Questionable PIN Security

Jmac · March 21, 2022, 6:54pm

Preface: I am a long time user of KeePass with multiple plugins and also used Myki before it was announced they were shutting down. I liked the automated features in Myki and have migrated over to Bitwarden, paying for premium. Really missing Auto-Type and hoping that will be coming soon!

Anyway, on to the reason I’m posting… I’m a bit concerned about the PIN security implementation and am keen to hear other thoughts…

I have “Unlock with PIN” enabled to avoid entering my obscenely long master password every time. I assumed there was some kind of unique ID specific to my device that was used in conjunction with my PIN making it unique to my device. Therefore, if the data file was ever taken elsewhere, the full password would be required to unlock.

However, with the vault locked, I copied the %AppData%\Bitwarden\data.json file and placed it on to another computer where I installed Bitwarden app offline and restored the file to the same location (internet disabled), only to find the same PIN unlocked the database as it did on the original PC with no need to enter the full master password.

This means if my original PC was ever infiltrated, either by Ransomware or over the network, that file can be copied off and hacked into within mere seconds.

I was always under the impression the PIN Unlock was unique to the PC it was applied to, but it doesn’t seem to be the case.

I would be keen to understand whether I’m over thinking this or is this some kind of oversight in the security of the app? Are extensions affected in the same way?

bw-admin · March 21, 2022, 7:33pm

Hi @Jmac, the Unlock with PIN page in the help Center provides additional information on this feature:

Note

If you turn off the Lock with master password on restart option, the Bitwarden application may not fully purge sensitive data from application memory when entering a locked state. If you are concerned about your device’s local memory being compromised, you should keep the Lock with master password on restart option turned on.

Jmac · March 22, 2022, 10:10am

Would it not be better to implement PIN security in conjunction with some kind of unique identifier of the system to ensure it can only be unlocked on the device it was applied to?

Jmac · March 22, 2022, 10:40am

After ensuring the “Lock with master password on restart” option is enabled in the PIN unlock settings, I’m now asked for the Master Password when copying the file to a different computer.

I think this will have to be the acceptable middle ground for now.

Perhaps using some kind of unique parameter of the system, in conjunction with the PIN would provide the security needed to allow this in the future.

OpSec · March 22, 2022, 6:50pm

Slightly varying the thread but it might apply and help you. I have debated this same issue in the past (within my own mind) and the method I use to allow me to have peace over this is:

I use BW on linux LUKS encrypted drives. When I am absent and the machines are off there is NO access to anything and in this case specifically BW! There can be no copying at all.

The issue you sight is common to all software encryption in that a “bad guy” that has pawned your machine will always have control over the drive’s content.

All the above said I REALLY like the concept of a PIN that uses device specific “qualities” as a sort of second factor authentication to allow access. In fact it is a major improvement in security if that feature is feasible I would thumbs up a vote for it. Great idea!!

GrizzlyiAK · March 22, 2022, 7:26pm

+1. This sounds like a reasonable improvement.

rpaulson · June 14, 2022, 8:21am

I think the whole documentation regarding Unlock with PIN and Understanding Unlock vs. Log In should be clarified. The following paragraphs are the relevant information I found in the help center and the white paper. IMO it’s contradictory and the behavior described by @Jmac is not covered either.

Enable Unlock with PIN
If you turn off the Lock with master password on restart option, the Bitwarden application may not fully purge sensitive data from application memory when entering a locked state. If you are concerned about your device’s local memory being compromised, you should keep the Lock with master password on restart option turned on.

Understanding Unlock vs. Log In
Unlocking can only be done when you’re already logged in. In other words, only when your Vault data is already stored (encrypted) on your device. Because your Vault is already downloaded and your decryption key stored in memory:

You don’t need the decryption key derived from your Master Password, so you’re free to use other access methods, like PIN codes and biometrics.

You don’t need to be connected to the internet (or, if you’re self-hosting, connected to the server).

White Paper
We do not keep the Master Password stored locally or in memory on the Bitwarden Client. Your encryption key (Symmetric Key) is kept in memory while the app is unlocked. This is needed to decrypt data in your vault. When the vault is locked, this data is purged from memory.

