that they are not common, and enable 2fa if possible. Also eliminate or obscure security questions that can be used as backdoors.

As for your device, I would recommend that you secure it with layers. Suppose you have a phone, make sure that the storage is encrypted so that you cannot remove the storage and read off it (most devices are encrypted these days). Make sure that you secure your phone with some sort of pin or biometic, then set the password manager to force you to reenter a pin or biometric everytime you open it. That way if someone snatches the device out of your hand when it’s unlock, they still can’t get into the password manager most of the time. If you are really security consicous you can employ different method to unlock the phone and password manager.

As for stealing information through RAM, I supposed it is possible. Even if you encrypt everything some info will always leak out because the vault has to be decrypted to be filled. If you search the entire computer memory for your master password, I am pretty sure you will find it, but if you don’t know what the password is ahead of time, it would be pretty hard to find in a sea of information.

grb,

You mentioned that your PIN is low entropy. Its very easy to use an 8 digit PIN for example. IF the PIN is unique the odds of someone selecting the correct PIN in only five attempts is virtually zero. After 5 incorrect attempts BW will log out automatically and now only a full master password (along with hopefully U2F or some other two factor authentication method) can unlock your vault. As mentioned above a stolen PIN is somewhat worthless unless it is used on your exact device ----------- > that is unless you use the same PIN on other devices as well. Regardless a remote capture of your PIN won’t help someone on THEIR device at all.

@OpSec The threat model I’m concerned with is someone who has gained access to the local system and exfiltrated the vault and and any stored hashes or keys; if they have acquired sufficient privileges to install a keylogger, then they will also not have any problems scraping the hard drive and RAM. Thus, the brute-force attack would not be limited to 5 attempts.

The threat model you describe is super-unlikely. There is no general software hack everything. You need to write code that would infritrate your OS to delivery the malware and then separate malware to target Bitwarden. The amount of resources require would be super costly.

Malware has to be targeted to specific application and OS. Bitwarden is not the most popular password manager, so if they want to target password manager, it would be something more popular like Last Pass.

An why would you target the password manager. It’s probably the most protected part of the system. Password manager are like the special ops military person carrying a machine gun. If you are a robber, would your target the special ops person?

The most likely attack is to either encrypt your hard drive and send you a ransome note or attempt to scan through the hard drive for sensitive information.

Unless you are an individual of interest or have something of interest and you are specifically targetted, you specific threat is unlikely.

This is precisely the claim that I have been unable to verify. If the PIN is stored on disk in plaintext or as an MD5 hash, then it is vulnerable, and could be used to unlock the vault. I have no evidence that this is how the PIN is stored, but also no evidence that would allow me to exclude this possibility.

There is a lot of information about how the vault is encrypted and decrypted on Bitwarden’s cloud servers, so I have no concern about the vulnerability of the vault in the cloud. However, there seem to be very little information about the security measures and vulnerabilities of the vault and user credentials on the local computer. Is the security afforded by Bitwarden on the local computer any better than, say, storing secrets in a locally stored, password-protected Excel sheet?

Here’s the code

Pin appears to be stored as some sort of encrypted hash. I would suggest using a 8 digit key for security.

It would matter what hash function algorithm is used. For example, an 8-digit key can be cracked in a few minutes if the hashing function is something like bcrypt, and instantly if hashed using MD5. Unfortunately, I don’t have the expertise to deduce what algorithm is used to encrypt the PIN by reading the source code (thanks for linking it, though; it was interesting to see).

Based on Bitwarden’s page, it’s probably PBKDF2. The code seems to imply that they combine the pin with your bitwarden email, so it probably pays to use an email that you don’t use normally.

In any case, bitwarden will only allow you 5 tries, so you can’t bruteforce the pin. After 5 tries, Bitwarden won’t let you continue until you enter the master password. You can try this yourself.

Does “Bitwarden’s page” refer to a source other than their Security Whitepaper (or equivalent)? If so, that whitepaper appears to discuss only communication between the client and the cloud, not the locally stored credentials that have been encrypted by PIN.

As I’ve stated before, the 5-attempt limit only applies if someone is trying to break in using one of the Bitwarden client apps on the victim’s device. If the data have been exfiltrated, there is no limit to how many cracking attempts can be made.

You can see encryption use at

Your statement " If the data have been exfiltrated, there is no limit to how many cracking attempts can be made." does not make sense. You are thinking that someone get access to your machine, they will have unlimited access to your vault. The vault is still encrypted locally. A malware program cannot read it. If the malware attempt to use the PIN to access the vault, it will failed after 5 tries and be prevented from further attempt until someone re-enters the master password. Why do you think there will be unlimited attempts.

Again, the link you have shared, while informative, speaks only to the security of the vault in the cloud and during transfer to/from the cloud. I does not address anything that happens on the user’s computer when the local vault copy is locked or unlocked.

