Bitwarden Completes Third-Party Security Audit

Yeah, I noticed the change in LastPass' behavior. It turns out that it actually DOES save the random passwords it generates... it's just very well hidden. If you generate a random password for a site, register your account, and LastPass does not catch it and doesn't prompt you to save the account info, it's not lost. If you open the 'Generate secure password' page by itself from the context menu extension, you'll get a new random password. BUT, if you click the down arrow to the right of it, it will drop down a list of the prior generated random passwords for at least that browser session.

Utter madness, but it saved me a couple times.

Very similar for me but with 1Password instead of LastPass.

My only complaint about Bitwarden is that the desktop app on macOS does not have support for Touch ID which is a shame. It has been a requested feature for a long time but no progress seems to have been made.

The desktop Bitwarden app is Electron based so I don't know if that is an issue or not.

Overall for £10/year for Premium or legitimately free if you don't need the Premium features you are a fool to not use it imho.

Switched to Lastpass half a year ago and it's been a rocky move (I didn't have a password manager before). It's consistently been painful to use. For example, my work email transfers between different domains for log in versus viewing and I think even a third. Lastpass never manages to suggest the password at the right time because of this and I always forget where to find it. The mobile app routinely makes me type my long passphrase in twice in a row which is painful because it's easy to typo it. I also don't trust it saving randomized passwords it generates so I always have to copy them to clipboard and confirm that the account was added properly. I have had problems where data did not sync; I could see it in Mobile but not desktop or vice versa. It had been in my account for weeks at that point. Maybe I should try bitwarden.

I moved from Lastpass to 1Password recently. Neither fill basic auth dialogs, and both companies state this is a feature not a bug. It still pisses me off.

Also: it has a 50% (and decreasing) success rate at actually filling in passwords and no quick menu to copy/paste them.

Lastpass has been on my "replace at next opportunity" list for a while now. No time like the present.

Last Pass still saves generated passwords, it's just become a hidden feature for some reason...

Each generated password is visible in the triangle drop-down to the right of the generated password. This list resets on restarts

>When Firefox switched to the webextension format, LastPass started using the Chrome version as the foundation for Firefox.

The backward change started after logmein bought lastpass.

Yes, I use KeePass and Kee for Firefox. Before WebExtensions it was perfect. Now, it has a dialog that tries to intercept basic/negotiate auth, but it never works.

Luckily, keepass has a very nice auto-type functionality that works perfectly with basic auth dialogs. Now if I could just disable the Kee dialog that doesn't actually do anything...

Ahh that explains it. I've definitely sen a deterioration in performance by the last pass extension.

FYI: There is also a full history of generated passwords available in each Bitwarden client app. So if you manage to lose one during the onboarding process, it should still be available in the history log.

Ironically, this describes the exact problem I've been running into with Bitwarden on Safari.

Still less buggy than Lastpass's Safari extension though...

@Aquakor I am the lead developer of Bitwarden and was intimately involved in the security audit mentioned. I can understand that those two paragraphs may seem a bit concerning out of context. To provide more context, there were several points discussed between the Bitwarden developers and the auditing team about how we could redesign specific features (ex. organization user confirmations) so that the crypto implementations would be stronger and more resilient against certain attack vectors. A consensus was reached and that is what is being referenced here about re-designing things.

The purpose of an audit like this is to find issues. When issues are found, that is a good thing. We want to find problems so that they can be fixed. What would be bad is if we found issues that could not be properly fixed, or an abnormally large number of issues, neither of which was the case with Bitwarden. What I can tell you is that all issues referenced in this audit have already been resolved in very short order (the audit was only completed just last week), with relatively simple fixes, and that Bitwarden is even safer to use today than it was before.

Can anyone knowledgeable comment on this. Right now I'm using enpass and trying to wonder if BitWarden would be better. Enpass has some issues when if sync fails it doesn't really report that (for me at least). I also have had some issues when I'm in a trusted machine (at work) but not my own when having a web-vault access might be good.

On the other hand I do love the no cloud mode of enpass which potentially of makes it slightly more secure (a cloud for password storage would be a juicy target). It also means I have a local backup of all my password in my devices in case of some issue including bitwarden web vault being down.

yeah, that seems like the sort of thing you would never want to hear from an audit. the only thing worse would be known breaches.

Is it good to release this audit so soon? Wouldn't it have been better to release it in 1-3 months after they fixed the issues so that they don't alert attackers that there's an opportunity? Actually curious what the best practice is and why it is so.

Yup, the Rust version is what I include with in HomelabOS (https://gitlab.com/NickBusey/HomelabOS).

