This is not true.
This statistic seems made up. Please provide a source for this claim.
You should review the Community Guidelines, specifically the rule about misinformation on the forum.
Here, most cyber attacks are based on cracking the user's password.
This is mostly done by outsiders, sir.
So even if an outsider cracks the Bitwarden password, he will not be able to log in to Bitwarden if we have whitelisted IP protection.
The function of whitelist IP protection is to allow only whitelisted IPs and whitelisted dynamic DNS URLs to log in to Bitwarden. (So if a person has cracked the password and tries to log in to Bitwarden, he will not be able to log in, sir, because he is not using a whitelisted IP. The whitelisted IP of a Bitwarden user will be the home static IP of his broadband or his home dynamic DNS.)
So the attacker needs that IP or dynamic DNS to log in to Bitwarden. That is impossible for the attacker, because the attacker needs access to the internet connection used by the Bitwarden user.
The other 5% risk is now from the user's own family in his home, because the user's family can bypass this protection, as they are using the Bitwarden user's internet connection.
The next and final chance is directly attacking the Bitwarden server to get the user's password, so the user side shares 2.5% risk and the Bitwarden side has 2.5% risk.
Sir, I am working as a cyber security advisor for some companies. In my work experience we gathered this information, sir.
You can also R&D this IP whitelist security and check how effective it is, sir. If you are not satisfied, you can drop it.
@rajagopalan181 @grb I moved this discussion into this Feature Request, to which I had already moved @rajagopalan181’s corresponding request from a few days ago, as this discussion is not directly related to the new device verification thread, where it was located before.
PS:
I guess you, @rajagopalan181, meant that as a hypothetical and/or “request” - in the sense of “if Bitwarden had that, then…”?! (I deduce, or rather speculate, that from your expression “it will be”… and - as written above - as you requested the same thing a few days ago…)
The proper solution to this is to strengthen the credential, by generating a long, strong, random password and enabling MFA (TOTP, Yubikey, Passkeys, etc.).
Whitelisting might have its place, but it is not a substitute for strong credentials.
Herein lies a problem. The second, often ignored, risk is losing access to one’s own vault. What happens when the home’s IP address changes? How does the user log in to add the new address?
In a separate thread you indicated you are self-hosting. In that case, your home firewall is a much better location for the whitelist because it can be updated via physical access to the console.
If you have evidence that Bitwarden servers are at 2.5% risk of compromise, please urgently share the exploit with Bitwarden, so that they can fix the flaw. There may be a reward in it for you.
For dynamic DNS users
Every dynamic DNS has a URL. That dynamic DNS URL will be whitelisted in Bitwarden, so when a person tries to log in to Bitwarden, his IP will be resolved and checked against the URL. If the URL matches, it will be allowed, or else it will be blocked.
For static IP users
It is very simple for static IP users: their own IP will be entered in the Bitwarden IP whitelist area.
In the world of cyber security we cannot make anything 100% secure, but we can try some methods to make an attack much more difficult for the attacker,
so this IP whitelist is one of the better solutions.
This IP whitelist concept is a zero trust security concept: only trusted IPs and URLs are allowed.
So my security idea is purely from the zero trust method, so it is effective against most attacks, and this concept is used by many government organizations and big enterprise companies.
This IP whitelist security feature should be given as an optional security feature to the user; if the user needs it, he will enable this security feature.
My house is an exception to this, as are those for all my friends and family. My ISP provides an IP address via DHCP, but it does not register it with any of the DDNS providers.
Incidentally, Bitwarden already maintains a white/blacklist, complete with an email-based method to authorize a new device. The only real difference is that theirs uses a per-device unique identifier instead of relying upon IP address stability.
No ISP will be registered with any dynamic DNS; as users, we have to register a dynamic DNS ourselves, like ClouDNS.
Giving an additional optional security feature like an IP and dynamic whitelist, for users to protect their accounts, both personal and business, gives an extra add-on for the user to protect their account.
Giving an additional optional security feature is not a wrong thing.
Zoho Vault and LastPass already use this IP whitelist security feature on personal and business user plans.
Zoho Vault shows a demo of its security at the provided link.
I like the idea, big range of protection, but what about if someone travels a lot?
They will use their home VPN to access Bitwarden.
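The allowlist check discussed in this thread (static IP entries plus dynamic DNS names resolved at login) can be sketched as follows. This is an added example, not part of any post above and not Bitwarden code; the function names, the `home.example.net` hostname and the documentation-range addresses are assumptions made for illustration. It includes the lockout case raised in the thread, where the home address changes before the DNS record does.

```python
import ipaddress
import socket

def resolve_host(hostname):
    """Return the set of addresses a dynamic DNS name currently resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()  # fail closed: an unresolvable name matches nothing
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def is_login_allowed(client_ip, static_entries, ddns_hosts, resolver=resolve_host):
    """Decide whether client_ip is on the allowlist; returns (allowed, reason)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    for entry in static_entries:  # static IPs or CIDR ranges entered by the user
        if ip in ipaddress.ip_network(entry, strict=False):
            return True, f"static entry {entry}"
    for host in ddns_hosts:  # names are re-resolved on every login attempt
        if ip in resolver(host):
            return True, f"dynamic DNS host {host}"
    return False, "address not on allowlist"

# Constructed sample data: documentation address ranges and a hypothetical DDNS name.
STATIC = ["203.0.113.10", "2001:db8:1::/64"]
DDNS = ["home.example.net"]

def fake_resolver(records):
    """Offline stand-in for DNS so the example runs without network access."""
    return lambda host: {ipaddress.ip_address(a) for a in records.get(host, [])}

def demo():
    dns = fake_resolver({"home.example.net": ["198.51.100.7"]})
    return {
        "static_v4": is_login_allowed("203.0.113.10", STATIC, DDNS, dns),
        "static_v6": is_login_allowed("2001:db8:1::42", STATIC, DDNS, dns),
        "ddns_current": is_login_allowed("198.51.100.7", STATIC, DDNS, dns),
        # ISP re-assigned the home address but the DDNS record is still stale:
        "ddns_stale": is_login_allowed("198.51.100.99", STATIC, DDNS, dns),
        "outsider": is_login_allowed("192.0.2.55", STATIC, DDNS, dns),
        "garbage": is_login_allowed("not-an-ip", STATIC, DDNS, dns),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `ddns_stale` case is denied even though the request comes from the legitimate user, so a deployment of this kind needs a recovery path that does not depend on the allowlist itself.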