I could imagine that this description of the locked state is misleading, as the memory is normally purged in the normal locked state (as described in the White Paper). Therefore, the Master Password is not only needed for the login process but also for unlocking the vault as the decryption key isn’t stored in memory. If I’m not mistaken, there are probably two different locked states, and maybe this should be pointed out here, the normal locked state (as described in the White Paper) and a PIN lock or less secure locked state. In the latter the decryption key has to be kept in memory as unlocking the vault doesn’t involve the master password, which would be needed to decrypt the symmetric key from the file system and load it to memory.

As far as I understand it, there are rather three different states involved if “Unlock with PIN” is used:

Login with Master Password: Authentication process (including 2FA) to receive encrypted data from server (Fallback after 5 failed PIN attempts)
Unlocking (from normal locked state) with Master Password: All data has been purged from memory (Fallback from PIN lock after app restart if Lock with master password on restart option is used, the default setting)
Unlocking (from less secure state) with PIN: encryption key is kept in memory even though the vault is locked
- Lock with master password on restart on: encryption key is kept in memory when entering PIN lock
- Lock with master password on restart off: encryption key is kept in memory and written to disk (the behavior @Jmac discovered when he transferred the local file to a different offline system)

Do you agree with this structure?
The white paper says that “Your encryption key (symmetric key) is kept in memory while the app is unlocked”. Do you know if the encryption key (symmetric key) is also kept in memory in the locked state (PIN lock) or if the PIN is used to encrypt the symmetric key when entering the locked state to then keep the encrypted symmetric key in memory or to write it to disk?

bw-tinkerer · June 14, 2022, 12:03pm

This means if my original PC was ever infiltrated, either by Ransomware or over the network, that file can be copied off and hacked into within mere seconds.

No, they get 5 attempts to guess your pin before your vault is logged out.

After 5 failed PIN attempts, the app will automatically log out of your account.

Logout means you have to enter your master password and any enabled 2FA to get back in (unless you set “remember me” in which case the 2FA is remembered for 30 days, but only on the same device).

With a 4 digit numeric pin that’s 5/10000 = 1/2000 = 0.05% chance of the hacker getting in. With 6 digit numeric pin, make that 5/1000000 = 1/200000 = 0.0005% chance of getting in.

If you use an alpha-numeric “PIN” (instead of numeric only), then you get far more security per character than those numbers above. 4 random characters from among aprox 72 character options allowed by bitwarden (26UC + 26LC + 10digits + approx 10 special characters) means there are 72^4 ~ 27 million PIN possibilities so hacker has around 1 in 5 million chance of guessing correctly in 5 attempts. That’s allowed on pc, I think mobile PINs are numeric digits only.

In the end the risk associated with the attack in your experiment is no more than the risk if an attacker accessed your pc with the pc unlocked but the vault locked (they’d have 5 chances to guess your pin either way). The access level required to copy those files was comparable, so at first glance it seems like the lock did what it’s supposed to do…

But I thought all the sensitive stuff was stored in memory (not on disk). And it does raise a question for me whether an attacker could make hundreds of copies of your logged-in database and move it to hundreds of machines in order to multiply the number of attempts beyond 5. Or do it on a single machine (maybe virtual machine) and wipe the history after each 5 attempts and then copy the “fresh” database back for another 5 attempts. Seems difficult but perhaps hackers could automate it. I don’t know the full answers, but no doubt “locked” is less secure than “logged out”. Also there are various settings to control the locking/logout behavior, in part dependent on the particular way you are accessing bitwarden (browser, browser extension, app).

dh024 · June 14, 2022, 4:56pm

I have been trying to replicate this behaviour with no success. I am always required to enter my master password to access my vault, regardless of whether I have copied the data.json file into the %AppData%\Bitwarden folder or not. Has anyone been able to achieve this, and if so, can you provide step-by-step instructions to make this work? I am now wondering if this is even possible and whether all the “what-if” scenarios in this thread are valid.

grb · July 19, 2022, 10:32pm

@dh024 Yes, @Jmac is right: I can reproduce this for a desktop vault that has been PIN-locked after disabling the option Lock with master password on restart. In my case, I assumed the attacker was using a portable desktop installation – e.g., with D:\Bitwarden-Portable-2022.6.2.exe installed on a USB (D:). On the victim computer, navigate to %AppData%\Bitwarden and copy the data.json file to the USB at D:\bitwarden-appdata\data.json. If the computer is locked or powered off, use a recovery environment on a bootable USB to access the file. The copied vault can still be unlocked using the PIN, from any computer.

