What if an attacker knows the Master Password

If I’m a basic or premium user with 2FA enabled for login, can an attacker who knows my master password copy the local or latest sync’d password database to a device they control and use their own decryption software to open it? Do they need anything other than a copy of the local database and the master password if they don’t have the 2FA code? This is assuming they would be using their own tools and not going through the Bitwarden client app or browser extension.
If the Bitwarden server were inaccessible to sync with, would a 2FA code still be requested and required by the Bitwarden client app on a previously logged in device, to open the database?
Thanks ahead of time as I’m trying to compare a couple different password managers.

IF they have that much information, they probably don’t need a copy of your sync’ed database! They just log into Bitwarden as you and have full access as soon as they figure out how to bypass the 2FA method that you are using.

About two factor authentication. Many two factor authentication methods are not really that secure and you should be looking at those problems. Arguably, the Yubikey and FIDO solutions are the most secure IF you can secure the physical keys.

Rather than worrying about this problem, you should really be looking at protecting your Master Password. Just what way are you anticipating it becoming compromised? Cracking a cryptographically secure Master Password (16+ characters with caps, lowercase, numbers, and symbols without a dictionary base) is not a trivial task and will take a few centuries with today’s computers. Using a passphrase of five (or more) arbitrary words is another choice that is very secure from a security standpoint.


Also see here:

https://bitwarden.com/help/article/what-encryption-is-used/

Be sure to follow the links from this page for more details.


Thanks @frank1940, odd question I know. I’m completely confident with the encryption methods used to safeguard the password database and I don’t anticipate anyone obtaining my master password.

I understand that a copy of the database is stored on the local device and is updated during a sync upon login. Does 2FA do anything to prevent someone from getting into the local db, since 2FA is typically used only to validate access, such as logging in to perform the initial sync online? Does 2FA really protect the local db in any way, or is the master password all that is needed to decrypt it?

For instance with a competitor product that offers 2FA, they also will tell you 2FA does nothing in the way of protecting your db, 2FA simply validates your access to the online site to sync and update the local copy of the db. Therefore 2FA does nothing in the way of validating access once the db is already in possession.

Use case: You’ve been using Bitwarden on your laptop and have 2FA enabled. Each time you login to Bitwarden you insert your master password and 2FA code and it all works. Attacker steals your laptop and knows your master password (sticky-note, malware, keylogger, whatever). Can the attacker decrypt the local copy of the db on your laptop knowing simply the master password? Does 2FA have anything to do with decrypting the database or is it only being used in protecting access to the website to sync?

As I understand it, with Bitwarden, you either lock your database (in which case it stays in memory) or you can log out (in which case the database is erased). If you lock the database, the MP is all that is needed. If you log out, then the MP and the 2FA are required.

If the device in question is ‘portable’ and often accessible for possible theft, you should never lock Bitwarden but always log out. (I know that this can be a real pain for devices like smartphones and tablets, but that is simply a fact of life!) By the way, 2FA should not involve the use of the smartphone if that is the device it is protecting (think about it!).

I, personally, consider that locking Bitwarden on my home computers is enough. I do use Yubikeys for 2FA for the login as a security backup in case that somehow, someway, my MP is compromised. I would assume that the intruder would be attempting to gain access to my BW account from a remote site on their computer.

A couple more thoughts. First, I doubt that anyone is going to attempt to attack Bitwarden to get your MP. What will happen is that they will hack your (say) bank and get its login file with all user names and password hashes. They will attempt to recover the passwords to all of the accounts and do what they will to those that they do recover. Your protection is that you are using BW and you have made your password so secure that they never recover it before the bank figures out what is going on and notifies you to change your password!

Second thought. Make a separate e-mail account that you only use for Bitwarden (or any other PW manager that you use). This will be another hurdle that any cracker will have to discover before they can gain total access to your account.

Oh, an observation: I received an e-mail notification when I logged into my BW account from a new device the other day. So you will have notification of an intruder should the worst happen.

@frank1940 When you logout, your master password is erased from memory. An encrypted copy of your password database remains on your device. This is how you are able to use Bitwarden offline as though the server were down or you did not have internet access but needed a password. It sounds like using 2FA with Bitwarden (and other password managers) is simply to validate your access to the server so your database can be updated/sync’d on your device, and provides no other protections to your database. Just trying to look at this more so than most think about it, considering what the database contains. So yes protecting and creating a good master password is vital compared to using 2FA.

2FA would play more of a protection role if the password database were online only (and not local), then you would need your master password and 2FA to access the database instead of simply the master password.
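The distinction drawn in the two posts above (the master password alone derives the vault key; the 2FA code is only checked by the server when a session is issued) can be made concrete. The following is an added toy model, not Bitwarden’s code. The key derivation mirrors the scheme on the linked help page (PBKDF2-HMAC-SHA256 with the e-mail address as salt, then a second single-iteration PBKDF2 to produce the hash sent to the server), but the iteration count is lowered, the server stores the client hash directly, and AES-CBC is replaced by a constructed HMAC-SHA256 counter-mode stream cipher so the script runs on the standard library. The e-mail, password, TOTP seed and vault contents are constructed sample data.

```python
"""Toy model: why a copied local vault needs only the master password (added example)."""
import hashlib
import hmac
import struct

# Assumption: real clients use far more iterations; lowered here for speed.
KDF_ITERATIONS = 10_000
NONCE_LEN = 16


def master_key(email: str, master_password: str) -> bytes:
    """Client side: derive the 256-bit master key from the password, salted with the e-mail."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS)


def master_password_hash(key: bytes, master_password: str) -> bytes:
    """Client side: the value sent to the server at login (the key itself never leaves the device)."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a real cipher: HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt the local vault blob (nonce prepended). Toy cipher, no authentication tag."""
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Decrypt a vault blob with nothing but the derived master key."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by an authenticator app."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_login(stored_hash: bytes, totp_secret: bytes,
                 presented_hash: bytes, presented_code: str, now: int) -> bool:
    """Server side: a session is issued only if BOTH the password hash and the 2FA code check out."""
    ok_hash = hmac.compare_digest(stored_hash, presented_hash)
    ok_code = hmac.compare_digest(totp(totp_secret, now), presented_code)
    return ok_hash and ok_code


def attacker_scenario() -> tuple:
    """Attacker knows the master password and holds a copy of the vault, but has no 2FA device."""
    email = "user@example.com"                   # constructed
    password = "correct horse battery staple"    # constructed
    totp_secret = b"constructed-totp-seed"       # constructed
    vault_plain = b"bank login: alice / s3cret"  # constructed
    now = 1_700_000_000

    # Legitimate user sets up the account: key derived locally, hash registered with the server,
    # vault encrypted and cached on the device.
    key = master_key(email, password)
    stored_hash = master_password_hash(key, password)
    blob = encrypt_vault(key, b"\x01" * NONCE_LEN, vault_plain)

    # 1. Remote login with the correct password but a wrong 2FA code is refused.
    real_code = totp(totp_secret, now)
    wrong_code = "000000" if real_code != "000000" else "000001"
    remote_login_ok = server_login(stored_hash, totp_secret,
                                   master_password_hash(key, password), wrong_code, now)

    # 2. Offline decryption of the copied vault never contacts the server, so 2FA is never asked.
    offline_plain = decrypt_vault(master_key(email, password), blob)
    return remote_login_ok, offline_plain


if __name__ == "__main__":
    login, plain = attacker_scenario()
    print("remote login without 2FA:", login)
    print("offline decrypt with master password only:", plain.decode())
```

The two return values of `attacker_scenario()` are the whole point: the server refuses the session, yet the offline copy decrypts. Whatever the real cipher and iteration count are, the second factor only ever enters the picture on the server path.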

2FA is only used to authenticate a session. Once a session is setup, as long as you have the password 2FA is no longer needed.

That is not quite what I understand from reading this:

https://bitwarden.com/help/article/unlock-with-pin/#understanding-unlock-vs-log-in

https://bitwarden.com/help/article/data-storage/

I am wondering if we are talking around in circles. For example, read this from the link in your recent post:

Please note that it says “when you unlock your vault”. It does not mention what happens when you logout.

I do agree with your comment that the Master Password is far more important than 2FA. (In fact, I consider that many 2FA methods are actually fairly insecure.) I do use 2FA (Yubikeys) in my setup with the idea that it will provide my BW account with protection from any malcontent who might be attempting to gain access from a remote location and has obtained my Master Password through some sort of chicanery. Hopefully, the 2FA will delay him long enough that his attempt will be detected and the Master Password can be changed to stop him short of complete access.

I also recognize that I tend to use lock (not logout) on my BW accounts and use a PIN after the initial unlock. I recognize that this is a security risk, but it is one that I can accept in my situation. I do require the use of the Master Password on desktop startup to unlock BW. When I use my laptop on the go, I log out, which will require 2FA.

If they have access to your computer, there is a good chance they can steal the session cookie and won’t even need to log into your account in order to access it.

The only real way to have any hope is if your OS supports proper app isolation.