Hacker News: xxkylexx's comments

@Aquakor I am the lead developer of Bitwarden and was intimately involved in the security audit mentioned. I can understand that those two paragraphs may seem a bit concerning out of context. To provide more context, there were several points discussed between the Bitwarden developers and the auditing team about how we could redesign specific features (e.g. organization user confirmations) so that the crypto implementations would be stronger and more resilient against certain attack vectors. A consensus was reached, and that is what is being referenced here about re-designing things.

The purpose of an audit like this is to find issues. When issues are found, that is a good thing. We want to find problems so that they can be fixed. What would be bad is if we found issues that could not be properly fixed, or an abnormally large number of issues, neither of which was the case with Bitwarden. What I can tell you is that all issues referenced in this audit have already been resolved in very short order (the audit was only completed just last week), with relatively simple fixes, and that Bitwarden is even safer to use today than it was before.


FYI: There is also a full history of generated passwords available in each Bitwarden client app. So if you manage to lose one during the onboarding process, it should still be available in the history log.


This is true of LastPass, too. Just click the down arrow next to the generate password field.


I didn't realize that. That is very useful to know. Thanks!


> it doesn't have a minimum character count so it contains 'words' such as 'aa' and 'aaa'.

The PR discusses how the original word list that was referenced was changed out to the better long word list from https://www.eff.org/dice.


Great, thank you. Some more choices in that regard would be great (such as a native-language wordlist), but I very much appreciate that you added this basic functionality. Even in its current form it is an improvement over nothing or doing this manually (I am a satisfied Premium subscriber).


The report doesn't close the issue. It just provides an explanation for the current state of the issue (along with a current workaround) and details the impact of how it affects users.


The audit was literally completed last week. Immediately pressing vulnerabilities were patched and shipped, while plans were established for long-term fixes for the others. This report just provides disclosure of the issues.


All AES-CBC data is authenticated with HMAC SHA-256. This was highlighted in the BWN-01-011 issue (which was determined to be a false positive since it was deemed that authentication was properly done).


I haven't traced through the app's code to verify that is true.

Recommendation: If there is no HMAC tag with a ciphertext, immediately throw an exception. It makes it clearer that a decryption failure occurred (thus avoiding false positives).


It does do this [1]; however, it is a little more complex, since Bitwarden has to maintain backwards compatibility with old data that was AES-CBC encrypted long ago, before auth checks were implemented, while also guarding against downgrade attacks. This same discussion was had back in January when you (I assume this is PIE Scott) reported the problem in issue 306171 on HackerOne, which was closed out.

[1]: https://github.com/bitwarden/jslib/blob/master/src/services/...


Oh, this did seem familiar!

The AES-CBC thing is tied to the key, right? So the downgrade attack isn't possible.


Yes, new account keys are identified (presence of a MAC key) and block the downgrade (see code link above).


> Sometimes when launching bitwarden from an app, it will only show you the logins associated with the URI for your current page. But if you're launching it from an app you can't search for the right login.

This changed with the recent release of iOS 12 autofill in Bitwarden. If no credential is found based on the app/website address, you have the ability to search the vault for it.


There has been a standalone Windows desktop app since February. https://bitwarden.com/#download

> Especially with 1Password's ability to generate 2 factor tokens and put them in your pasteboard automatically so you don't ever have to pull up an Authenticator app!

Bitwarden also does this.


Thanks for letting me know! Somehow, neither the desktop app nor the OTP feature was very obvious to me.

I still felt its sluggish performance on launch/search/sync was slowing me down a lot throughout the day.


> I still felt its sluggish performance on launch/search/sync was slowing me down a lot throughout the day.

I recently switched (maybe 5 weeks or so ago) from 1Password to Bitwarden, after finding out about it on HN. I imported ~400-odd logins from 1Password, and I honestly don't find it any slower than 1Password.

I did notice that with Discord, both 1Password and Bitwarden now integrate with the new iOS password APIs.


Maybe it's just my phone (6) but you may find that once you get 1000+ logins, Bitwarden falls apart pretty quickly. I've heard the same from people with 800+ logins. I remember it used to be very quick when I initially used it with a few plugins.

IIRC from their GitHub issue threads, Bitwarden is using Xamarin, and performant UI has been a consistent struggle with many login entries.


Bitwarden has had some performance issues in the past with managing larger (>~250) logins, but they've been greatly improved in the last few months and I no longer have an issue. My password database currently contains 870 logins.

Bitwarden's support via IRC/gitter was exceptional when I was experiencing issues with it. Not only did they fix the problem, but they provided a custom build for me with more verbose logging enabled and worked with me directly to figure out what the issue was. It was fixed in a couple of hours and I was able to run the patched build without issue until the fix had been merged and released.


Not Xamarin but Xamarin.Forms; basic Xamarin doesn't have issues with UI performance.


How in God's name do you end up with _thousands_ of logins, or even 800? I work in a pretty large MSP in IT with tons of different programs, websites, and clients. Even if I added every single password (which I most surely would not do), I can't imagine there being more than two or three hundred. Conservatively, if every one of two hundred clients has thirty passwords, that's still only 600.


Two hundred times thirty is 6000.


...well this is awkward.


Lol :)


Well, I don't have 1000+ logins. Especially not among those I use frequently. However, I use a password manager for far more than just logins.

Also, having combed through my entire catalog by having to manually import Bitwarden to 1Password, I've realized all those random startups I've made a login for, or various sites for applications (job/school/etc.), really add up quickly!


640 KB ought to be enough for everyone, right? Just because it's not your use case doesn't mean that it's the same for everyone.

I have over 1500 entries in my password manager. That's the result of using it for years and having every single account I signed up for registered in it. Including random forums I only ever posted once for support. So yes, people can have more than 100 entries in their password manager.

I switched from LP to Bitwarden because I didn't trust LP anymore. It's fine, but I find the autofill very dumb (it will usually overwrite your password or random fields in various forms), and it doesn't do subdomain matching well. Search, or just opening the extension (on Firefox), is sluggish, and the Android app is very slow (open and search). Automatically putting the 2FA code in the clipboard has never worked for me either (Firefox on Linux). But I'll keep using it anyway because it's FOSS and not LP. You can even self-host your instance if you like.


.NET Core is just as native as Java on Linux...


I happen to be a Java developer, so for me personally Java is fine. But yes, something like Go or Rust would be even better.


This is not correct. All of Bitwarden's source code is 100% open source, even the few features that are paid. https://github.com/bitwarden

