
Bitwarden Completes Third-Party Security Audit - drpfenderson
https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33
======
darkhelmet
We used LastPass for several years in our home, mostly because it was able to
fill Firefox http basic auth dialogs. When Firefox switched to the
webextension format, LastPass started using the Chrome version as the
foundation for Firefox. This was a huge step backwards and my wife HATED it.

The biggest problem she had was that it was that the standard workflow of it
capturing generated passwords became unreliable and it stopped automatically
tracking the random passwords it generated. Whatever it was that she was
doing, she kept losing passwords and getting locked out. It destroyed her
trust.

We tried Bitwarden. It doesn't require the same leap of faith to use a random
password. They're saved first before you use them. The usage flow isn't quite
as smooth as LastPass was, but she hasn't lost any passwords since the switch.

She's almost forgiven me for making her use a password manager. Almost... :)

~~~
e40
I moved from Lastpass to 1Password recently. Neither fill basic auth dialogs,
and both companies state this is a feature not a bug. It still pisses me off.

~~~
h1d
This is partially because browsers don't have decent API to handle basic auth.
Bitwarden will log you in via basic auth if you only have 1 matching entry for
the URL but surely things can be better than this...

~~~
jjoonathan
In the age of open source browsers that's only an excuse if they're being
blocked from contributing an API.

~~~
h1d
Are you suggesting password manager devs start sending patches to browsers?
Getting used to all browser API isn't exactly easy to begin with, let alone
there aren't many who has enough motivation to wait for that implementation to
become wide spread for it to finally solve a problem that is only used by a
few.

------
echanfsw
>On a less positive note, the assessment of the deployed cryptographic design
led to the discovery of certain issues that must be addressed in due course.
One was rated “Critical” because a malicious vault could obtain and modify
organization items. This approach relied on MitM attack described in
BWN-01-008. The overall code quality of the crypto implementations was deemed
to be overly complex and frequently misleading, which led to reporting a false
positive issue (see BWN-01-011). More generally, cryptographic libraries of
the Bitwarden compound have not yet been optimized. They particularly need to
be simplified as unnecessary complexity can lead to problems.

>To reiterate, the results of this autumn 2018 assessment are positive for the
client and code. Sadly, the same thing cannot be stated for the current
cryptographic scheme in use. Given the number and range of issues discovered,
it seems necessary that a re-design takes place. This needs to reassess how
certain features are implemented and ensure that the overall cryptography
stands strong against the attackers’ efforts.

Um. Is this not worrying to people?

~~~
xxkylexx
@Aquakor I am the lead developer of Bitwarden and was intimately involved in
the security audit mentioned. I can understand that those two paragraphs may
seem a bit concerning out of context. To provide more context, there were
several points discussed between the Bitwarden developers and the auditing
team about how we could redesign specific features (ex. organization user
confirmations) so that the crypto implementations would be stronger and more
resilient against certain attack vectors. A consensus was reached and that is
what is being referenced here about re-designing things.

The purpose of an audit like this is to find issues. When issues are found,
that is a good thing. We want to find problems so that they can be fixed. What
would be bad is if we found issues that could not be properly fixed, or an
abnormally large number of issues, neither of which was the case with
Bitwarden. What I can tell you is that all issues referenced in this audit
have already been resolved in very short order (the audit was only completed
just last week), with relatively simple fixes, and that Bitwarden is even
safer to use today than it was before.

------
dabeeeenster
There's a Rust implementation of the BitWarden server which is compatible with
the open source clients, that you can run really easily in Docker:

[https://github.com/mprasil/bitwarden_rs](https://github.com/mprasil/bitwarden_rs)

Im running it via Dokku and it has been rock solid. It's way lighter than
running their reference server implementation.

~~~
NickBusey
Yup, the Rust version is what I include with in HomelabOS
([https://gitlab.com/NickBusey/HomelabOS](https://gitlab.com/NickBusey/HomelabOS)).

It's been fantastic, really solid and generally pretty fast. Far, far easier
than trying to get the standard Bitwarden stack going. That said, the standard
stack is meant to support many users, where I have only tested the Rust
implementation with a handful of users.