Thus, the attacker can take the USB to any other computer, and try to crack the PIN at their leisure. If doing this manually (by trying the obvious 1111, 1234, birthdates, etc.), you can get an unlimited number of unlock attempts simply by closing and restarting the app after each fourth attempt. There may be a hash stored in the data.json file that would make a more automated cracking attempt possible, but I have not explored this yet.

@rpaulson If you are worried about a memory attack, then you are going to be disappointed. Despite what is said in the Bitwarden documentation and whitepaper, whether the vault is unlocked, locked, or logged out, the actual master password is stored in unencrypted plaintext in memory until you shut down the app process completely!

bw-admin · July 20, 2022, 4:13pm

Thanks @grb, the team will be investigating the Github issue. For context, below outlines expected behaviour:

On your Local Machine

Data that is stored on your computer/device is encrypted and only decrypted when you unlock your Vault. Decrypted data is stored in memory only and is never written to persistent storage.

We also reload the application’s renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application’s encrypted data to be completely safe while the application is in a locked state.

grb · July 20, 2022, 7:07pm

Thanks for escalating this. To clarify for other readers, the “Github issue” mentioned by dwbit refers to an issue different from the two raised in my post above — the referenced issue is related to the failure of the Chrome extension to purge the local vault when logging out, and is documented here:

github.com/bitwarden/clients

Chrome extension saves vault in persistent local storage after logging out and exiting Chrome

opened 11:44PM - 15 Jul 22 UTC

bwbug

bug browser

### Steps To Reproduce 1. Log into vault using Chrome extension 2. Log out o…f vault on Chrome extension 3. Exit Chrome 4. Navigate to %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb 5. Open the most recent *.log file using Notepad 6. Optionally, use Edit/Find to search for terms such as "keyHash", "email", "login", "password", etc. ### Expected Result If the user has logged out, the vault should be expunged from persistent storage. [Bitwarden documentation](https://bitwarden.com/help/vault-timeout/#vault-timeout-action) makes the claim: **"Logging out of your vault completely removes all vault data from your device."** Thus, the *.log file (which contains vault data for the Chrome extension) should be deleted, or contain only a skeleton template structure with non-existent entries for "email", "keyHash", "login", "password", etc., or (at worst) empty values for all fields that hold secret/sensitive information. ### Actual Result The stored *.log file contains one or more copies of the encrypted vault, which persists even after logging out of the vault, exiting Chrome, and rebooting the computer, By scanning through the file, or by using search terms such as those suggested above, the full contents of the vault are revealed, including the email account in plaintext, the hashed version of the Master Key, as well as encrypted cipher strings containing all secrets. In effect, there appears to be no practical security difference between the locked state and the logged out state. ### Screenshots or Videos _No response_ ### Additional Context The vault data can be easily be exfiltrated by anybody who has physical access to the computer for a short time, whether the computer is on or off. Using copied values of the fields "email", "kdfIterations", and "keyHash", the master password can be brute-forced if it is sufficiently weak, which would then allow a bad actor to access the web vault. Whether such a threat model is widely applicable or not, users have the expectation that decrypted vault data is removed from persistent storage upon logout; this expectation is not met for the Chrome extension. I have not tested other browser extensions. ### Operating System Windows ### Operating System Version Windows 10 ### Web Browser Chrome ### Browser Version Version 103.0.5060.114 ### Build Version 2022.6.1

I will return in the near future with documentation of the claimed memory vulnerabilities (a preview of which I’ve shared with dwbit in Direct Message).

grb · July 23, 2022, 9:33pm

dwbit - archived (previous employee):

Thanks @grb, the team will be investigating the Github issue. For context, below outlines expected behaviour:

On your Local Machine

Data that is stored on your computer/device is encrypted and only decrypted when you unlock your Vault. Decrypted data is stored in memory only and is never written to persistent storage.

We also reload the application’s renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application’s encrypted data to be completely safe while the application is in a locked state.