It's been fantastic, really solid and generally pretty fast. Far, far easier than trying to get the standard Bitwarden stack going. That said, the standard stack is meant to support many users, where I have only tested the Rust implementation with a handful of users.

For reference, the official implementation uses MSSQL, and it's asking for 2GB memory instances, so I can see people liking alternatives.

https://help.bitwarden.com/article/install-on-premise/

And there are also other third party implementations too,

Go : https://github.com/VictorNine/bitwarden-go

Ruby : https://github.com/jcs/rubywarden

Personally, I don't recommend anyone without much knowledge in security to use "personal servers" to reduce threats. Even if it's in a private network, a server/container/whatever without recent security patches/proper configuration is no way more secure than well-managed public ones.

Six months or so ago, I switched from KeePassX with manual file synchronisation, to using bitwarden_rs on my own server, which runs Arch Linux, via a package on AUR. I haven’t had any trouble with it so far. The current version has been running for almost a month, and its resident memory is currently just over 11MB, viz. low and stable. That’s also roughly the size of the package and its data on disk.

I do also have the optional web interface, which isn’t Rust; it uses inordinately much memory while building (https://github.com/bitwarden/web/issues/250) but is fine after that.

I look forward to testing it.

I was using the ruby version, but I didn't know a rust one existed as well.

https://github.com/jcs/rubywarden

>Previously used Lastpass for 8 years.

As a longtime Lastpass user, this is the comment that made me go check it out. Are there any big pros or cons you have run in to compared to Lastpass (aside from the ones you listed)? I'm asking about actual functionality, not about the it being open source and such.

How is the form fill for information besides username and password (e.g. credit cards, personal contact info) compared to LastPass?

From your experiences is there any downside or drawbacks with switching? I've been considering it, particularly as Lastpass's Firefox app has been flakey and unreliable.

In general Lastpass has become less reliable since the LogMeIn take-over, and they've now added ads to the vault which bug me from a security perspective (even if I happily pay $2/month, it is the principle of putting profits over security).

Great browser addon? The one I'm using (the official one) could definitely use some improvements in UX and security

- when I open it my master password is prefilled and you can just unmask it - either don't prefill it and have me enter it or log me in immediately

- when creating new credentials it defaults to master password again that you can just unmask. And the URL is empty instead of the current URL

- everytime: I open a site in bitwarden, copy the username, paste in the form field in browser, open bitwarden and it's on the login page again - why can't it remember where I left of so that I could copy the password too?

EDIT: in Firefox

> Wondering how they will address the current cryptographic scheme though.

The only cryptographic weakness Cure53 identified was that a malicious API server could exfiltrate encryption keys.

Cure53 deemed it a hard problem to solve. I wrote a proposed strategy for mitigating it: https://github.com/bitwarden/core/issues/392

Regarding Bitwarden's cryptographic security, a cursory read through their code yields the following:

* It's using RSA-OAEP to encrypt AES keys (EDIT: formerly "some data") https://github.com/bitwarden/jslib/blob/b4fad203b94da53d3369...

* It's using AES-256-CBC https://github.com/bitwarden/jslib/blob/b4fad203b94da53d3369... + https://github.com/bitwarden/jslib/blob/b4fad203b94da53d3369... + https://github.com/bitwarden/jslib/blob/2045e7047a66599b2c8a...

It doesn't appear to be authenticating the AES-CBC-encrypted ciphertexts in all cases, which makes me suspect padding oracles are still in-scope.

https://robertheaton.com/2013/07/29/padding-oracle-attack/

RSA-OAEP is the better RSA mode. (You don't want PKCS1v1.5)

In closing: As long as you're not for some reason storing unauthenticated AES-CBC ciphertexts in the server, the encryption is really boring.

(Boring is good for encryption.)

I use keepass and syncthing for the passt 4 years. This is peer to peer syncing which means at least two of the devices have to be on. I solved that by having a raspi always on which distributes the newest file if I don’t have laptop or phone connected at the same time

I've used Keepass since 2012 (Keepass2 on Linux, KeepassXC on Mac, Keepass2Android) synced with Dropbox but (experimentally) switched to Bitwarden this summer as a reaction to some HN thread, I've been very pleased! Haven't used it on Linux yet but am using the Chrome extension on Mac and the native Android & iOS apps and they work very well.

I've also been using Lastpass at work since 2015 so have experience of those three and if I had to start over and pick one it would definitely be Bitwarden. Highly recommended!

I use Keepass2, with my password database stored on a cloud server, accessible by SFTP - both the Windows client (with an extension) and Keepass2android support SFTP. Keepass2android syncs automatically when you start it, and it's just 2 clicks from the Windows client.

