
Bitwarden second security audit report - Santosh83
https://bitwarden.com/blog/post/bitwarden-network-security-assessment-2020/
======
raesene9
It's good to see companies making reports public to provide some confidence
that they're having reviews done, but in this case the scoping of this job
seems a little odd, not sure if that's a bad reporting template or something
else.

Last page of the PDF indicates that they just did an external VA and pentest,
but looking at their product set , I'd have expected (at least) a review of
the web, desktop and mobile apps and the browser plugins for it to be a
"thorough security assessment and penetration test" (as quoted in the blog).

Not to say external reviews have no value, but they're only part of what's
needed.

~~~
raziel2p
The only PDF linked in the blogpost is "Bitwarden Network Security Assessment
Report", and it does indeed only cover network related topics. Their earlier
report from 2018 covers lots of web/desktop application assessments:
[https://cdn.bitwarden.com/misc/Bitwarden%20Security%20Assess...](https://cdn.bitwarden.com/misc/Bitwarden%20Security%20Assessment%20Report.pdf)

So I wonder if they just forgot to mention that this second audit report
doesn't cover that, or if there are more reports coming.

~~~
hendersoon
They did a code audit in 2018, and this is a network/pentest audit. They're
two different things, that's all, and both are valuable.

------
gentleman11
What does it cost to hire somebody reputable to perform an audit like this?
It's something I want to look into for one of my own projects, but I have no
frame of reference for what is a reasonable price for a simple full stack app
(way simpler than Bitwarden for sure).

~~~
morrbo
Pentester for 10 odd years: usually for an external test you would scope it at
X days depending on the number of IPs etc. And it should be noted that an external
test really doesn't find much. External is usually £750/day for 1-2 days
testing and one reporting. Internal testing (i.e. auditing a domain and all
computers attached) is about the same price, maybe a bit more, and takes a bit
longer usually. A build review is hardening the server itself, takes about a
day and a day reporting. App testing is totally dependent on the app itself
(this is where people have a crack at an actual installed web application,
usually using user accounts etc.) and runs a bit more - £800+ per day usually.
Specialist stuff (hardware testing, code review (what I used to do), social
engineering, hardcore app testing (stuff like auditing bespoke network
devices, high frequency trading apps, etc.)) is typically 1-1.2k a day.

You can get it cheaper but a lot of it - for better or for worse - really
comes down to the skill of the individual consultant. You can pretty much
halve these prices, but then you'd end up getting stuff outsourced to India
and it wouldn't be any good. Depends if you care about the security of your
product or just want a box ticked for some arbitrary compliance and want it
done as cheap as possible.

I haven't been a tester/consultant for a few years now, but the prices hold
up. That being said one development which has happened since I've left the
industry is the advent of crowd sourced pentesting. I know a lot of friends
who moonlight with these things and are very good at their jobs, and the rates
are lower. The name crowd strike comes to mind, but I'm not 100% sure if that
was the company or not. I know a lot of good UK based companies (if it's a web
app/remote then the physical testers location doesn't matter) if you needed.

~~~
starfallg
Your comment really surprised me as I didn't expect that this was just a
pentest, but after visiting the link, indeed it was!

I think it's a bit sneaky as for a product like this, people expect this to be
a code and crypto audit. The "network" part should be emphasised and in the
title of the page, instead of just the PDF.

~~~
user5994461
In this business the title "External Penetration Test and Vulnerability
Assessment" means the auditing company has run Qualys/Nessus* against
bitwarden.com.

* expensive commercial vulnerability scanning tools.

~~~
starfallg
Yes, but the title of the page/blog post is "Security Audit Complete".

------
sawaruna
Good to see. Aside from the Apple ecosystem's password management, Bitwarden
is what I've been using.

~~~
colordrops
Same. They are one of the few open source products with decent support across
multiple platforms.

~~~
_def
And finally pretty usable on mobile, too! I have waited for this and just
migrated from 1Password (which was very easy, although I lost my structure... I
wish there were an open password database standard which password managers
would use).

~~~
inquisitiveio
Enpass is another alternative with good cross device and platform support.
Under the covers they use SQLCipher[1] which I’m guessing you could build your
own interface for.

[1] [https://www.zetetic.net/sqlcipher/](https://www.zetetic.net/sqlcipher/)

------
sneak
[https://github.com/bitwarden/jslib/issues/52](https://github.com/bitwarden/jslib/issues/52)

I am astounded to see this missing from the report. Apparently the report was
just their external API configuration or something?

~~~
FabHK
It wasn't in the scope of this audit, but it's still somewhat concerning...
PBKDF2 with SHA-256 (a super fast hash with hardware support) as a key
derivation function (which should be slow and difficult and hard to do in
hardware)? That doesn't sound right. The answer provided (cross platform
compatibility) doesn't sound satisfying.

Was this discussed with the prior audit?

EDIT to add: Here's the 2018 "cryptographically right answer" on password
hashing ( [https://latacora.singles/2018/04/03/cryptographic-right-answ...](https://latacora.singles/2018/04/03/cryptographic-right-answers.html) ):

Password handling

Percival, 2009: scrypt or PBKDF2.

Ptacek, 2015: In order of preference, use scrypt, bcrypt, and then if nothing
else is available PBKDF2.

Latacora, 2018: In order of preference, use scrypt, argon2, bcrypt, and then
if nothing else is available PBKDF2.

You care about this if: you accept passwords from users or, anywhere in your
system, have human-intelligible secret keys.

But, seriously: you can throw a dart at a wall to pick one of these.
Technically, argon2 and scrypt are materially better than bcrypt, which is
much better than PBKDF2. In practice, it mostly matters that you use a real
secure password hash, and not as much which one you use.

Don’t build elaborate password-hash-agility schemes.

Avoid: SHA-3, naked SHA-2, SHA-1, MD5.

EDIT to UPDATE:

Bitwarden has commented (about an hour ago) that they'll fix this! Cool.

[https://community.bitwarden.com/t/switch-to-argon2/350/23](https://community.bitwarden.com/t/switch-to-argon2/350/23)

[https://github.com/bitwarden/jslib/issues/52](https://github.com/bitwarden/jslib/issues/52)

------
austhrow743
Can someone with security industry knowledge comment on how much weight we
should give this? Are these sorts of things something you can just buy and
they'll go out of their way to give you a favourable report because you're the
client? Is Insight Risk Consulting known and credible?

~~~
morrbo
This was an external infrastructure test which carries no real weight for the
app itself. It just makes sure that stupid stuff like SSH open to the
internet, a public CMS available etc. hasn't happened. That being said,
Bitwarden do do more in depth security audits, but this _particular_ audit
doesn't really mean too much.

~~~
user5994461
The report itself was automatically generated by one of the popular scanning
tools. It's 1 hour to run the automated scan and 1 day to format the PDF
nicely for the customer.

The thing is half worthless, verifying that the CDN has TLS and raising
warnings about obscure HTTP/CORS headers.

But occasionally it can find some really bad misconfiguration or library with
a critical vulnerability in dire need of an upgrade. (Of course they would
never publish a report finding issues like that).

------
jszymborski
These audits are reassuring, but I'm hoping someone can speak to a question I
have...

I know that encryption primitives are almost never the breaking point in
systems like this, but I wonder in situations like this where breaches would
allow adversaries to attempt offline attacks whether they are particularly
pertinent.

Specifically, while the number of iterations on the PBKDF2-SHA-256 function
is high (100,001 on the client), PBKDF2 always felt to me like a footgun when
compared to scrypt or Argon2, which don't have as many (any?) insecure modes of
operation.

The website states that AES is used, but is it in an authenticated mode (e.g.
GCM)?

Finally, their website states that they use "popular and reputable crypto
libraries" and that they don't roll their own crypto, but the libraries they
use are awfully low-level. Something like libsodium or FiloSottile's age would
be something I'd be more comfortable with when considering a hosted method.

In the meantime, I think I'll keep using KeePass2 (w/ Argon2 and ChaCha20),
synced with Syncthing to minimise my attack surface.
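
The concern raised in both FabHK's comment above (PBKDF2 over a fast, hardware-friendly hash) and this one (100,001 iterations, versus memory-hard scrypt/Argon2) comes down to a measurable work factor: how many guesses per second a single core gets, and how much memory each parallel guess must hold. The following is an added example, not code from Bitwarden or from either commenter. It derives a key with PBKDF2-HMAC-SHA256 at the 100,001 iterations quoted in the thread and with scrypt from Python's standard library (scrypt stands in for Argon2 here because Argon2 needs a third-party package; the Latacora text quoted above ranks both as memory-hard choices above PBKDF2), times each, and reports the memory an attacker must provision per guess. The password and salt are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for illustration only; they are not values taken
# from Bitwarden's report or code base.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"constructed-salt-not-from-bitwarden"

# Client-side iteration count quoted in the thread.
PBKDF2_ITERATIONS = 100_001


def pbkdf2_key(password: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: a CPU-only work factor with no memory cost, so
    each extra guess costs the attacker only more SHA-256 throughput."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen)


def scrypt_key(password: str, salt: bytes, n: int = 2 ** 14, r: int = 8,
               p: int = 1, dklen: int = 32) -> bytes:
    """scrypt (RFC 7914): memory-hard, roughly 128*r*n bytes per derivation.
    Used here in place of Argon2, which is not in the standard library."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * 1024 * 1024, dklen=dklen)


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate RAM an attacker must dedicate to every parallel guess."""
    return 128 * r * n


def verify_key(expected: bytes, password: str, salt: bytes, kdf) -> bool:
    """Re-derive and compare in constant time (avoids a timing side channel)."""
    return hmac.compare_digest(expected, kdf(password, salt))


def time_kdf(kdf, password: str, salt: bytes, repeats: int = 3) -> float:
    """Mean wall-clock seconds per derivation on this machine; 1/result is a
    rough single-core guess rate for an attacker with the same hardware."""
    start = time.perf_counter()
    for _ in range(repeats):
        kdf(password, salt)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    for name, kdf in (("PBKDF2-SHA256 x100001", pbkdf2_key),
                      ("scrypt N=2^14 r=8 p=1", scrypt_key)):
        seconds = time_kdf(kdf, SAMPLE_PASSWORD, SAMPLE_SALT)
        print(f"{name:24s} {seconds * 1000:8.1f} ms/guess  "
              f"~{1 / seconds:8.1f} guesses/s on one core")
    print("scrypt memory per guess: %d MiB"
          % (scrypt_memory_bytes(2 ** 14, 8) // 2 ** 20))
    print("PBKDF2 memory per guess: a few hundred bytes (not memory-hard)")

    stored = pbkdf2_key(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("correct password verifies:",
          verify_key(stored, SAMPLE_PASSWORD, SAMPLE_SALT, pbkdf2_key))
    print("wrong password verifies:  ",
          verify_key(stored, "wrong", SAMPLE_SALT, pbkdf2_key))
```

The point the timings make is the one in the thread: PBKDF2's cost is linear in iterations and costs an attacker nothing but SHA-256 throughput, which GPUs and ASICs have in abundance, whereas scrypt (like Argon2) forces each parallel guess to hold 128*r*n bytes, so the attacker's cost scales with memory, not just hashing speed. Raising PBKDF2_ITERATIONS buys time proportionally but never changes that shape.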

~~~
codysc
I don't see PBKDF2 as a full footgun, but maybe as the minimally
still-acceptable method. When I was building my system for E2E messaging
(pritact.com) I started out with PBKDF2 but kept mentally revisiting the
iteration count before biting the bullet and switching to Argon2.

Actually it looks like Argon2 is being discussed as of just a couple hours ago:
[https://community.bitwarden.com/t/switch-to-argon2/350/24](https://community.bitwarden.com/t/switch-to-argon2/350/24)

~~~
jszymborski
Great to see it! It certainly speaks to the positive nature of Bitwarden being
open-source.

------
codeknight11
Tangential question: What password manager do you guys use?

~~~
uallo
Bitwarden. Works well and the integration with 2FA/TOTP is amazing. I highly
recommend _not_ relying on a single (mobile) device for 2FA. Losing or
breaking it might shut you out of certain accounts forever.

~~~
HumblyTossed
> Losing or breaking it might shut you out of certain accounts forever.

But isn't this what the backup codes are for?

~~~
ViViDboarder
Yea, I used to keep my passwords and backup codes in two separate KeePass
vaults. Now I use Bitwarden for passwords but still use KeePass for my backup
codes.

I use the notes for each entry in Bitwarden to indicate what kind of 2FA I
have enabled and whether I have a backup code already stored in the other
vault.

------
louisstow
I love the concept of making this public but I feel like the audit wasn't very
thorough if all it suggested was two security headers that a free online
scanner could have picked up.

------
Ciantic
I'd like to see an open source password vault which relies on open hardware
storage for passwords. Clients only get a rate-limited number of passwords when
the hardware is prompted to release them, e.g. via physical button confirmation on
the hardware or a fingerprint. Point being that clients don't hold the passwords,
just the usernames.

Problem with Bitwarden etc. is that if your computer or one of the devices
gets compromised, then all of your passwords are lost at the same time. With
hardware based vault you can mitigate this somewhat, with rate-limiting,
physical prompt etc.

I have 1600 passwords, I use perhaps 10 different ones per week. If I get
compromised I lose 1600 passwords, but with a hardware based system I
potentially lose just the 10 I used within the last week.

~~~
indolering
Throw enough money at Bitwarden and I am sure they would be happy to build out
those capabilities. They really don't have extra funds for cool R&D like that.

------
developuh
Which password manager(s) would you guys suggest for a team of 10-15?

~~~
mikece
If you don't need to share passwords: KeePassXC.

If you _do_ need to have shared passwords (dev/stage/prod servers and
services) why not Bitwarden for Business?
[https://bitwarden.com/#organizations](https://bitwarden.com/#organizations)

~~~
developuh
I certainly need shared passwords. I will look at Bitwarden for Business.
Thanks.