@bw-admin I agree that the expected behavior is as described in the documentation cited above. Unfortunately, the actual behavior is different. The failure to purge the clear-text master password and decrypted vault information from memory after locking and/or logging out (even after 4 hours of inactivity) has now been documented on Github:

github.com/bitwarden/clients

Vulnerability: Sensitive information is not purged from process memory on app lock or logout

opened 09:18PM - 23 Jul 22 UTC

bwbug

bug desktop

### Steps To Reproduce 1. Ensure that the vault contains secret items (e.g., …logins, secure notes, etc.), and that "Close to Tray icon" is enabled; to minimize known risks, also ensure that vault timeout is not set to "Never", and that PIN locking is disabled. 2. Log out from vault on Bitwarden client app, then close the app. 3. Launch a memory inspector/editor utility. I used [HxD](https://mh-nexus.de/en/hxd/). 4. Launch Bitwarden client app. My results shown below are for the Desktop app, but I have confirmed that the same vulnerability exists in the Chrome browser extension, as well as in the web vault. 5. In the memory inspector utility, open the process memory for the Bitwarden client app. (In HxD, go to **Tools > Open main memory**). The Bitwarden desktop app has four processes, but only one of those will contain the decrypted vault and master password; you may need to repeat the memory searches described below in all four memory regions to find the correct process, but in my experience it is typically the process at the top of the list that contains the information we are looking for. 6. In the Bitwarden client app, perform the various actions described in the results section below (e.g., type master password on login screen, log in, lock, log out); after each action, click the "X" in the top right corner of the Bitwarden app to "close" the app to the systray, then bring another app into focus (e.g., the memory inspector app), and **wait 10 seconds** or longer (up to 4 hours in my tests) before proceeding with the memory search described in Steps 7-8 below. 7. In the memory inspector utility, refresh the view of the process memory. (In HxD, go to **View > Refresh**). 8. In the memory inspector utility, search the process memory for strings of interest, such as the master password, or contents of known vault items. (In HxD, go to **Search > Find > Text-string**, enter the search string, set the search direction to "All", and click **Search All**). Inspect the search results. 9. Repeat Steps 6-8 for various states of the vault. ### Expected Result Based on Bitwarden documentation cited below, I expect the master password to either _never_ be stored in process memory (_"We do not keep the Master Password stored locally or in memory on the Bitwarden Client"_ [2][3]), or at worst, be stored only temporarily until it is no longer needed (_"The Master Password is cleared from memory after usage"_ [1])-- i.e., after calculation of the _Master Key_ and _Master Password Hash_. Furthermore, I expect all vault data (i.e., decrypted secrets) to be to be cleared from process memory either immediately upon locking the vault (_"memory is cleaned up whenever the application is locked"_ [2],[3]), or at worst, within 10 seconds after locking the vault (_"We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged"_ [3]). Obviously, the same expectations would also hold when one has **logged** out of an account, which is supposed to be even more safe than locking the vault (_"Logging out of your vault completely removes all vault data from your device"_ [4]). **Sources:** [1] From the [Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/#user-data-protection): >The Master Password is cleared from memory after usage [2] From the [Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing,-key-derivation,-and-encryption-process): >We do not keep the Master Password stored locally or in memory on the Bitwarden Client. Your encryption key (Symmetric Key) is kept in memory while the app is unlocked. This is needed to decrypt data in your Vault. When the Vault is locked, this data is purged from memory. After a certain time frame of inactivity on lock screen, we reload the application processes to make sure that any leftover managed memory addresses are also purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application to be completely safe while in a locked state. [3] From Bitwarden's [Security FAQ](https://bitwarden.com/help/security-faqs/#q-is-my-bitwarden-master-password-stored-locally): >**Q: Is my Bitwarden master password stored locally?** >**A: No.** >We do not keep the master password stored locally or in memory. Your encryption key (derived from the master password) is kept in memory only while the app is unlocked, which is required to decrypt data in your vault. When the vault is locked, this data is purged from memory. > >We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application's encrypted data to be completely safe while the application is in a locked state. [4] From [Bitwarden Online Help](https://bitwarden.com/help/vault-timeout/#vault-timeout-action): >**Log Out** >Logging out of your vault completely removes all vault data from your device. ### Actual Result - Multiple instances of the clear-text master password are preserved in the process memory after locking the vault and even after logging out. In the two accounts that I have tested, one can find the master password even if it is _not_ known in advance, by searching for all instances of the string `{"nbf":`, and examing the 120 bytes (give or take) than precede each occurrence of the `{"nbf":` string. - Decrypted vault secrets are preserved in clear-text in process memory after locking the vault and even after logging out. - The only way for the user to ensure that sensitive information is cleared from local memory is to manually terminate the Bitwarden process. Arguably, quitting the app while the vault is _unlocked_ is safer than leaving the app running in the background while the vault is _logged out_. ### Screenshots or Videos The vault that was used in the tests below had a master password `CorrectHorseBatteryStaple!