Security: end-to-end encryption, but master password entered in web form

Hi,

I wonder how I can be sure that BitWarden lives up to the following promise when I use the pricing plan “free organisation”:

“Bitwarden uses end-to-end encryption for all vault data. Only your email and master password can decrypt your vault. Bitwarden does not have the ability to see any data in your vault.
Since your data is fully encrypted before ever leaving your local device…”

I have to send my master password to the bitwarden server for creating an account – as I can not know what’s running on that server, I have to assume that the password would be available to the server.

Keepass e.g. is running purely offline (i.e. no cloud, no server to login), and even syncing databases happens locally. That way I can be sure nobody has access to my master password.

Bitwarden's advantage is obviously with cloud storage and syncing, but at the same time, if I don’t host the server myself, I don’t know what’s going on there.

2 Likes

Where did you hear/read that? I’m pretty sure your master password doesn’t leave your device.

1 Like

Well, I have to fill in the master password on Bitwarden’s web interface when creating a free account:

https://vault.bitwarden.com/#/register?org=free

Don’t worry. Your password doesn’t go anywhere. It is only used to encrypt/decrypt your vault.

Thanks for the fast responses.

So this implies that I have to trust a third party to handle a sensitive password properly.
Security should rather not depend on trusting a third party.
But even if I trusted the third party, servers can get compromised.

Using a master password online unfortunately is a dealbreaker for me – it’s the one password I’m not gonna send anywhere.

1 Like

Bitwarden’s source code is free to inspect. If you still have any doubts, you are free to download the software and host it on your own infrastructure.

I understand the issue with trusting third parties but I don’t think Bitwarden could be any more open. Even if their server was compromised, all your data is still encrypted and unreadable.

3 Likes

Perhaps this helps: Compliance, Audits, and Certifications | Bitwarden Help & Support

@stsc I think you misunderstood me. For you and other newcomers here I want to clarify some things. While I myself am very far from being an expert, I see that you don’t quite understand how password managers with online syncing work.

There is always a little bit of trust. You trust that Microsoft doesn’t spy on you through Windows, right? Or Facebook. Despite being a relatively new company, Bitwarden has proven itself in many ways. It’s open source with active community, active dev team (which you won’t find on many other places), has been proven secure by third party and more…

If the servers get compromised, literally nothing will happen (unless your master password is 123456), as anything there is encrypted.

I will repeat myself. Your master password doesn’t go anywhere. You are NOT sending it anywhere. It stays on your computer.

While every online password manager does things a little different, here is the general idea explained by an actual expert:

3 Likes

Bitwarden’s source code is free to inspect.

Which is why I would trust the client-side software, but I won’t be running a Bitwarden server (maybe our IT will be willing to do so).

Even if their server was compromised, all your data is still encrypted and unreadable.

Well, the server can at some point see my password (at least once, when I create the account via Bitwarden’s website, I send the master password encrypted via https, which implies that the server can see the plaintext).

Maybe my thoughts get clearer when comparing with Keepass, which is w/o server infrastructure and only encrypts/decrypts locally.

I use a SFTP connection to download a cloud hosted Keepass database and to sync it with the local database.
A master password (which is never used on a website) is used for encrypting the database.
A separate password is used to login to the SFTP server.
The encrypted database is downloaded, then decrypted, synced & encrypted locally, and uploaded as encrypted database again.

Of course my local system could get compromised, but a) that’s my responsibility and b) I still rule out some possible security issues when not using the master password on a website.

@stsc It may help to explain that the web client isn’t a web page, it’s an entire javascript application that is displayed in the context of a browser, so it is effectively the same as using a desktop or mobile client, ensuring that we don’t ever get your Master Password.

The code for the web vault can be seen here: GitHub - bitwarden/web: The website vault (vault.bitwarden.com).

Here’s a broadcast we did to talk about how this works:

8 Likes

If your threat model and risk appetite are most compatible with KeePass, then perhaps that is the right tool for you. Do get a full understanding of Bitwarden first, though - as has been stated by @Nik1, Bitwarden does not have access to your master password.

Also, bear in mind that Bitwarden has been audited by an independent third party. In terms of trust, there isn’t a great deal more Bitwarden can do!

6 Likes

To add to what the others have said.

It is possible to monitor what Bitwarden sends to and from cloud storage. I have done it myself and others (who are much better at IT than me) have done it too. It does what the documentation says it does.

2 Likes

thanks guys for the answers – I think we’re on the right track :) Basically I’m looking for an alternative for Keepass2 which is more convenient. Some of my requirements are platform independency and syncing.

Keepass2 (which has a “limited” sync feature) is only running via wine/Mono on Linux and has some other limitations reg. syncing.

A solution like Enpass (dealbreaker: not open source) or Bitwarden would be exactly what I need, and I’m just trying to understand the concept and implications before using sth. new.

@Nik1
thanks for the consideration, but actually the video does not contain any news for me. While I’m not very familiar with many protocols, you can assume that I have some understanding of crypto concepts and algorithms.

I should have the wits to understand Bitwarden’s concept with your help, so please bear with me for a little more.

And yes, I need some trust, but I can try to reduce it by not using proprietary SW and e.g. using Tails Linux for highly security critical tasks.
And of course I’m also happy to rely on security audits and code reviews for crypto SW, because neither I’m capable nor do I have the time to review and understand it all on my own.

@tgreer, Davidz, @Nik1

I will repeat myself. Your master password doesn’t go anywhere. You are NOT sending it anywhere. It stays on your computer.

It may help to explain that the web client isn’t a web page, it’s an entire javascript application that is displayed in the context of a browser,

I think we’re getting closer to me understanding Bitwarden’s concept.

I know that the Bitwarden browser extensions are no web applications – I’m not concerned about those.

But when I create my account, I’m not necessarily having the browser extensions installed – I’m using Bitwarden’s website and a form where I have to enter my master password.
Here (and I may be wrong) I implicitly assume that the data entered there is sent to the web server (and the master password and email probably are the only sources for the KDF – I don’t see another offline-only “secret key” being used as in the video suggested by @Nik1).

This is the one issue which deterred me when checking Bitwarden.
(With Keepass2, it’s easy to realize that the password never has to leave the local system.)

@tgreer , Davidz

So you’re saying that with Bitwarden, the master password is not even once sent to the server while registering for an account via website and form, but that the Javascript already uses the KDF and only sends the derived value (and that JavaScript code can obviously be reviewed, and the traffic checked, as Davidz did)?

Or did you only refer to the browser extensions that are used later on?

Basically this thread boils down to this question…

Yes, the master password never leaves your device, including the registration process.

6 Likes

@stsc If you don’t trust a cloud-based password manager, you can use KeepassXC, which is open-source and pretty user friendly. You can also backup the KDBX file to a USB, or sync it to Onedrive, iCloud, or Sync, which is end-to-end encrypted.

@Nat

yes, I’m using KeepassXC in the moment, as well as Keepass2. But for KeepassXC…

  • the clients for different platforms are not one-stop
  • syncing is not provided, i.e. I need to download/sync/upload via WebDav or sth. similar
  • syncing does not result in two “binary-equal” databases (locally and remote) (as it – in my head – should be)

The sync feature of Keepass2 is better in that regard, but Keepass2 has other limitations (not available with sync feature for all platforms; Mono; limited protocols like FTP).

Bitwarden possibly provides all those features.

To add to what has been said https://bitwarden.com/help/article/what-encryption-is-used/ may help.

PBKDF2
PBKDF2 SHA-256 is used to derive the encryption key from your master password. Bitwarden salts and hashes your master password with your email address locally, before transmission to our servers. Once a Bitwarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in our database.

The default iteration count used with PBKDF2 is 100,001 iterations on the client (client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default). The Organization key is shared via RSA-2048.

In other words, the first stage happens on your device. The hashed password is then transmitted to Bitwarden (where it is hashed further, but that is irrelevant to your point). The chances of Bitwarden being unable to undo the hashing are small, even if they wanted to.

2 Likes

Yes, by now it’s understood from my side.

My (wrong) assumption was that data from the website’s form is sent as is to the server.
I didn’t think that (as I roughly understand it now) a (verifiable) JavaScript program, prior to sending data to the server, derives an auth. key which is sent to the server, and derives yet another key which also stays offline and is used to en-/decrypt the vault.

I’m not very familiar with web development, but I guess that this should almost be a default behaviour for websites’ password forms, although we regularly see it’s not when servers are compromised and passwords are leaked in plaintext form.

I’ll be happy to try Bitwarden.

What’s missing (acc. to some posts) is an offline/sync feature.

I’ve seen some posts where they ask for this feature, because editing the vault seems to be possible only while online, and while offline, the latest state of the vault is available read-only.
I think Keepass2 just uses timestamps to sync – which of course could lead to undesired behaviour in some scenarios.

Anyway, offline read-only access should mostly suffice for my requirements.

Thanks for the helpful responses!

1 Like
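To make the scheme from the quoted help article and the summary just above concrete (local PBKDF2 key that never leaves the device, a separate derived value sent at registration, server-side re-hashing with a random salt), here is an added Python sketch. It is not Bitwarden's code; the iteration counts are the ones quoted in the article, while the exact way the transmitted auth hash is derived from the local key (one extra PBKDF2 round) is an assumption made for illustration.

```python
import hashlib
import hmac
import os

# Iteration counts as quoted from the Bitwarden help article in this thread
CLIENT_ITERATIONS = 100_001
SERVER_ITERATIONS = 100_000


def derive_master_key(email: str, master_password: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: PBKDF2-SHA256 of the master password, salted with the email.
    This key stays on the device and is what protects the vault contents."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), iterations, dklen=32)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: the only value that is transmitted at registration/login.
    Assumption (not stated in the thread): one further PBKDF2 round over the
    local key, so the server receives neither the password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, dklen=32)


def client_register(email: str, master_password: str) -> dict:
    """Returns what leaves the device and what stays local, kept apart."""
    master_key = derive_master_key(email, master_password)
    return {"sent_to_server": derive_auth_hash(master_key, master_password),
            "kept_locally": master_key}


def server_store(auth_hash: bytes) -> dict:
    """Server side: salt the received hash with a random value and run
    another 100,000 PBKDF2 iterations before storing it."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Server side login check: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])
```

Note that `kept_locally` is never passed to any `server_*` function; that separation is the whole point of the "password never leaves your device" claim.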

Proper password software should work in a similar way, or something equally secure, though as most are not open source we don’t know.

Web browsers’ storage of passwords is full of holes and that is one of the reasons why they are not suitable places to store passwords.

Websites’ storage of passwords is probably fairly useless, given the number of leaks you typed about. That is why it is sensible to use a password manager to generate a unique password for every site. That way compromise of one does not compromise all. Bitwarden can report compromises.

It wouldn’t even matter if the master password was entered into a webpage, as if that webpage (running in your browser) was then encrypting the MP before sending it to BW, and discarding the unencrypted version. It’s all still running on your computer.

Further reading that should blow your mind…