Suppose a hacker got my BW credentials

Could they do anything with it? BW doesn’t allow remote login AFAIK, so w/o access to my device(s) BW credentials are of no value to hackers. Am I missing something?


Unless you are self-hosting and restrict access, your Bitwarden vault can be accessed on the cloud by anyone who has your login credentials. That is why it is so important to enable two-step logins to protect your account.

See more here:


So it’s not secure enough that the BW Password Strength Testing Tool says it would take 31 years to crack my password, which I have memorized and enter to access anything in my BW vault?

I believe your question was suppose a hacker had my credentials? That’s a different question than is my password secure enough? :slight_smile:

I thought, “it wouldn’t do a hacker any good to have my BW credentials”, as I was not aware your BW vault can be accessed on the cloud by anyone who has your login credentials.

Is it a fair follow-up to ask, “how COULD someone gain access to my BW login?” The only way I can think of is a hacker running a brute strength algorithm seeking to exploit a weak password.

Ah, OK. I understand.

If you are using a strong, unique password, brute force algorithms won’t work, even if the attacker were able to download your encrypted vault somehow.

The more plausible attack vectors are malware on your computer that records keystrokes, or someone looking over your shoulder and observing your login. Neither is particularly likely, but both are plausible.

Regardless, two-step authentication will help to mitigate these attacks because it requires that anyone logging in to your account must be on a trusted device that passed the two-step authentication. For two-step methods, I suggest either an authentication app (free) or a security device (Premium feature) because those authentication methods require access to a specific device.


FYI, unauthorized access to the encrypted vault is not such a remote possibility. At least for users of the Chrome browser extension, the encrypted vault data (including all cipher strings, as well as copies of the protected symmetric encryption key and of the master key hash) resides more or less permanently on disk, even when the user has logged out of the browser extension and exited the browser. Thus, someone with physical access to your device (e.g., an “evil maid”) could grab a copy of your vault for off-line cracking of the master password. So it is critically important to always use a cryptographically strong master password.


Thanks for sharing your opinion, @grb. It is good to have a diversity of viewpoints represented.

Regardless, as I said above, if you are using a strong, unique password, brute force algorithms won’t work.


This just happened to someone I know. But I think good antivirus is the solution to this threat, not 2FA.

A way to help against this is to get two-factor authentication with TOTP authentication as well as a physical hardware key such as a YubiKey by Yubico, which during login requires user/pw and then the physical YubiKey to log in, no matter if they knew the credentials.

What I do is use several high-level security features:

  1. a pw that is 100 characters long (I wouldn’t recommend this unless you know how to remember it)
  2. change my pw every 3 months
  3. YubiKey hardware authentication
  4. TOTP authentication
  5. encrypted export in an encrypted file for local use only, in case it needs to be restored.

If you decide to buy a YubiKey, I recommend you buy 2 of them and carry one everywhere with you like a car key, and store the other in a secure place.

With 1, 3 and 4, isn’t that awfully cumbersome to traverse every time you want to access something in your vault, or am I missing something?

You are right, 2FA won’t protect against keylogging. But it will always mitigate the consequences, no matter how an attacker is able to get your credentials.

Imagine your antivirus doesn’t (yet) detect the malware used. Imagine a sophisticated attacker uses legitimate remote administration tools to compromise your device. Imagine somebody is successfully watching you enter your password, e.g. using video surveillance.

In every scenario, the attacker only needs one thing to access all your passwords: your static credentials.

2FA adds a dynamic and separate component into this. Even if an attacker is able to log in, he won’t get access to your account since he is missing the 2nd factor. Additionally, Bitwarden will send an email stating that somebody tried to access your vault from an unknown device, so you know you have been compromised.

Personally, I’m just using an OTP generator on my smartphone for new logins. If somebody tried to access my Bitwarden vault, both knowledge of my (long and secure, but easily remembered) password and access to my smartphone would be necessary.


@dh024 The fact that users of the Chrome browser extension are currently vulnerable to vault exfiltration by an evil maid attack is an objective reality, not an “opinion”. Anybody can simulate such an attack on their own vault by following the simple steps described in Bug Report #3124 posted on Bitwarden’s GitHub repository. Bitwarden has responded that they are in the process of looking into the issue, so hopefully they will have a fix soon.