@#`; for privacy reasons, screenshots that reveal the account email have been retouched to obfuscate the email address (so that it is displayed here as `[email protected]`). The vault stored a login item named _My Bank_ that contained the username `mybankaccount` and password `Password82Brut3F0rc3`, as well as a secure note titled _Important Info_ with the text `Secret PIN is 42`. The screenshot in **Fig. 1** below shows 4 instances of the master password kept in memory after the password has been entered on the app login screen, but before completing the login process (by hitting the "Enter" key or clicking the "Log In" button). It seems that it would be unavoidable to keep one copy of the text entered into the keyboard buffer, at least until the login process has been completed, so this observation is mentioned primarily for completeness. ![bw02_pre_masterpw](https://user-images.githubusercontent.com/109386143/180622769-3cedeafb-4640-4f41-9031-a45c09720f83.jpg) **Fig. 1. Stored master password prior to login.** **Fig. 2** shows 11 instances of the full master password found after the login process had completed, including the original 4 instances (from **Fig. 1**), augmented by 7 additional copies of the master password. Thus, not only does the master password persist in memory past the point when its plain-text value is needed (because the _Master Key_ and _Master Password Hash_ have been already computed during login), but the number of instances of the plain-text master password has almost tripled. At least one of the copies of the master password is stored in close vicinity to a memory location holding the account email address. ![bw03_login_masterpw](https://user-images.githubusercontent.com/109386143/180622937-ef2c63eb-af21-4caa-9d93-20befbf0fb1d.jpg) **Fig. 2. Stored master password (and account email) after login.** The more concerning findings begin after locking the vault. As shown in **Fig. 3**, as many as 5 copies of the plain-text master password are still discoverable in process memory after the vault has been locked (even if inactive for more than 10 seconds). Again, the account email is found juxtaposed to at least one instance of the stored master password. Furthermore, the decrypted vault secrets (including item names, login usernames, login passwords, and secure notes) are also still present in memory in clear-text, even though the vault has been locked (see **Figs. 4-6**). ![bw04_lock_masterpw](https://user-images.githubusercontent.com/109386143/180622947-8a76d58c-9e03-44b5-9865-14795a868d1d.jpg) **Fig. 3. Stored master password (and account email), visible in memory after the vault has been locked and inactive for 10 seconds or more.** ![bw06_lock_itemusername](https://user-images.githubusercontent.com/109386143/180622956-b8e17bf8-950a-435f-97a7-0bce4ceead63.jpg) **Fig. 4. Decrypted login username, visible in memory after the vault has been locked and inactive for 10 seconds or more.** ![bw05_lock_itempw](https://user-images.githubusercontent.com/109386143/180622967-7b1911a9-4c80-4f9d-a5db-88ae171eaab0.jpg) **Fig. 5. Decrypted login password, visible in memory after the vault has been locked and inactive for 10 seconds or more.** ![bw07_lock_note](https://user-images.githubusercontent.com/109386143/180622982-09968352-6e5f-444c-80de-8893509b6104.jpg) **Fig. 6. Decrypted secure note, visible in memory after the vault has been locked and inactive for 10 seconds or more.** After logging out of the locked `[email protected]` account (and allowing for a further 10 seconds or more of inactivity), it appears that the Bitwarden client app does not make any further attempts to purge sensitive information from memory. As shown in **Figs. 7-10**, the memory locations that had contained sensitive information in the locked state of the vault (**Figs. 3-6**) still contain the same information after logging out of the vault. ![bw08_logout_masterpw](https://user-images.githubusercontent.com/109386143/180622988-c50a7108-156a-48da-b954-b7b55cba8bd1.jpg) **Fig. 7. Stored master password (and account email), visible in memory after the vault has been logged out and inactive for 10 seconds or more.** ![bw10_logout_itemusername](https://user-images.githubusercontent.com/109386143/180622996-a5dd56cc-c3e4-4521-ae86-fcbce8c44ca1.jpg) **Fig. 8. Decrypted login username, visible in memory after the vault has been logged out and inactive for 10 seconds or more.** ![bw09_logout_itempw](https://user-images.githubusercontent.com/109386143/180623000-fec02480-7b0f-4660-9bcb-c7716a78c978.jpg) **Fig. 9. Decrypted login password, visible in memory after the vault has been logged out and inactive for 10 seconds or more.** ![bw11_logout_note](https://user-images.githubusercontent.com/109386143/180623009-c0307c6d-000b-48eb-8b8c-33dfb5091f4f.jpg) **Fig. 10. Decrypted secure note, visible in memory after the vault has been logged out and inactive for 10 seconds or more.** In some tests, the Bitwarden client app has been left inactive for up to 4 hours after logging out, and the memory has still not been purged. It appears that the only method to ensure the plain-text master password and decrypted vault are cleared from memory is to terminate the app's process. ### Additional Context This is basically a demonstration that the vulnerabilities described in the 2019 ISE report [Password Managers: Under the Hood of Secrets Management](https://www.ise.io/casestudies/password-manager-hacking/) still exist in Bitwarden in 2022. Interestingly, a 2019 [Reddit post](https://www.reddit.com/r/Bitwarden/comments/au87od/bitwarden_memory_test/) claims that the memory _is_ in fact cleared by the Bitwarden desktop app, but this claim is contradicted by the findings I have reported above. Perhaps the code base has changed since 2019. The issues I have reported for the desktop client app also exist for the Chrome browser extension and for the web vault. If the ability to scrub memory is limited due to programming language or framework, then at least the official Bitwarden documentation should not be making misleading statements about the memory management capabilities. I would suggest an interim work-around of providing an option to have the vault timeout action include automatic termination of the running Bitwarden process. In addition, I recommend that the option "Close to Tray icon" be accompanied by a security warning. ### Operating System Windows ### Operating System Version Windows 10 (20H2 Build 19042.1826) ### Installation method Direct Download (from bitwarden.com) ### Build Version 2022.6.2