------
tmikaeld
Since Bitwarden added sub-domain support and fixed the speed-issues on large
key-bases, I absolutely cannot live without Bitwarden it's been absolutely
flawless.

Previously used Lastpass for 8 years.

So glad to see that it's security taken seriously by the developers!

~~~
programbreeding
>Previously used Lastpass for 8 years.

As a longtime Lastpass user, this is the comment that made me go check it out.
Are there any big pros or cons you have run in to compared to Lastpass (aside
from the ones you listed)? I'm asking about actual functionality, not about
the it being open source and such.

~~~
neogodless
I used LastPass for roughly a year before making the switch. I also switched
from Chrome to Firefox at the same time, on Windows and Android. Desktop - no
issues!

Android is evolving, and their changes seem to have put Firefox in a slightly
behind position, which I think they're almost caught up on. Basically, there's
legacy and modern autofill capabilities in Android, and Firefox is working on
closing the gap. In the production release, I am unable to use the BitWarden
android app, but there's an add-on that mostly does the job.

I have two issues with the add-on. First, it tends to disappear from the menu.
There have been some bugs on BugZilla for this, including one I recently
submitted. Of course, quite fortunately, I haven't been able to reproduce the
issue since I submitted the bug and installed Nightly. And it's interesting -
Nightly seems to work with the app, so the need for the add-on should go away.
Second, the add-on is a little clunky. It opens a temporary tab, and then
closes that tab when you select your login. However, there's an issue there,
too, where sometimes it just does not work. It throws up an error message that
it's unable to autofill, and there's little you can do about it except close
the temporary tab and the original tab, and start again.

The Android app also has an issue that I've seen with Chrome, where it isn't
actually detecting the site you're browsing, but just the app you're using
(Chrome) and thus is unable to select your login. This is easy to get around -
usually going back to Chrome and then tapping the BitWarden toast will find
you your login.

Overall little nuisances that are mostly Android related issues more than
anything, and each of them seems to be getting worked out, so I expect the
user experience to only get better.

~~~
greythree
In Firefox, you can also open Bitwarden in a sidebar (which doesn't disappear
thankfully).

~~~
neogodless
Firefox for Android?

That's where my issues are. How do you open the sidebar?

------
pcx
I used Lastpass for about 5 years and moved to bitwarden a couple of years
back. I never had to turn back again. The browser addons are great, but the
mobile app is fantastic, simple, usable and lightweight. It's great to hear
that it's pretty secure too.

~~~
Someone1234
From your experiences is there any downside or drawbacks with switching? I've
been considering it, particularly as Lastpass's Firefox app has been flakey
and unreliable.

In general Lastpass has become less reliable since the LogMeIn take-over, and
they've now added ads to the vault which bug me from a security perspective
(even if I happily pay $2/month, it is the principle of putting profits over
security).

~~~
DontGiveTwoFlux
I'm a former last pass user as well. I made the switch about a year ago, and
haven't really looked back.

That being said, there are a few things that annoy me about bitwarden.

For some sites or apps in iOS, you can launch a password manager to retrieve
your credentials. This sometimes but does not always have bitwarden available.

Sometimes when launching bitwarden from an app, it will only show you the
logins associated with the URI for your current page. But if you're launching
it from an app you can't search for the right login.

These are small issues, which I usually mitigate by just launching a full on
session of the app and copying the password.

I had to break a habit (I guess I picked it up from last pass) with the
extensions as well. If you click away from the extension box, it will lose
your context, and you can't restore it. I have had to restart filling out the
credentials more than once because I didn't click save. Also, I think it takes
too many clicks to create a new login with a generated password and save it.

Overall, these issues are minor for a good free product, and I would recommend
it. I use bitwarden on FF, Chrome, and iOS, for context.

~~~
toyg
_> I think it takes too many clicks to create a new login_

As a very happy BW user, this is probably its weakest point at the moment. It
improves a bit if you click the "do you want Bitwarden to save these
credentials" banner, but still suboptimal (the captured URL is unnecessarily
precise).

I don't think they can solve this problem though, unless they get a sidebar -
which may not be possible with WebExtensions (I honestly can't recall).

------
udia
Currently using Bitwarden right now. Really good to see that the security
assessment is relatively positive:

> All in all, while the client and backend code are vulnerable to some issues,
> all of the problems can be easily fixed without a lot of effort. In that
> sense, Cure53 believes these items of the Bitwarden scope to be fully
> capable of reaching the desired standards of security in a rather short
> time. To reiterate, the results of this autumn 2018 assessment are positive
> for the client and code.

Wondering how they will address the current cryptographic scheme though.

