Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Bitwarden responds to encryption design flaw criticism

UPDATED Password vault vendor Bitwarden has responded to renewed criticism of the encryption scheme it uses to protect users’ secret encryption keys by enhancing the mechanism’s default security configuration.

The issue centers on the number of PBKDF2 hash iterations used to compute the decryption key for a user’s password vault. In this scenario, OAWSP recommends using the PBKDF2 algorithm with random salts, SHA-256, and 600,000 iterations (a figure recently increased from the previous recommendation of 310,00 rounds).

Bitwarden said that its data is protected with 200,001 iterations – 100,001 iterations on the client side and a further 100,000 on the server side. But security researcher Wladimir Palant has warned that, while this might sound impressive, the server-side iterations are ineffective. And, much worse, older accounts were stuck with much lower security settings (unless they manually increased iterations on their settings).

Palant posted a technical blog post on the issue on Monday (January 23). In response to this blog post, a Bitwarden user claimed an account they started using in 2020 operated with just 5,000 iterations (adding that increasing the count to 200,000 failed to cause a “noticeable slowdown”).

Password vault data can only be decrypted using a key derived from a user’s master password. Hashing this password through an insufficient number of iterations leaves secrets at risk to potential brute-force attacks.

LastPass breach aftermath revisited

Failure to follow industry best practice on the number of hashing iterations becomes a live problem in the event of a password vault server breach, a calamity that recently befell LastPass.

LastPass was faulted for applying fewer than the recommended number of iterations in hashing users’ encryption keys, performing only 100,000 in the best-case scenario. Much worse yet, it had failed to migrate older accounts to even this suboptimal level, leaving them with just 5,000 rounds of protection.

The LastPass breach prompted Palant to investigate practices in this area among other password vault developers, uncovering shortcomings with Bitwarden’s approach in the process.

History repeating

The public disclosure of the issue this week prompted cryptographer Nadim Kobeissi to point out that he and a team of colleagues had uncovered and reported (PDF) the same problem five years ago.

The issue was downplayed in 2018 but its re-emergence this week, in the aftermath of the LastPass breach, has prompted Bitwarden to act.

The open source password management service has responded by increasing its default client-side iterations to 350,000 in a change that initially applies only to new accounts. This figure was later upped to 600,000 in response to revised guidance from OWASP. It’s still somewhat unclear whether or not existing accounts will automatically be updated.

post by BitWarden to Mastodon left some in the community scratching their heads.

“They [Bitwarden] give no indication on the timeline for this change and are vague about whether existing accounts will automatically be upgraded to the new, higher default,” a poster on Bitwarden’s community forum writes.

According to a subsequent post on the same forum, Bitwarden is treating this criticism as a feature request.

In response to queries from The Daily Swig, Bitwarden confirmed that “defaults are increasing”, adding that user had previously been able to “adjust and increase iterations [at] anytime”.

Advertisement. Scroll to continue reading.

This story was updated to correct the attribution of comments on the behavior of older Bitwarden account. These comments were made by a reader of Palant’s blog and not the security researcher themselves, as previously and incorrectly reported.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/bitwarden-responds-to-encryption-design-flaw-criticism

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich....

Cyber Security

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word...

Cyber Security

A new form of communication on Twitter called the Encrypted Direct Message has been made available by Twitter. It will appear in your inbox...

Cyber Security

The agency continues its post-quantum cryptography push as it looks to create guidance for all sectors. The latest step in post-quantum cryptography guidance is...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO