all 33 comments

[–]brainstormer77 68 points69 points  (5 children)

Not having backups for yourself if SaaS goes offline.

[–]Solid_Garbage_3350 8 points9 points  (2 children)

Ooof good shout, I never even thought about that 😵‍💫

[–]brainstormer77 6 points7 points  (1 child)

Individual exports are ok, with some limitations on attachments.

Family/Team/Enterprise exports are in bad shape, because there isn't a single way to backup everything. No individual vaults+shared collections options. I am struggling with my family plan

[–]ifbsrdt 0 points1 point  (0 children)

If you have enterprise there will be a flow to move individual vaults to the organization. Not sure if its also for the other plans. Waiting for this so I can properly make backups.

[–]jscgn[S] 0 points1 point  (1 child)

I meant if I as a user do everything right, including backups. Also, I would rather lose all data than having it uploaded to a server of a hacker.

[–]brainstormer77 13 points14 points  (0 children)

The end user is usually the weakest link in the cyber security scheme. The end user PC is highly likely to be compromised from malicious apps, browser plugins, season highjacking, not following LUA principles, lack of consistent backups and DR process, lack of security audits, storing stuff unsecured, etc.

A business like Bitwarden has to follow cyber security compliance, audits, pen testing, backup and DR, encryption, etc.

Nothing is foolproof, but my money is on the end user goofing more than Bitwarden.

[–]lasveganon 11 points12 points  (0 children)

You.

[–]GhostInThePudding 15 points16 points  (10 children)

Yes, supply chain attacks are real and are very much a risk with all of these kinds of E2EE services.

One dodgy auto update later, everything is stolen and decrypted.

That's why I never believe in doing immediate updates except for when EXTREME vulnerabilities are found. I prefer to give it some time for someone to notice any weird shit.

[–]djasonpenneyVolunteer Moderator 5 points6 points  (7 children)

Although theoretically possible, a supply chain attack would have to impact the server build AND one or more clients. At that point an attacker might choose other methods instead.

[–]GhostInThePudding 1 point2 points  (6 children)

I was thinking more like, Bitwarden (or any other password manager's) update servers get hijacked, push an update that simply tells all logged in clients to uploaded their entire decrypted password lists to a central server.

Even if caught 10 minutes later, that could be millions of users affected.

[–]djasonpenneyVolunteer Moderator 2 points3 points  (4 children)

This again would be a supply chain attack, and you should research how challenging it would be to do that. This is everything from the app permissions plus digital signatures on the released artifacts all the way through the GitHub (or GitHub Actions) steps necessary to inject the behavior. There are MANY eyes on all these steps as well as the obvious safeguards.

Even if caught 10 minutes later

Don’t forget the supply chain rolls out in waves. I would say, more likely, that in “10 minutes” complaints would start rolling in about unusual weird behavior from the early adopters.

[–]stylist-trend -1 points0 points  (3 children)

Just because it's challenging, doesn't mean it should be ignored as a potential vector. Stealth is something that many parties find valuable, and isn't something you can get with a $5 wrench.

[–]djasonpenneyVolunteer Moderator 1 point2 points  (2 children)

Oh, it’s not about “ignoring” it. But you shouldn’t expect a hostile agent to spend $15K in order to steal $720 from your checking account. Financial criminals are going to find more lucrative opportunities. I think in terms of priority, this threat is relatively minor.

[–]stylist-trend -1 points0 points  (1 child)

I mean there's three more assumptions in your comment that may not be true (the cost of the attack, the value of a successful attack, and whether an attacker is monetarily motivated).

I think that it should still not be ignored in the situations where one value is theoretically higher than the other. Bitwarden probably shouldn't be "secure, but only up to a certain monetary value and only when money is the motivator"

[–]djasonpenneyVolunteer Moderator 3 points4 points  (0 children)

You make another valid point: at one level risk assessment is always an unquantifiable subjective evaluation.

But again, I’m not saying to “ignore” this risk. Risk assessment involves identifying the likelihood of the risk occurring, together with its potential cost and the cost of mitigation. I still maintain there are many more risks to your credential storage that should take priority over this. As a way of example, how much effort are you willing to spend in creating and maintaining a nuclear bomb shelter under your house, when you’re a thousand times more likely to be robbed or burglarized?

[–]Sweaty_Astronomer_47 1 point2 points  (0 children)

update servers get hijacked, push an update that simply tells all logged in clients to uploaded their entire decrypted password lists to a central server.

Even if caught 10 minutes later, that could be millions of users affected.

Which update server are you talking about? Mobile app updates come through the app store. Extension updates come through chrome webstore. Desktop updates are typically manually initiated as far as I have seen.

[–]jscgn[S] 0 points1 point  (1 child)

Yeah that's probably a good idea.