~~~
CiPHPerCoder
> Wondering how they will address the current cryptographic scheme though.

The only cryptographic weakness Cure53 identified was that a malicious API
server could exfiltrate encryption keys.

Cure53 deemed it a hard problem to solve. I wrote a proposed strategy for
mitigating it:
[https://github.com/bitwarden/core/issues/392](https://github.com/bitwarden/core/issues/392)

Regarding Bitwarden's cryptographic security, a cursory read through their
code yields the following:

* It's using RSA-OAEP to encrypt AES keys (EDIT: formerly "some data") [https://github.com/bitwarden/jslib/blob/b4fad203b94da53d3369...](https://github.com/bitwarden/jslib/blob/b4fad203b94da53d33693f4283d7249e3a8f1afe/src/services/crypto.service.ts#L382-L399)

* It's using AES-256-CBC [https://github.com/bitwarden/jslib/blob/b4fad203b94da53d3369...](https://github.com/bitwarden/jslib/blob/b4fad203b94da53d33693f4283d7249e3a8f1afe/src/services/crypto.service.ts#L345-L380) \+ [https://github.com/bitwarden/jslib/blob/b4fad203b94da53d3369...](https://github.com/bitwarden/jslib/blob/b4fad203b94da53d33693f4283d7249e3a8f1afe/src/services/crypto.service.ts#L494-L508) \+ [https://github.com/bitwarden/jslib/blob/2045e7047a66599b2c8a...](https://github.com/bitwarden/jslib/blob/2045e7047a66599b2c8a92b88cd0d1b8bfc5186f/src/services/nodeCryptoFunction.service.ts#L71-L78)

It _doesn 't_ appear to be authenticating the AES-CBC-encrypted ciphertexts in
all cases, which makes me suspect padding oracles are still in-scope.

[https://robertheaton.com/2013/07/29/padding-oracle-
attack/](https://robertheaton.com/2013/07/29/padding-oracle-attack/)

RSA-OAEP is the better RSA mode. (You don't want PKCS1v1.5)

In closing: As long as you're not for some reason storing unauthenticated AES-
CBC ciphertexts in the server, the encryption is really boring.

(Boring is good for encryption.)

~~~
xxkylexx
All AES-CBC data is authenticated with HMAC SHA-256. This was highlighted in
the BWN-01-011 issue (which was determined to be a false positive since it was
deemed that authentication was properly done).

~~~
CiPHPerCoder
I haven't traced through the app's code to verify that is true.

Recommendation: If there is no HMAC tag with a ciphertext, immediately throw
an exception. It makes it clearer that a decryption failure occurred (thus
avoiding false positives).

~~~
xxkylexx
It does do this [1], however, it is a little more complex since Bitwarden has
to backwards-compat support old data that was AES-CBC encrypted from long ago
before auth checks were implemented, while also combating against downgrade
attacks. This same discussion was had back in January when you (I assume this
is PIE Scott) reported the problem in issue 306171 on HackerOne which was
closed out.

[1]:
[https://github.com/bitwarden/jslib/blob/master/src/services/...](https://github.com/bitwarden/jslib/blob/master/src/services/crypto.service.ts#L547)

~~~
CiPHPerCoder
Oh, this did seem familiar!