This memory vulnerability is distinct from the Chrome extension issue mentioned above (Github Issue #3124), and is also distinct from the issue raised by @Jmac in the OP of this thread (which I have reproduced in my post above).

I hope that some of these vulnerabilities will be addressed in the near future.

bw-admin · July 23, 2022, 9:34pm

@grb this claim is with the team to investigate

grb · July 23, 2022, 9:45pm

@bw-admin Just so there is no misunderstanding: You had previously indicated that you notified the team of Github Issue #3124. I had promised (in my previous post) to document a different issue (sensitive information not purged from memory), and I have now done so — as Github Issue #3166. Therefore, I posted here again, to close the loop. I hope that both issues will be brought to the attention of the devs. In addition, the entirely separate (third) issue described by @Jmac in the OP of this thread is also worthy of discussion and mitigation.

bw-admin · July 23, 2022, 9:59pm

Rest assured, all information has been passed along to the team for review.

Mycenius · December 26, 2022, 8:06pm

As an aside to this discussion: Yes, it would be nice if mobile apps had the same PIN functionality as the Windows PC/MacOS apps/extensions. I’d use alphanumeric in my 6-digit PIN, but as I have 4 devices its not that practical as 2 are iOS - so I don’t believe I can do alpha-numeric there (is this an iOS/Android constraint or just a BW app one?). I am looking to have different PINs for each device, just haven’t implemented it yet as still getting BW bedded down - and my BW knowledge up (as I migrate from 1PW) and would prefer to have consistent numeric only or alpha-numeric for all.

Possibly an argument in favour of a universal sync’d PIN across all devices by vault - or does this potentially introduce a weakness that partially recreates something similar to @Jmac’s OP issue, since same PIN would work on multiple devices?

Mycenius · December 26, 2022, 10:20pm

P.S. Was there any outcome of the investigation? Correct or Incorrect behaviour as reported by @grb? Bug, Known/Not Known or Intentional? If bug or unintentional any fix?

grb · December 26, 2022, 10:42pm

This thread discusses/mentions three separate issues. The first is the behavior reported by @Jmac, which is really a feature request and not a bug. The second and third are bugs that have been reported on Github. You can follow the links to the corresponding bug reports (#3124 and #3166) to check the current status. Both of these are still open issues, but some partial fixes have been released to address #3166. I have not had time to do further investigations into these issues since I posted the above information in July, but the bug reports on Github contain detailed instructions for how to reproduce these two bugs — thus, feel free to do some testing on your own and report back here.

Mycenius · December 26, 2022, 10:52pm

Cheers - and yes was referring mainly to your items and sorry my bad - was aware of the GitHub entries for them and didn’t think to review any updates there! I’d vote for the unique identifier appended to PIN @Jmac suggested - but isn’t that already present (was sure I read another thread that talked about it)?