The vault (and/or the stored decryption key) can certainly be copied and transferred to a threat actor (example).

Once a copy of the data is in the attacker’s possession, they don’t have to use the Bitwarden apps to do the decryption. The algorithms are open source, so there is nothing to stop a hacker from reproducing the decryption algorithms minus the part where the PIN is reset after 5 attempts.

Depending on how the vault decryption key has been protected, it may be as simple as using a third-party tool like Hashcat or John the Ripper to crack it (and then use it to unlock the vault).

I think the easiest way to get to the answer I am looking for, is to clarify whether or not using a locally stored, encrypted Excel file to store passwords would be any less safe a solution than using Bitwarden. I would hope that Bitwarden would represent a more secure solution, but so far I have not seen any evidence of this.

You are not understanding how the vault works. You are thinking that the vault is store in a file somewhere and all I need to to is to copy that file and then run Hashcat on it. The vault does not exists in a file, it onliy exists in memory encrypted, you cannot dump it out . Bitwarden only decrypt what is requested so you would have to do it one entry at a time using the masterword key each time. There is no file to scan.

Ironically, your idea to use an encrypted excel will actually result in the vulnerability that you fear. An Excel file can be stolen and then decrypted off your machine. There are utiltiies to unlock excel files.The only way to make this work would be to store your excel file on a machine that’s totally offline where you would type in the password character by character manually by reading it off the off-line device. You will need to make sure that the password is long and secure enough so it will be very annoying to use. Please do not password in encrypted excel file on your computer connected to the internet.

The foundation of encryption is that everyone know the algorithm but the info is still secure because the other person don’t have the key, otherwise encryption will never work and you can only protect by obscurity. By making it open source, Bitwarden allow security experts to review their code to look for backdoors. How do you know Bitwarden is trustworthy? You can look at the code. How do you know Microsoft is trustworthy? You can’t and will have to just trust that they are.

With due respect, I believe the statement above is inaccurate, because it is directly contradicted by Bitwarden documentation, which spells out the locations where the (encrypted) vault is stored on the local computer:

For example, for my Bitwarden desktop app, the vault is currently stored in the file C:\Users\grb\AppData\Roaming\Bitwarden\data.json.

I am not advocating the use of an encrypted Excel file (for the reasons you state), I offer this comparison only to make the point that without documented information about how the local vault copy is encrypted, we have no way of knowing whether it is any more or less secure than an encrypted Excel file (which, by the way, uses AES256 encryption, so is reasonably secure if a strong password is used).

Moreover, Bitwarden apps remember the PIN used even after the computer is rebooted, which proves that the encrypted PIN must be stored on disk as well, and I believe that other credentials may be stored on disk if one chooses options like disabling “Lock with master password on browser restart” or setting the vault timeout to “Never”.

Edited to Add:
Here is another thread in which the OP (@Jmac ) reports he was able to copy the locked data.json file from one computer and unlock it on a different computer; the thread also includes a good discussion by @rpaulson about the inconsistencies in the available documentation):

OK, I stand corrected. Keep in mind that the data is ecrypted at rest and is remove when you log out. If you look at the code, the PIN does not decrypt the vault, but is used to retrieve the master key, so you cannot use the PIN to decrypt the vault. You then run into the limit of 5.

The remember your pin is depending on settings. When I reboot my computer, I have to re-enter my master password. Also different platform uses different method. On windows, ,I believe you can uase Windows Hello. You just need to go with the setting you feel safe with.

As for JMAC’s comment, see the last post where someone is unable to duplicate the results. It’s probable that vulnerability got plugged. Why don’t you try it yourself and report back?

If you have issue with the PIN, don’t use a pin and use Biometric or just enter the master password. These options are available to adjust to whether you are comfortable with. You can do what you like even use the encrypted excel spreadsheet, but I would advise it.

OK, but retrieve it from where? Based on the information provided by @RobertT in this thread, the encrypted master key is likely stored in one of the values “keyHash”, “encKey”, or “encPrivateKey” that are saved in the data.json file.

The questions remain – how well is the hashed master key encrypted, if it can be used to retrieve the master key using a PIN, and how well is the local vault itself encrypted (compared to the AES-256 encryption and 200,001-iteration PBKDF2 stretching that is used for cloud storage of the vault)?

The encrypted master key in stored in the data.json file.

This is not true. The limit of 5 tries enforced by the Bitwarden app. Another program that reads the locally cached vault has no limit.

If you have a weak PIN it does not matter how well the master key is encrypted. The weak PIN can be bruteforced, and once you have that you can decrypt the master key and the entire vault.

Great, now we have more info. I couldn’t find a bitwarden folder in my appdata\roaming. Is the folder hidden?

I think if you have a good master password. The question is if you can get at the master key locally. I am pretty sure that without the master key, it would be really hard to decrypt the vault on file. Will have to experiement when I have more time.