I've been using this setup for years, and it works well for me. Now I think about it, the only minor pain point is not syncing over some kind of HTTPS mechanism (for getting through corporate proxies).

Same here. It's the only thing that looked close enough like an open and secure platform, very much unlike LastPass and 1Password, which I can't believe so many tech-savvy people keep trusting.

KeePass would be perfect if I had an easy platform to share the file on. A VPS isn't reliable enough for me, and Dropbox 's proprietary Linux client did suspicious stuff.

I don't like their response to BWN-01-010 (not rotating the encryption key and re-encrypting the database on master password change).

Their justification boils down to "either the attacker has full access to a compromised devices, or they don't." Meaning they could re-steal your master password AND encrypted database, or neither.

I don't believe that is true. Let me give an example where their justification breaks down:

Your master password is stolen, the attacker break into your DropBox account and associate it with the attacker's device, DropBox is inadvertently sharing your Bitwarden database.

You discover the break-in, change your Bitwarden master password, change your DropBox password, but forget to un-trust existing devices from DropBox. So now the attacker continues to receive your Bitwarden encrypted database via DropBox.

But good news, you think... You've changed your master password! But nope, the actual encryption key wasn't rotated, and the attacker continues to have access to everything. You're rotating passwords on all of your compromised services, only to provide the attacker with the new passwords, opps!

Their whole justification is: "But how would they get the new database?" And frankly numerous ways. Plus their workaround is pretty embarrassing:

> If a user has a pressing need to rotate their account’s encryption keys it can be achieved today through a manual process of exporting all vault data, re-creating the Bitwarden user account (delete and register again), and then reimporting the vault data back in.

Wow really? And this makes them look really bad:

> Rotating an encryption key would require that a Bitwarden client application re-encrypt the user’s entire vault (including binary file attachments). This operation is both expensive and error prone and would pose a high risk for users to end up with corrupted vault data.

So you've written such great software that it cannot reliably decrypt and encrypt without potentially corrupting the database? Awesome.

> Why do browsers never implement something as easy as lock the vault with OS account pass after a certain period after unlocking like any password managers do?

You must lock your workstation, it's not enough to just lock the password manager. If you leave your workstation unlocked then an attacker could install a keylogger that captures the password to unlock your password manager.

Convenience >> security for most people, unfortunately.

The audit was literally completed last week. Immediately pressing vulnerabilities were patched and shipped while plans were established for other long term fixes for the others. This report just provides disclosure of the issues.

Very worrying to me.

It varies widely, but a code review I was party to came in at around 60k.

I mostly don't regret switching from LastPass to BitWarden. Migration of logins was pretty painless. My only issue is with Android/Firefox. (Desktop Firefox + BitWarden is excellent!) The current Firefox doesn't play well with the Android BitWarden app, so you have to use the Add-on. (At least, this has been my experience.) I've also frequently encountered an issue where the menu item in Firefox for BitWarden vanishes and I have to toggle the add-on to re-add it. Over the past four days, I haven't had the issue, so I'm hoping that it's resolved for good. I believe these issues will be resolved, and they are largely not the fault of the BitWarden team; more like the Android platform and the Firefox team getting caught up with the latest best practices. (I believe Firefox Nightly actually plays well with the app, and should not require the clunkier add-on.)

The migration process is very painless [0]; it will take longer to switch your installed extensions on all your devices than to migrate your vault.

[0]: https://help.bitwarden.com/article/import-from-lastpass/

Memorizing your passwords seems impossible to me. The passwords I've put in my new password vault over the last year probably number in the mid 3 digits, and I don't really think I have THAT big an online footprint. So either: You share passwords among sites (which I never do) or you have a WAY better memory than I do. Or, I guess, you just use the password reset a lot?

Here are some things that make it really hard to remember all the passwords I need to:

- One bank requires me to change my password every month that I login. Don't even get me started.

- Many sites require 3-5 "security questions", which I consider to be effectively passwords and generate/manage them as such.

- Different sites have different allowed formulas of what they require for passwords

Memorizing passwords seems like a recipe for reuse of the same passwords on multiple sites, which is terrible.

I can't say I was quite as good about unique and strong passwords, but up until maybe a year ago, I just memorized all of my passwords. I had a few that I re-used a bit, especially for non-critical web sites.

Finally, I started out with LastPass. (Now I use BitWarden but the experience should be very similar.) What I knew I needed was something to work with my desktop browser, and something to work on my phone with any apps with logins, and with my mobile browser. A year ago, LastPass worked great with desktop and mobile Chrome, and Android. (BitWarden is a little trickier to integrate with mobile Firefox, as I outlined elsewhere in this thread, but it's constantly improving.)

