top | item 35221178

FfejL|2 years ago

"Let's now assume that the user enables the PIN unlock and configures Bitwarden so that it doesn't require the master password on restart."

If the user has set up Bitwarden so the master password is not required, then the user gets what they asked for, namely a password database secured by a 4 digit PIN. Not clear to me why this is a problem Bitwarden needs to fix.

nabakin|2 years ago

You're assuming the average user understands security when that is definitely not the case. The job of Bitwarden is to help all users (even ones ignorant of security) to secure their data. If Bitwarden has no warning explaining that PINs are insecure, then the fault 100% lies with Bitwarden.

beachy|2 years ago

Some things fall into the "obvious" category, users should just know them, and it's not 100% on Bitwarden to make the world a safe place.

Is it a good idea to leave your password on a piece of paper under your keyboard? No, and you shouldn't need Bitwarden to tell you that.

Is it a good idea to use your name and date of birth as a password? No, and this should be obvious, not something Bitwarden needs to educate you about.

Is it safe to rely on a 4 digit PIN? Obviously not, when there are only 10000 possible combinations. You shouldn't need Bitwarden to tell you that though.

Are there people out there who do need this education? Of course. But that's a job for someone with infinite patience and understanding. Not some words on a web page from a supplier.

Case in point, my step dad belonged to a "computers for elders" group and one day he learned about antivirus software. Next time I watched him, he was googling for anti virus software and downloading any he could find, from anywhere on the internet. He ended up with 6 different AV packages, some very dubious looking indeed. I tried to explain the dangers but he couldn't understand how antivirus could actually harm his computer. And he was a practicing doctor of medicine before retirement. It really highlighted the challenges of protecting some people in the brave new digital world.

halayli|2 years ago

It's a bit of a stretch to label Bitwarden users as average user. Average users don't know about password managers beyond whatever their browser supports.

e12e|2 years ago

With a secure enclave of some kind, there could conceivably be a three attempt limit before the temporary key associated with the pin is deleted, and full pass phrase is required. In such a setup pin might make sense.

As it is - I'm not sure if pin makes sense even if there's user demand? Then again I do use biometric unlock - and that's not really great either.

At least the bitwarden installs are behind fde (macOS) - and possibly (?) file based encryption (Android 13+).

Eisenstein|2 years ago

If the user set up the PIN and uses it every time, the chances that they know the master password are about 50/50.

ambiso|2 years ago

> the user gets what they asked for, namely a password database secured by a 4 digit PIN.

A 4 digit PIN would be safe if Bitwarden securely enforced an attempt limit on the PIN. There's several options to implement this securely (see e.g. other comments about Windows Hello or use of a TPM).

eviks|2 years ago

Why did you jump to a 4 digit PIN instead of a 10 letter word? (which is still faster than the full 20 letter master password with many special symbols)

Is it because of the name PIN? So there is your simple answer of what problem Bitwarden needs to fix

Aeolun|2 years ago

Why would you think the master password has many special symbols and 20 characters? You can just have the 4 digit pin as your master password.

SV_BubbleTime|2 years ago

They could make the pin process intentionally slow… maybe with some number of iterations… and as computers get faster they can just update the number of iterations required…

morpheuskafka|2 years ago

If the PIN is local, only a secure element type of chip could meaningfully enforce this restriction. Otherwise, whatever memory or disk stores the secret encrypted only by the 4-digit PIN could still be brute forced. Just disabling entering a PIN in the UI would not be enough for security.

nebulous1|2 years ago

It already is intentionally "slow". However, for a 4 digit PIN there are only 10 thousand combinations. It is not practical for it to be so slow that 10000x it is an infeasible amount of time. Not only would the user have to wait way too long on each entry, the attacker could just use faster hardware.
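
The arithmetic behind the last two comments, as an added example that is not part of the thread and is not Bitwarden's code. The key-derivation cost per guess (0.5 s on the user's machine) and the attacker's hardware speed-up (1000x) are constructed figures used only to illustrate the trade-off; the keyspaces are the ones the thread mentions (4 digits, 10 lowercase letters, a 20-character printable-ASCII password).

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed secret profiles: (alphabet size, length). The 4-digit PIN and
# the 10-letter word come from the thread; the 20-char password assumes the
# 95 printable ASCII characters.
PROFILES = {
    "4-digit PIN": (10, 4),
    "10 lowercase letters": (26, 10),
    "20 printable chars": (95, 20),
}


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to try."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, kdf_seconds_per_guess: float,
                       attacker_speedup: float = 1.0) -> float:
    """Worst-case time to try every candidate offline.

    The KDF cost is paid once per guess on the user's device; an attacker
    with faster or parallel hardware divides it by attacker_speedup.
    """
    return keyspace * kdf_seconds_per_guess / attacker_speedup


def kdf_seconds_needed(keyspace: int, target_years: float,
                       attacker_speedup: float = 1.0) -> float:
    """Per-unlock delay the *user* would have to accept so that an
    exhaustive offline search takes at least target_years."""
    return target_years * SECONDS_PER_YEAR * attacker_speedup / keyspace


def compare(kdf_seconds_per_guess: float = 0.5,
            attacker_speedup: float = 1000.0) -> dict:
    """Summarise, per profile, entropy in bits, attacker time in years to
    exhaust the keyspace, and the unlock delay needed to force a 10-year
    search. All parameter defaults are constructed assumptions."""
    out = {}
    for name, (alpha, length) in PROFILES.items():
        n = keyspace_size(alpha, length)
        out[name] = {
            "bits": math.log2(n),
            "attacker_years": seconds_to_exhaust(
                n, kdf_seconds_per_guess, attacker_speedup) / SECONDS_PER_YEAR,
            "unlock_seconds_for_10y": kdf_seconds_needed(
                n, 10, attacker_speedup),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22s} {row['bits']:6.1f} bits  "
              f"attacker exhausts in {row['attacker_years']:.2e} years  "
              f"needs {row['unlock_seconds_for_10y']:.2e} s per unlock")
```

With these assumptions the 4-digit PIN falls in about five seconds, and forcing a ten-year search would mean a per-unlock delay of roughly a year, which is the thread's point that slowing the KDF cannot rescue a 10^4 keyspace. The 10-letter word, by contrast, already costs the same attacker thousands of years at the same KDF cost. A software attempt counter does not change these numbers, because the attacker runs the search against a copied file rather than through the UI; only a hardware-enforced limit (secure element or TPM, as other comments note) removes the offline path.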

8ytecoder|2 years ago

And add other defensive mechanisms like lockout after n retries.