The AES-CBC thing is tied to the key, right? So the downgrade attack isn't
possible.

~~~
xxkylexx
Yes, new account keys are identified (presence of a mac key) and block the
downgrade (see code link above).

------
tilolebo
I have been using Keepass2, then KeepassXC for 5 years, with Dropbox to sync
the db between my devices.

Since Dropbox recently stopped to support ecryptfs, I started looking for
alternatives (KeepassXC + Google Drive/SpiderOak, Lastpass were some
candidates).

Looks like Bitwarden is worth testing too :-)

~~~
atoav
I use keepass and syncthing for the passt 4 years. This is peer to peer
syncing which means at least two of the devices have to be on. I solved that
by having a raspi always on which distributes the newest file if I don’t have
laptop or phone connected at the same time

------
lwyr
At the time of writing the link to actual report in the blog post does not
work. Here is the correct link:
[https://cdn.bitwarden.com/misc/Bitwarden%20Security%20Assess...](https://cdn.bitwarden.com/misc/Bitwarden%20Security%20Assessment%20Report%20-%20v1.pdf)

~~~
Someone1234
I don't like their response to BWN-01-010 (not rotating the encryption key and
re-encrypting the database on master password change).

Their justification boils down to "either the attacker has full access to a
compromised devices, or they don't." Meaning they could re-steal your master
password AND encrypted database, or neither.

I don't believe that is true. Let me give an example where their justification
breaks down:

Your master password is stolen, the attacker break into your DropBox account
and associate it with the attacker's device, DropBox is inadvertently sharing
your Bitwarden database.

You discover the break-in, change your Bitwarden master password, change your
DropBox password, but forget to un-trust existing devices from DropBox. So now
the attacker continues to receive your Bitwarden encrypted database via
DropBox.

But good news, you think... You've changed your master password! But nope, the
actual encryption key wasn't rotated, and the attacker continues to have
access to everything. You're rotating passwords on all of your compromised
services, only to provide the attacker with the new passwords, opps!

Their whole justification is: "But how would they get the new database?" And
frankly numerous ways. Plus their workaround is pretty embarrassing:

> If a user has a pressing need to rotate their account’s encryption keys it
> can be achieved today through a manual process of exporting all vault data,
> re-creating the Bitwarden user account (delete and register again), and then
> reimporting the vault data back in.

Wow really? And this makes them look really bad:

> Rotating an encryption key would require that a Bitwarden client application
> re-encrypt the user’s entire vault (including binary file attachments). This
> operation is both expensive and error prone and would pose a high risk for
> users to end up with corrupted vault data.

So you've written such great software that it cannot reliably decrypt and
encrypt without potentially corrupting the database? Awesome.

~~~
FredFS456
Maybe bring that issue to Bitwarden's attention on GitHub or other channels,
and not just a comment here on HN?

~~~
Someone1234
Cure53 just brought it to their attention, that's what this thread is about.

I'm simply questioning their justification/excuses for not fixing an issue
Cure53 quite correctly flagged. Me opening an issue on Github that mirrors one
from Cure53's audit report wouldn't be constructive.

~~~
xxkylexx
The report doesn't close the issue. It just provides an explanation for the
current state of the issue (along with a current workaround) and details the
impact of how it affects users.

------
coltonv
Bitwarden is the password manager that got my to finally start using a
password manager with it's combination of full open source and good UI. I love
that they are this security focused as well.

------
h1d
I just want to mention how insanely insecure browsers' native password
managers are. It asks you password only on export but never to fill on sites
and you can see which sites are saved with no authentication, you just need
access to the machine physically to access them all. Why do browsers never
implement something as easy as lock the vault with OS account pass after a
certain period after unlocking like any password managers do?

~~~
echanfsw
Convenience >> security for most people, unfortunately.

~~~
h1d
What's wrong with opt-in locking? Current security is a joke. Physical access
and you're owned.

------
hestefisk
5-6 vulnerabilities identified but ‘no action at this time’ identified as only
resolution for all of them. Worrying or is this common practice?

~~~
xxkylexx
The audit was literally completed last week. Immediately pressing
vulnerabilities were patched and shipped while plans were established for
other long term fixes for the others. This report just provides disclosure of
the issues.

------
ecesena
Would it be possible to know, ballpark, how much a similar security assessment
can cost? I understand it's hard to say in general, but given this output I
assume it's possible to "get a quote".

In an ideal world, all security-related OS project should have periodic scans
like this, but clearly the cost may be prohibitive. Maybe there are ways to
get funds, or to form groups of projects that get analyzed together, for
example I'm thinking that while Cure53 is analyzing Bitwarden, they could do a
similar work for other password managers that buy in.

Independently, a big thank you to Bitwarden for sharing this, knowing which
were their vulnerabilities will help a lot everyone in the space. I'm
personally very sensitive to these problems, I'm working on open source
security products too.

~~~
xfitm3
It varies widely, but a code review I was party to came in at around 60k.

------
jopsen
isn't there still a lot more hardening things to do, like moving payment out
from vault.bitwarden.com, so that this domain can have a stronger CSP policy?

In other news: my todo list now features an item to migrate lastpass ->
bitwarden.

(I really love the effort here)

~~~
neogodless
I mostly don't regret switching from LastPass to BitWarden. Migration of
logins was pretty painless. My only issue is with Android/Firefox. (Desktop
Firefox + BitWarden is excellent!) The current Firefox doesn't play well with
the Android BitWarden app, so you have to use the Add-on. (At least, this has
been my experience.) I've also frequently encountered an issue where the menu
item in Firefox for BitWarden vanishes and I have to toggle the add-on to re-
add it. Over the past four days, I haven't had the issue, so I'm hoping that
it's resolved for good. I believe these issues will be resolved, and they are
largely not the fault of the BitWarden team; more like the Android platform
and the Firefox team getting caught up with the latest best practices. (I
believe Firefox Nightly actually plays well with the app, and should not
require the clunkier add-on.)

~~~
eih
My only problem was ampersands. LastPass encoded them as &amp; and I wasn't
aware of this at first. After receiving errors for some passwords, I found out
that was the problem. I had to find and replace all. Bitwarden was aware of
this though, they have a warning for this on their migration guide.

------
dyukqu
I've never used a password manager, I memorize them - dozens of them. And
almost all of them are uniqe and _" strong"_ passwords. Now I have a feeling
that this situation is a real burden for my mind/brain and I consider using
one; just trying to convince* myself. Up until this time, I was thinking that
"it's a good mental exercise!", not any more. Maybe the reason is now I have
too many things to ponder upon.

I'd like to hear (well, read) if any of you have ever been in the same
situation and how was the transition like? :-)

*it's a little complicated...for me

~~~
linsomniac
Memorizing your passwords seems impossible to me. The passwords I've put in my
new password vault over the last year probably number in the mid 3 digits, and
I don't really think I have THAT big an online footprint. So either: You share
passwords among sites (which I never do) or you have a WAY better memory than
I do. Or, I guess, you just use the password reset a lot?

Here are some things that make it really hard to remember all the passwords I
need to:

\- One bank requires me to change my password every month that I login. Don't
even get me started.

\- Many sites require 3-5 "security questions", which I consider to be
effectively passwords and generate/manage them as such.

\- Different sites have different allowed formulas of what they require for
passwords

Memorizing passwords seems like a recipe for reuse of the same passwords on
multiple sites, which is terrible.

------
h1d
Bitwarden has a clean interface and I like it except when you think about it,
keeping your entire vault of passwords online also means, 1 single leak of
your master login ID / password (which can even be something easier to
remember for the sake of not forgetting, which defeats the purpose of the
entire existence of it) can put an end to your online self and I stopped using
anything online and having 2FA just feels the convenience has flew out the
window just to login to some site and offline password managers can just work
fine without that massive flaw.

~~~
loteck
The same massive flaw exists with your offline password manager. The gambit of
this argument is that you (or more generally the public) are more capable of
properly securing and storing secrets, instead of a company of experts hired
to create, configure, update and audit a service to do so.

