Threat models and how to improve Master Key strength?

New to BW and password managers. To help me set up my account with the right balance of security/usability, it would help to better understand how BW security features (such as the master password and login email) relate to threat models. To start, I would like some advice regarding the choice of a master password/passphrase and my login email account:

(1) I’ve read that the login email is used as a salt when “stretching” the master password. Does this mean that security can be improved by making certain choices for one’s login email address? Or would an attacker who has access to the encrypted vault also automatically have access to the login email (in which case the login email choices wouldn’t matter)? As far as ideas I was wondering about: Would it be safer to use a long/hard to guess email address than a short one? Would there be a benefit in using a unique email address never publicly disclosed (and if so, would the benefit diminish if the domain name was publicly available – e.g., previously used on the internet)? The algorithm for creating the symmetric key is known and therefore reproducible during an attack, so if the attacker knows the email address, they only need to brute force the master password. So I guess my question amounts to: is it possible to force an attacker to also have to brute-force the email address (and if so, how can I make this more difficult to accomplish)?

(2) I know this question must be asked frequently, but I’m still struggling to find a rational basis for deciding on the strength (entropy) required for my master password. I also know that the answer is probably “it depends”, which is why my topic is really a query about threat models. In terms of my value as a target for attack, I’m a garden-variety user (not of interest to the government, not a celebrity, not wealthy). Furthermore, I’d like to think I have a reasonably high level of technological literacy and internet security hygiene (and thus hopefully at lower risk for attacks based on malware and key loggers). Thus, what might be the main threat that my master password is supposed to protect against? I may be mistaken, but I think that a data breach at Bitwarden that results in the capture of my encrypted vault (and my email address login ID??) may be the largest threat. So how strong should my master password be to prevent such a leaked vault from being cracked using brute force, dictionary attacks, and other sophisticated cracking strategies? How much time would be required per attempt, given the 200,000 PBKDF2 iterations that would have to be performed for each candidate?

(3) Have I missed anything obvious in my threat assessment? For example, does my unlocked vault ever live in an unencrypted state on my computer harddrive – in which case a stolen laptop or a stolen backup file may be an issue.

I’m sure I will have follow-up questions, but I’ll stop here for now. Thank you for any guidance you can provide.

Hello @grb - welcome to the Bitwarden community!

I can try to answer your major questions, based on my experiences using Bitwarden and my opinion:

(1) I wouldn’t worry too much about your email address for login - the real security lies in your Bitwarden master password and two-step login (see below). Just don’t ever forget the email address you used to login, or else one day you will be shut out of your vault. And the same goes for the password to your email address - if it is only stored in Bitwarden, that could be problematic.

(2) You questions about master password security are good ones - the strength of that password determines how likely it would be for someone to hack your secrets if they were able to obtain your encrypted vault (e.g., data breach at Bitwarden or someone hacks your computer and finds an encrypted backup). My personal opinion is that you must have a unique and un-guessable password so that a hacker would need to use brute-force methods to find your password. If you make that password at least 13 characters long using a combination of upper & lower-case letters, numbers, and special characters, it is highly unlikely that a hacker could brute-force it in your lifetime. Below is a good chart that illustrates this:

image

(3) I can strongly recommend two things:

First, be sure to enable two-step authentication on your Bitwarden account. Basic two-step login (e.g., authenticator app to generate one-time pin codes) is free for everyone, and more convenient/secure methods are available to premium users. I prepared a video on this for the recent Bitwarden Community Forum, which I have linked below:

Second, you don’t want to leave your vault unlocked on your computer because anyone with physical access can read its contents. The best strategy is to always lock your vault/Bitwarden client when not in use. There are various options to unlock the vault, but I suggest using biometrics or a PIN to avoid the hassle and potential exposure of repeatedly typing in your master password to unlock your vault.

Feel free to post follow-up questions - there is a great community here that is willing to share their thoughts.

[Edited to add that the post below was composed and posted before I saw David’s response above…which I will now read!]

Following up to clarify this part of my second question (and to try answering it myself):

The discussion of passphrase length in Reinhold’s Diceware FAQ suggests that I should use a 6-word passphrase (77 bits entropy), based on the fact that I “need or want strong security, but take no special precautions to protect your computer from unauthorized physical access, beyond locking the front door of your house or office”.

However, the table in this 1password blog post suggests that with 1,000 PBKDF2 iterations, using a GPU-based cracking tool, a 77-bit passphrase would require 3.5 billion years to crack. Since Bitwarden uses 200,000 iterations, this is equivalent to a 7-bit increase in entropy (log2200 = 7.6) compared to cracking the same passphrase iterated only 1,000 times. Thus, a 6-word passphrase seems like overkill.

