Somewhat disappointed

So this is somewhat of a rant, and how I am kinda disappointed with things. I love Bitwarden, but I just want to see the project grow.

So I moved to Bitwarden a while back, after the LastPass free tier ended. I knew they would no longer focus on security, and it was only a matter of time before the proverbial shit hit the fan. And it did.

Then, other password managers started being scrutinized.

Bitwarden did get a few things right, by ensuring all of the vault contents are encrypted. But it really dropped the ball with server-side derivation rounds. What is up with that?? I don’t have the security/programming skills to implement these very important and security-sensitive features, so I do the next best thing. Premium subscription.

Serious question. Why aren’t more enc methods being added? People have been literally begging for them for years. I just noticed Argon was being tested by a community contributor. Why are encrypted exports “broken”? Why isn’t there a method that’s account independent, so that I can save it off somewhere else? Why is encrypted export using only 100,000 rounds of PBKDF2? I don’t mean to be rude to any of the employees or throw shade, but I genuinely don’t know how else to pose this question, and this is an honest question. Why isn’t more effort coming from the employees? Am I missing something? Have I not looked at the repos long enough to realize it’s “the company”?

I think it’s time Bitwarden stopped sitting on laurels and actually implemented more “modern” features, not through community effort, but through “the company”. It just feels like the roadmap is filled with more outcomes for business users (I mean, I get it, but something has to trickle down to individual users, right, right?). Also feels like “the company” is just selling the open-source effort to businesses.

Is it just me that feels this way?

To put things into context: If you use a very bad password, no amount of iterations, or even argon2, will save you. Upping from 100k to 600k iterations doesn’t add as much cracking resistance as just one random letter. Argon2 improves things by a few orders of magnitude, depending on configuration.

So while argon2 is a nice addition, and certainly brings more fairly bad passwords into the “prohibitively expensive to crack” range, PBKDF2 at 100k rounds is already enough to make most passwords prohibitively expensive to crack. At 600k iterations, it is 6x slower to crack, not even an order of magnitude. PBKDF2 at 100k rounds does not make Bitwarden insecure. Bad master passwords do.

Also, while I did write initial support for Argon2 as a community PR, the Bitwarden team has at this point also done a lot of work on the pull requests.

Anyways, for encrypted export I have a pull request open that adds support for more rounds and argon2, but in the meantime you can always encrypt your exports yourself using other tools. I might have to re-base it once argon2 support is merged. And them being “broken” only applies if you select a password-protected export. If you export using your account’s encryption key (the default), then it doesn’t even use any KDF, just your account’s encryption key.

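As an added worked example (not code from this thread, and not Bitwarden’s own code), the following Python script puts numbers on the argument above. It derives keys with PBKDF2-HMAC-SHA256 from the standard library, times a single guess at 100,000 and 600,000 iterations, and expresses both the iteration count and the password’s guess space in bits of attacker work, so the “6x versus one random letter” comparison can be checked directly. The iteration counts, the assumed attacker rate of 1e10 HMAC operations per second, and every password and salt in it are constructed for illustration and say nothing about what any Bitwarden client or server actually uses; Argon2’s memory hardness is not modelled.

```python
import hashlib
import math
import time

# Constructed example parameters: the two iteration counts the thread argues
# about. They are not a statement of what Bitwarden uses today.
ITER_OLD = 100_000
ITER_NEW = 600_000


def derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the KDF under discussion, with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(iterations: int,
                      password: bytes = b"correct horse",      # constructed
                      salt: bytes = b"constructed-salt") -> float:
    """Wall-clock cost of one guess at this iteration count on this machine."""
    start = time.perf_counter()
    derive(password, salt, iterations)
    return time.perf_counter() - start


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from a charset."""
    return length * math.log2(charset_size)


def work_bits(charset_size: int, length: int, iterations: int) -> float:
    """log2 of the total HMAC rounds needed to exhaust the password space.

    Every guess costs `iterations` rounds, so total work is
    charset_size**length * iterations; in bits, that is the sum of the logs.
    """
    return password_bits(charset_size, length) + math.log2(iterations)


def iteration_gain_bits(old_iterations: int, new_iterations: int) -> float:
    """Extra bits of work bought by raising the iteration count alone."""
    return math.log2(new_iterations / old_iterations)


def extra_char_gain_bits(charset_size: int) -> float:
    """Extra bits of work bought by one more random character from the charset."""
    return math.log2(charset_size)


def expected_crack_seconds(charset_size: int, length: int, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected time to crack (half the space) at a given raw HMAC rate.

    `hmac_per_second` is an assumed attacker speed. PBKDF2 has no shortcut,
    so the attacker's per-guess cost scales linearly with the iteration
    count, exactly as the defender's does.
    """
    expected_guesses = charset_size ** length / 2
    return expected_guesses * iterations / hmac_per_second


if __name__ == "__main__":
    lower = 26
    print(f"iterations {ITER_OLD} -> {ITER_NEW}: "
          f"+{iteration_gain_bits(ITER_OLD, ITER_NEW):.2f} bits of work")
    print(f"one more random lowercase letter: "
          f"+{extra_char_gain_bits(lower):.2f} bits of work")
    for length, iters in ((8, ITER_OLD), (8, ITER_NEW), (9, ITER_OLD)):
        print(f"{length} random lowercase @ {iters:>7}: "
              f"{work_bits(lower, length, iters):.1f} bits")
    # Assumed attacker: 1e10 HMAC-SHA256 per second (a single high-end GPU
    # is in this range for PBKDF2-HMAC-SHA256; constructed figure).
    for iters in (ITER_OLD, ITER_NEW):
        days = expected_crack_seconds(lower, 8, iters, 1e10) / 86400
        print(f"8 random lowercase @ {iters}: ~{days:.1f} days at 1e10 HMAC/s")
    print(f"local cost per guess: {seconds_per_guess(ITER_OLD) * 1000:.0f} ms "
          f"@ {ITER_OLD}, {seconds_per_guess(ITER_NEW) * 1000:.0f} ms @ {ITER_NEW}")
```

Raising iterations multiplies the attacker’s cost by a constant, so it adds a constant number of bits (log2(6) for 100k to 600k, about 2.6 bits); each extra random character multiplies it by the charset size (log2(26), about 4.7 bits for a lowercase letter). Read the output as a comparison of the two knobs, not as a claim about any specific vault.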

This is really an overstatement (probably motivated by an overly sensationalistic blog post that has been making the rounds recently). Read this for a better perspective. The way I look at it is that the product was already strong, and by adding yet another layer or two of protection (which they were working on even before the blog drama), they have made it even stronger.

This is outdated information. Account-independent encrypted exports have been available since last October.

A big priority for the developers right now is working on compatibility with Manifest V3, likely involving a major rewrite of the entire code-base for the browser extensions.


P.S. FYI, I moved this topic from the Feature Request category to the Ask the Community category.

Whoops, you’re right, missed it, my bad.

My point was why weren’t the rounds done on the client? Why did the client let the server handle the rest of the rounds. I understand “number of rounds” is a bad metric, but that’s the only algo available on Bitwarden. I am not sure if you and I are referring to the same blog, but I have already read the post (toot? tweet?) that you linked.

As for the point that a bad password won’t be saved regardless of the algo, that’s true. I just expect much more from a product that is entrusted with keys to the proverbial castle - ALL of my other accounts. Surely that has to mean better security practices than “100K is good enough if you have a strong enough master password”.

While I get the onus is on the user to use passwords better than “[email protected]” as the master password, I sure as heck expect Bitwarden to not just follow the status quo of other websites-with-logins of using 100K rounds (for what it’s worth), since there is a lot more at stake, 1 account vs literally 100s, all at once.

Thank you Quexten for your contributions! I hope you get paid for this lol. This was supposed to be Bitwarden’s “job”.

I can only speak for my own experience, which has been head over heels better with Bitwarden than it was with my old password manager. My perception is that the folks at Bitwarden are very much on top of it and implement strategies that are truly valuable rather than the “chrome”.

YMMV of course, but I’m very pleased that I made the switch.

Don’t get me wrong, I am heckin pleased too, and am glad I switched to Bitwarden.

I don’t mean to say Bitwarden is bad, or that I don’t like it. I love it! I am really glad to use it too! Heck I pay for the thing!

It’s just, I expected more, a tad more, than “we’re as good as other password managers”. I just wish to see the tool become the gold standard, setting an example on how to do things right. That’s a tall request, I know, but things like better encryption, better safety are things that could be sorely improved.

Bitwarden’s main differentiators are that it offers cloud syncing, cross-platform compatibility, and an open-source model.

This misunderstands the open source model. It is the community’s role to contribute code and other support to the project. It is the company’s job to also contribute code and to pick up key code changes from the community. If the “company” does not, the community will fork the code. See devs developing Argon2, iterations being increased to 600k for new users, double-encrypting the vaults, plus the passwordless.dev acquisition.

It makes sense they would spend time developing the enterprise side of the business. Successful open source projects do this, as it allows them to stay sustainable with retail customers.

It is the company’s job to sell the product and services built around the code. That’s the idea. See Fedora. If they don’t price it right for retail… the community forks the code. You’ll see that Bitwarden has a full-featured free plan that competitors can’t match and a dirt cheap premium plan for this reason.

One note: I came from LastPass. It cost a lot more. It’s a black box. Lots of features but now bloated. Bitwarden is actually a better product with more efficient workflow. My TOTP codes and attachments can sit in the login file, unlike LastPass. I can right click after autofill and paste the TOTP code. I can export an encrypted vault. No open source project and related product is perfect. But, this is a hell of a lot better and cheaper than LastPass.