Now, this is an opinion. :wink: I completely agree with the sentiment, but saying “won’t work” is too strong of a claim, since password “strength” is not unambiguously defined, and since we know nothing of the user’s value as a target or the capabilities of the adversary. The point of my previous post, though, was that if you do not currently have a “strong”, randomly generated master password, you probably should not be using the Chrome browser extension (and you should generate a more secure password or passphrase a.s.a.p.).

I really dislike having to validate logins on one device from another – where the hell is my phone? I need to look into desktop apps, e.g. Authy. That said, and I do agree on the value of 2FA, I still have concerns about workflow. I was hoping typing a complex, memorized password every time I access something in my vault would be sufficient. I guess you can mitigate the pain by setting a timeout, but that’s a security hole, isn’t it? As long as my vault’s open it’s vulnerable to attack.

1 - isn’t for the average or even higher-than-average person unless they have methods to remember, or a method to obtain, a longer pw.

3 - not necessarily; I carry mine like car keys, and having it with NFC capabilities I can use it even on my iPhone. It’s mainly used to unlock the vault if you are not logged in; after login, set a long PIN number.

4 - TOTP authentication can be tedious, but also you can’t have both convenience and security. The more convenient something is, the less secure it is; the more secure it is, the less convenient it is. Hell, I don’t even save pw in my web browser, so me logging in every single time is tedious and not convenient, but it’s more secure since I travel with it, and in the case it’s stolen or lost, even if they somehow were able to get past several security measures, they still wouldn’t have anything logged in for them.

When your vault is locked, it is by definition not “open”.

Vulnerabilities exist in both cases, but they are limited. If your vault is locked, then someone with physical access to your device could in principle get a copy of your encrypted vault, from which they could in theory extract your master password and all stored secrets by brute force. In my opinion, you should accept this possibility, and ensure that your master password is sufficiently strong that the probability of a brute force attack succeeding becomes vanishingly small.

If your vault is unlocked (“open”), then the decrypted secrets (account logins, etc.) and probably also your master password are stored in plaintext in your computer’s memory. Again, the main vulnerability is from someone with physical access to your device. If you’ve left your device unattended with the vault unlocked, then anybody could simply open your Bitwarden client app and browse all of your stored items. A more sophisticated attacker could use a memory dump or hex editor tool to extract the unencrypted contents of your entire vault (and probably also your master password) by directly reading the memory associated with the Bitwarden process. The lesson here is to never leave your device unattended with your vault unlocked.


@pdsec what kind of threat model do you have that would anticipate your master password being leaked without you finding out for 3 months, despite your use of 2FA?

One of the stated benefits of password managers is that by using unique passwords everywhere (including, and especially for your master password), there is no need to change passwords unless there has been a password leak.


Agreed… I see that Authy requires QR code scanning with a phone. Ugh. Is there any good authenticator s/w that will send the code to email or directly to the running app?

@grb I typically just do it for my preference. My pw are all unique, and with it 100 char long I moved it more to 6 months, but in security it’s good practice to change it, maybe not as much as me. My threat model is pretty intensive. I typically go over and actually attempt to break into my own vault and see, even down to recovery methods, if I were locked out.

My general standard for pw is 35 char minimum, even for the basic login, and typically a randomly generated username and a privacy email address for each account. People realize a pw manager is used for you to create long, complex and random pw for each account, not to remember. You remember your master pw for Bitwarden, that’s it. Also, waiting for a pw leak to change a pw is like waiting to buy a gun for self-defense until you’ve had a home invasion. The goal should be to prevent, not respond after something has already been done.

Authenticator Apps typically only need a QR code scan to set up the App, not to use the App each time. (Actually, you may not need to scan the code in; copy-&-paste usually works as well.)

Once the Authenticator App is set up, your phone provides access to the TOTP (the 6-digit code) to complete the 2FA.

Authy also offers a Desktop App so, once the App is setup, the 2FA process (accessing the TOTP when needed) can be completed on your PC instead of your phone.