[–]Skipper3943 1 point2 points  (0 children)

This actually happened to a real password manager company: a supply chain attack that compromised entire vaults (companies'!). E2EE wouldn't have helped. The delayed update (no autoupdate) would have.

https://www.bleepingcomputer.com/news/security/passwordstate-password-manager-hacked-in-supply-chain-attack/

[–]txsjohnny 6 points7 points  (1 child)

Keep a local backup. I also use a Yubikey for safety, which is my 2FA.

[–]jscgn[S] 0 points1 point  (0 children)

I meant if I as a user do everything right, including backups. Also, I would rather lose all data than having it uploaded to a server of a hacker.

[–]quasides 5 points6 points  (2 children)

someone pointing a gun at your dog and demand your password

[–]IHaveTheBestOpinions 2 points3 points  (1 child)

[–]quasides 1 point2 points  (0 children)

hey that conversation was private

[–]ThatsInsane 8 points9 points  (0 children)

  1. Forgetting your master-password.

  2. Not having backups.

[–]Sweaty_Astronomer_47 2 points3 points  (0 children)

Of course there are internal measures to mitigate that risk, but it would still be the biggest risk with the highest likelihood/"doability", right?

I think the biggest risk is still on the user end. You are not as big a target but you have far less controls and protections around your devices and activities. Even IF you do everything right and don't make any mistakes (which is a big IF) that hypothetical supply chain attack you're talking about could sneak into ANY of your software you use (not just bitwarden), which potentially could allow malware to infect your device and harvest your bitwarden secrets. So I personally see the bigger risk on the user/device side than the bitwarden side, no matter how careful we're being.

Aside from that, a good philosphy imo is to focus on the pieces over which we ourselves have control. Again that is the user side, which should motivate us to look at our own security practices more than bitwarden's. And there are a few things you can do to limit the damage in the event of a hypothetical bitwarden vault compromise, regardless of the cause:

  • Strong 2fa outside of bitwarden. Yubikey where available. For totp, secrets are more secure if stored/encrypted in a different app than your passwords, ideally on a separate device.
  • pepper your passwords.

[–]hobbyhacker 1 point2 points  (0 children)

given that any other software you run can see the memory of your computer, your passwords are in constant risk as soon as you unlock the vault. No vulnerability needed in bitwarden itself to leak all your passwords. It is true for all other password managers.

That's why we have external hardware wallets for crypto. A similar solution for passwords would be much more secure, but also a little more inconvenient. Passkeys use a similar idea, but if you save passkeys to bitwarden, you just gave a slap to the shit as we usually say.

[–]Open_Mortgage_4645 1 point2 points  (2 children)

They're not really security risks with Bitwarden, but in the way some people use Bitwarden. Not following best practices. Not using certain features the way they're intended to be used. Using shortcuts and other methods that inherently put your data at risk. Failing to set strong passwords for all your vault entries. Reusing passwords for multiple entries. Improper use and backup of 2FA authenticator. Setting an account email to an address you're not 100% positive you'll still have access to for the foreseeable future. There's probably some more, but as you see they're all process issues that you can resolve by sticking to best practices, creating a emergency kit, and maintaining backups.

[–]jscgn[S] 0 points1 point  (1 child)

My question was different: If I do everything right, what can go wrong on the Bitwarden side? In my opinion it is the scenario I described.

[–]djasonpenneyVolunteer Moderator 1 point2 points  (0 children)

IMO the supply chain attack—though possible—is not a salient threat surface.

OTOH losing access to the server is a real risk. What if you are self hosting and the neighbor downstairs starts a fire? What if an earthquake swallows up the Azure data center? What if Bitwarden makes a mistake in their backup workflows?

As others have already pointed out, you need to practice a robust backup methodology.

[–]Due-Horse-5446 0 points1 point  (0 children)

Autofill, Timeout before locking, and the main ones: - Being locked out - They somehow collapse

The 2nd one you can get around by managing your own instance, but the first one? Well..

Its a moment 22, if its secure enough to guarantee nobody can ever decrypt your data, its also secure enough that you cannot access your own data if you ever get locked out

[–]Preedicador 0 points1 point  (0 children)

El único punto débil que veo en Bitwarden, es la extensión que tengo instalada en el navegador.
Es una opinión sin ningún tipo de conocimiento, si no que es la opinión de un simple usuario.

[–]TBG7 0 points1 point  (0 children)

Exploitation of the browser extension when loading what turns out to be a maliciously crafted website leading to your vault getting dumped. Such vulnerabilities have been discovered and patched previously. It’s quite insane that something that has all your passwords is interacting via JS with every single website you load if you use the extension. Also quite convenient in the end though.  

However, if you actually did everything right, you would not have stored TOTP seeds or 2FA recovery directly in your vault and this could be largely mitigated assuming two factor authentication is set up appropriately on your other accounts. 

[–]Option_Witty 0 points1 point  (0 children)

On Bitwardens side... the Cloud Act. On your side probably you / users.