That's a call each person can make for themselves, but if I'm advising the
normals on how to handle it, there's little doubt which direction I'm
pointing.

~~~
h1d
I'm not talking about the security of the machine that holds the data. I'm
saying any online password managers (without 2fa) can be unlocked with a
single login, where offline password managers don't have such a severe
problem.

------
kevingrahl
I use and like Bitwarden but their iOS app feels a bit slow especially when I
need to search the Vault. After tapping the search icon it takes somewhere
around five seconds (sometimes even longer) of loading time until I can enter
my query. Has anyone else experienced this or is it just me?

------
HaHa31
I just want to pop in and say that I am planning on moving from lastpass to
bitwarden. I have significant problems with the lastpass android app, the
biggest being my CORRECT password being rejected; also the app is just really
buggy in general. I hope bitwarden is an improvement.

------
brodsky
has anyone here used Enpass? I use it and like it very much, because the UX is
decent, and there is no "cloud" component whatsoever - it simply has a local
DB which can be synced using Google Drive or Dropbox across all my devices.
However, I am a concerned with their lack of a 3rd-party audit. So I've been
eyeing BitWarden for that reason, but the need to run a server turns me off
(especially since I'm not clear how that helps me sync the mobile clients).
Those who host their own BitWarden instance: how do you approach the problems
of backup and mobile sync?

~~~
linsomniac
I use Enpass and I like it, though I don't love it. I have a few pain points
that make me consider looking elsewhere.

I like: No recurring price just buy once per platform and off you go, no
hosted component it just uses my Google drive, ability to add additional items
to the things it tracks like the places that insist on 5 "security questions",
Android app with fingerprint is nice.

Things I don't like about Enpass:

\- No ability to have multiple databases. I would really like to have the
ability to have a database shared with my spouse, and one shared with my work.

\- I never was able to get the Chrome integration to work on ChromeOS and that
is my primary personal OS these days.

Generally it works well, but I'd love to get my wife using one, would like to
have one I can share with my wife, and would like to replace our ancient work
password vault that is Windows-only.

------
occamrazor
I use Safari on macOS and iOS. with its native password manager.Am I exposing
myself to higher risks than by using a standalone password management app?

~~~
btgeekboy
They’re probably ok, but you’re locking yourself in/out should you ever
want/need to use a non-Apple device.

------
jdhorwitz
Love Bitwarden!

------
newaccoutnas
What are the pro/cons vs 1password?

~~~
steve19
When I last tried it, it didn't support generating passwords with English
words ie. A 4 work Random password: hack-flipper-jump-london.

Edit: looks like it does support this now.

~~~
Luc
Not sure I understand you correctly, but Bitwarden can do this (it's the
'passphrase' option).

~~~
Fnoord
They recently added that:

"Oct 9 - This is in the next release for various apps." [1] the PR is from Oct
6 [2].

It is a very basic implementation as of now. The wordlist is English-only, and
it doesn't have a minimum character account so it contains 'words' such as
'aa' and 'aaa'.

[1] [https://community.bitwarden.com/t/add-an-ability-to-
generate...](https://community.bitwarden.com/t/add-an-ability-to-generate-
diceware-passphrases/229/9)

[2]
[https://github.com/bitwarden/jslib/pull/12](https://github.com/bitwarden/jslib/pull/12)

~~~
xxkylexx
> it doesn't have a minimum character account so it contains 'words' such as
> 'aa' and 'aaa'.

The PR discusses how the original word list that was referenced was changed
out to the better long word list from
[https://www.eff.org/dice](https://www.eff.org/dice) .

~~~
Fnoord
Great, thank you. Some more choices in that regard would be great (such as a
native language wordlist) but I very much appreciate you added this basic
functionality. Even in its current form it is an improvement over nothing or
manually doing this (am a satisfied Premium subscriber).

------
h1d
With such a security sensitive project, I can barely find any information on
what 8bit solutions is about.

~~~
zie
It's one guy (currently) Kyle.

------
Apocryphon
Has anyone ever migrated away from Keychain Access to an OS-independent
password protection program?

------
adobeeee
Can I get a quick vote on keepass2 vs bitwarden, and a feature comparison?

~~~
redwards510
The fact that I can't easily use a Yubikey for 2FA with KeePass has always
made it a nonstarter for me. After experiencing the comfort and peace of mind
I get with "master password PLUS Yubikey" in Bitwarden and LastPass, I could
never go back to just having a master password that could be keylogged.

Yes, you can have a static "keyfile" on a USB stick that you use for 2FA, but
that could be easily copied. "But if they have physical access it's already
game over!" The scenario I am concerned about is unlocking my master database
on a computer I don't own, like at work. I can do that with Bitwarden.

~~~
noja
Doesn't KeepassXC support 2FA?