Unless I have completely misunderstood my reading, I think that for a target like me, attackers would not bother if the mean time to crack was on the order of a decade – which would be the case for a 49-bit passphrase when only 1,000 PBKDF2 iterations are required (per the table linked above). For Bitwarden’s 200,000 iterations, it seems only 41 bits of entropy would be required – which can be achieved with 16 dice rolls. Thus, shouldn’t it be sufficient to use, say, 3 Diceware words plus one randomly chosen special character/number (or 4 words from one of the EFF short lists)?

@dh024 - Thank you for your response to my OP. I have a few follow-up questions/comments:

If it is not too much trouble, I would still like an answer to my question about whether there is any benefit to using an obscure email, or an email that is long/complex? I’ve read elsewhere on the forum, that some BW users prefer to keep their login email address obscured, and I would like to understand why (in the context of the email being used as a salt for computing the Master Key).

Since I have the ability to create a dedicated email address just for by Bitwarden login, I would like some information to help me decide what form of an email address to use.

Edited to Add:

In response to my second question, you wrote:

The chart that you posted is for MD5 hashing. The source article at HiveSystems also contains the following version that is more relevant to PBKDF2-hashed passwords (although it’s unclear from the footnotes whether they have assumed 103 or 105 iterations, nor is it stated whether the values are upper bounds or means):

image

One point I was trying to make is that in real life (e.g., see the Ars Technica article I linked in OP), I doubt that any password cracker is going to spend years to try to brute-force my vault password – when their resources would be better spent going after lower-hanging fruit, or targets with higher value. Thus, in my opinion (which I am open to changing if presented with a well-reasoned counter-argument), a mean cracking time larger than around 10 years would be overkill. Thus, per the HiveSystems table for PBKDF2 hashing, using your recommended password format of mixing numbers/symbols with upper/lowercase letters, I should be safe with only 8 characters. The HiveSystems predictions seem significantly more conservative than the predictions made in the 1password blog linked previously, but I’m not sure what the methodological differences are that would account for this.

To achieve an optimal balance between password usability and strength, I’m trying to estimate the minimum required entropy that is likely to protect me sufficiently from real-life hacking scenarios.

Hi again @grb - I’ll take a stab at your follow-up questions.

I don’t exactly understand why some perceive an obscure email address as a significant benefit. Perhaps there is one, but honestly, if you use a decent master password, that should be enough. And if that is the case, adding additional entropy really won’t matter at all (e.g., if it takes 2 billion years to crack a longer password, is that actually better than a shorter password that takes 4.5 million years to crack?).

Ah, thanks for catching that. I knew the chart I posted didn’t look right. I have updated my post above with the correct chart. :+1:

I don’t know how they generated those estimates, either, but I suspect it is 50% of the predicted time it takes to iterate through all possible combinations of each scenario. Regardless, these numbers should be considered as relative magnitude indicators only, as you compare between each scenario (i.e., number of characters and types of characters).

I believe that’s a determination everyone has to make based on their personal situation and risk tolerance, and there is no right or wrong answer here. I only suggested 13 characters or more because that’s the point at which a password (consisting of all character types) is considered ‘safe’ in the HiveSystems analysis. I agree it is overkill for most people, and personally I use less than that for my master password.

The email must be known to the attacker in order to generate the hash, so if it can remain hidden (by using that email address for a single purpose only – logging in to BW – and never disclosing it except on the BW login prompts), then it follows that the attacker must brute-force not only the master password, but also the email used as a salt.

Well, that goes to my other point, that any cracking times estimated in the billions of years are complete overkill, and therefore needlessly lengthens/complicates the requirements for the master password. Since I am trying to use the minimum password entropy required to reasonably protect against a realistic threat (not some hypothetical immortal supervillain who must break into Grb’s vault at all costs), the added entropy afforded by salt obfuscation can in fact matter.

Now, if Bitwarden’s servers or local AppData contents stores my login email address in plaintext alongside my encrypted vault, then obviously it would be completely pointless for me to try to make a complex email address that I keep hidden from third parties. If anybody here has any knowledge of whether this is the case or not, then I would greatly appreciate that information.

The color coding (red/yellow/green – green being considered “safe”) implies that the values are also to be interpreted as absolute (e.g, HiveSystems apparently considers 10 billion years as the minimum cracking time for a password to be considered safe).

Thanks!

I’ve finally found some good, authoritative resources for aiding rational decision-making about master password strength (taking into account PBKDF2 stretching):

Using the calculator, should I put the number of PBKDF2 iterations as 100,000 or 200,000 (and does it depend on if the attack is against data leaked from BW servers or from my local PC)?

For 100k iterations, if my net worth is $50k, I can safely assume an attacker will give up on cracking if the cost of success is going to be $100k – so the calculator would indicate 47 bits of entropy are sufficient (e.g., 10 lowercase letters, or 7 characters if also including uppercase, numbers, and special characters).


With regards to my first question in the OP, I’m still interested to find out whether my email address salt is hidden (by BW) and thus can be used to make an attack more costly (by choosing a unique, dedicated email address as the BW login). Paging @michabbb , who had posted about the issue of email address secrecy in the past – do you have any info about this?