People have been asking me about #Bitwarden ever since #LastPass has been breached. While I never took an in-depth look, I now at least evaluated the claims regarding their encryption:
https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/
While the password manager being completely open-source with the option to self-host is great, otherwise I’m not too impressed. The issues in particular:
· Server-side iterations mechanism does not provide any security value. They should have known about it at least since 2020 when @dchest wrote about it, probably even since 2018 when I discussed the same flaw in LastPass. Yet they are still using it for their PR claims.
· 100,000 PBKDF2 iterations on the client side is too low, with the current OWASP recommendation being 310,000. They updated this setting (hopefully upgrading existing accounts as well) in 2018 seemingly to match LastPass and failed to adjust ever since.
· Bitwarden allows users to configure 5,000 iterations without even warning them. Not only is this value dangerously low, supporting it also allows a compromised production server to ask the client for a password hashed with 5,000 iterations – regardless of the actual setting.
· Bitwarden users have been pointing out the key derivation parameters being inadequate since at least 2018. Development of Argon2 support only started two weeks ago, and it isn’t coming from the core developers.
On the bright side, vault data is completely encrypted. No unencrypted URLs and such.