Salted password bruteforce scenario


#1

Hello,

Something is bothering me with this entry:

https://help.bitwarden.com/article/password-salt-hash/

If I’m right, it’s like this:

Crypto(masterpass,email) —> bitwarden.com/#vault

Given that, for a targeted attack, an attacker just has to bruteforce the masterpass by replaying the crypto function X times, since my email and the crypto function are not secret.

An attacker needs to get the hash, but with mitm or a server dump it’s still possible, since the hash is sent to the server.

And an offline attack is possible: since the database is replied back, an attacker (or hotspot/proxy owner) can retain the hash and the database for an offline hack.

I hope I’m wrong, but I like facts :slight_smile:

Thanks in advance,
SD


#2
  1. You’re right.
  2. All online password managers are like this. Bitwarden lets you select the iteration count for pbkdf2, so if you are so worried you should set it high.
  3. Your master password should be high entropy anyways.

If your threat model includes people that are actively tapping all of your communications, consider using something offline like keepass.


#3
  1. Thanks for confirmation (even if it’s a little bit too simple to look true :grin:)

  2. Source? 1password seems to use something more geeky for this feature (1password security design whitepaper)

2.1 Cure53 audit result recommended using scrypt instead of pbkdf2, I’ve found no remediation information on the forums

  3. Of course, but who knows how far GPU cracking will go in 2019

#4

The best solutions are often the simplest ones! Complexity opens up room for mistakes.

The security of cryptography lies in the key, i.e. your password. It is expected that the attacker knows how the algorithm works and how the salt is built.

The salt does not have to be complex, only relatively unique. Its purpose is to prevent the use of rainbow tables to crack your password.

Scrypt is a more memory-intensive algorithm, designed to counteract things like cracking using GPUs.

That does not mean that pbkdf2 is any less secure, however. All of this is really only a concern if you use a weak password in the first place.

Not that far :grin:

And if it ever gets that far, I’m certain we’ll have switched to stronger algorithms by that point in time.
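
An added example, not part of the thread and not Bitwarden's own code: it models Crypto(masterpass, email) from post #1 as PBKDF2-HMAC-SHA256 with the email as salt (a simplifying assumption) and shows how the iteration count and the master password's entropy set the average cost of an offline search. The accounts, iteration counts and hardware rate are constructed values.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive(master_password: str, email: str, iterations: int) -> bytes:
    """Assumed model of Crypto(masterpass, email): PBKDF2-HMAC-SHA256, email as salt."""
    # Assumption: the email is trimmed and lowercased before use as the salt.
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def guesses_per_second(prf_rate: float, iterations: int) -> float:
    """One password guess costs `iterations` PRF calls, so the rate falls linearly."""
    return prf_rate / iterations


def expected_years(entropy_bits: float, guess_rate: float) -> float:
    """Average time to find a password drawn uniformly from 2**entropy_bits candidates."""
    return (2 ** entropy_bits / 2) / guess_rate / SECONDS_PER_YEAR


def cost_table(prf_rate, iteration_counts, entropy_levels):
    """Rows of (iterations, entropy_bits, expected_years) for side-by-side comparison."""
    return [(n, bits, expected_years(bits, guesses_per_second(prf_rate, n)))
            for n in iteration_counts for bits in entropy_levels]


if __name__ == "__main__":
    # Same password, two constructed accounts: the salt makes the hashes differ,
    # so a table precomputed for one account is useless against the other.
    for email in ("alice@example.com", "bob@example.com"):
        print(email, derive("correct horse battery staple", email, 100_000).hex()[:16])
    # Constructed assumption: hardware doing 1e10 HMAC-SHA256 iterations per second.
    for n, bits, years in cost_table(1e10, (5_000, 100_000), (30, 50, 70)):
        print(f"iterations={n:>7} entropy={bits} bits -> {years:.3g} years on average")
```

Raising the iteration count multiplies the cost by a constant factor, while each extra bit of password entropy doubles it, which is why both replies stress a high-entropy master password.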