So, you set up your new account, you choose a really amazing, unique, strong password like the world has never seen, and that's the only one you need to know. But there is that transition.

Install the password manager app and add-on(s) as needed on each place. Each will want to know your login and super amazing password, so you'll get to exercise your memory.

You probably want to go to each site and app that you infrequently use, log on in, add it to your password manager - or just do so directly, but you want to make sure the URLs and app references are correct - and move on to your everyday activities. (You can revisit later if you want to update it to something randomly generated.) Then go about your daily business, and if you get to apps and web sites you haven't added to your manager, no big deal - just let the manager remember it.

It's all really simple. Now, if you really want to do your due diligence, go back and update the password, especially for mission critical accounts, so that only your password manager knows the password, and it's as strong as possible.

The same massive flaw exists with your offline password manager. The gambit of this argument is that you (or more generally the public) are more capable of properly securing and storing secrets, instead of a company of experts hired to create, configure, update and audit a service to do so.

That's a call each person can make for themselves, but if I'm advising the normals on how to handle it, there's little doubt which direction I'm pointing.

2FA is only required for logins on new / unrecognized devices. If someone else had my master password, they still could not login.

I am only required to enter my 2FA on the installation of each client, so there is no really loss of convenience.

I use Enpass and I like it, though I don't love it. I have a few pain points that make me consider looking elsewhere.

I like: No recurring price just buy once per platform and off you go, no hosted component it just uses my Google drive, ability to add additional items to the things it tracks like the places that insist on 5 "security questions", Android app with fingerprint is nice.

Things I don't like about Enpass:

- No ability to have multiple databases. I would really like to have the ability to have a database shared with my spouse, and one shared with my work.

- I never was able to get the Chrome integration to work on ChromeOS and that is my primary personal OS these days.

Generally it works well, but I'd love to get my wife using one, would like to have one I can share with my wife, and would like to replace our ancient work password vault that is Windows-only.

I use Enpass exclusively. Having switched from Lastpass a couple years ago. I neglected to pay the premium, and was unable to access some really needed data in the middle of a situation, but couldn't because the premium expired. After that situation, I said fuck you to paid services. While I get the benefits of them, it's not useful if you run into a situation like this where you are locked out of your own data for failure to pay on time.

Enpass was worth the cost for mobile access. But that's all I had to pay. I can now use it on every Win/Lin/Mac/Phone system available to me. Sync seamlessly in the background with my preferred cloud provider, which also requires 2FA to access. So I feel reasonably secure.

They’re probably ok, but you’re locking yourself in/out should you ever want/need to use a non-Apple device.

1Password: OSX/Windows

Bitwarden: OSX/Windows/Linux

Open source, free sync?

It's a mature product that hasn't had any major security issues. When I checked a few years ago, no other product ticked both boxes. Nowadays there might be another such product, but I'm not going to switch to find out at this point.

When I last tried it, it didn't support generating passwords with English words ie. A 4 work Random password: hack-flipper-jump-london.

Edit: looks like it does support this now.

I'm interested in this as well. I semi-recently paid for a year of 1password family so I'm reluctant to switch so soon.

It's one guy (currently) Kyle.

The fact that I can't easily use a Yubikey for 2FA with KeePass has always made it a nonstarter for me. After experiencing the comfort and peace of mind I get with "master password PLUS Yubikey" in Bitwarden and LastPass, I could never go back to just having a master password that could be keylogged.

Yes, you can have a static "keyfile" on a USB stick that you use for 2FA, but that could be easily copied. "But if they have physical access it's already game over!" The scenario I am concerned about is unlocking my master database on a computer I don't own, like at work. I can do that with Bitwarden.

Bitwarden is closer to a LastPass competitor in the sense that it combines the encrypted database management with cloud storage, so that you can trivially share the database across devices.

Keepass is only the encrypted database management component. If you want to share that database across multiple devices you have to combine it with a cloud storage service (DropBox, Google Drive, OneDrive, iCloud, etc).

The major advantage of Keepass is that hypothetically it could be a completely off-line system, you could manually copy the database via e.g. USB Stick to every device if you so wished.

Keepass2 does not perform any syncing between devices (as far as I know), it's "just" a password safe that stores data in an XML file.

Personally I sync my Keepass files using a secure file sync app (not Dropbox), which is sufficient for me. I don't log into account on my phone so I don't need the passwords there, I guess it can be a reason for people to use Bitwarden.