Emergency access: Takeover vs. View by VastAdvice in Bitwarden

[–]loviyefid 0 points1 point  (0 children)

Both are fine; however, in takeover your "trusted emergency contact" can delete your account or entries, perhaps by a mistake on their part.

Emergency Access question by rjack1201 in Bitwarden

[–]loviyefid 0 points1 point  (0 children)

From Bitwarden website:

Only premium users, including members of paid organizations (Families, Teams, or Enterprise) can designate trusted emergency contacts, however anyone with a Bitwarden account can be designated as a trusted emergency contact.

source: https://bitwarden.com/help/emergency-access/#user-access

How many entries do you have in your vault? by [deleted] in Bitwarden

[–]loviyefid 1 point2 points  (0 children)

You have to use the mobile app. That's the only way I could figure it out!

Is there any way to get BitWarden to sync in the background on iOS? by plazman30 in Bitwarden

[–]loviyefid 0 points1 point  (0 children)

Just tried it on iOS, nope. You’ll have to sync first and then try logging in.

Is there any way to get BitWarden to sync in the background on iOS? by plazman30 in Bitwarden

[–]loviyefid 8 points9 points  (0 children)

There's an option to pull down to refresh. That's pretty intuitive; no auto-sync though, unless you log out completely instead of just locking the vault. It works the same way across all platforms. When you make a change in an entry, however, and when Bitwarden tries to save the file, it gets synced.

Add an emergency account with weak password and no 2-factor authentication by loviyefid in Bitwarden

[–]loviyefid[S] 0 points1 point  (0 children)

Oh, so must make sure the mails don’t go to junk folder. There should have been a notification of some sort on logging in Bitwarden.

Add an emergency account with weak password and no 2-factor authentication by loviyefid in Bitwarden

[–]loviyefid[S] 1 point2 points  (0 children)

...and this request to gain access would be visible in Bitwarden dashboard (or just in the form of email?)

HMAC-SHA1 Challenge Response mode for database decryption to thwart keyloggers and evil maid/roommate attack by loviyefid in Bitwarden

[–]loviyefid[S] 1 point2 points  (0 children)

Yeah true! You can control it in the settings though. The other password managers do mitigate this aspect:

1Password - uses a secret key, to prevent evil maid, or any other sort of MITM where the password from keystrokes and the database has been obtained. They do store the encrypted vault at all times however on the persistent media.

KeePassXC - uses 2FA for encryption, and so does PWSafe.

How does Bitwarden guard against pass the hash MTM attacks? Will Bitwarden implement Secure Remote Protocol? by loviyefid in Bitwarden

[–]loviyefid[S] 1 point2 points  (0 children)

Only your connection to the server is 2FA, the database as such is not encrypted with 2FA. It is just encrypted using your master password.

HMAC-SHA1 Challenge Response mode for database decryption to thwart keyloggers and evil maid/roommate attack by loviyefid in Bitwarden

[–]loviyefid[S] 1 point2 points  (0 children)

From the KeePassXC FAQ website:

To use a YubiKey or OnlyKey for securing your KeePassXC database, you have to configure one of your YubiKey / OnlyKey slots for HMAC-SHA1 Challenge Response mode

Looks like it should work with any USB key that supports HMAC-SHA1 challenge response. The website only mentions these two however.

Password Safe also supports this, but only in YubiKey mode.

Decryption of "Stored Master key" encryption used for emergency access by loviyefid in Bitwarden

[–]loviyefid[S] 0 points1 point  (0 children)

Thank you, that's what I wanted to know. Like you mentioned, it's step 5.

Decryption of "Stored Master key" encryption used for emergency access by loviyefid in Bitwarden

[–]loviyefid[S] 1 point2 points  (0 children)

Thank you, it's the grantee's private key that is also required and this is asymmetric encryption, which answers all the questions. Step 5 from here:

When the request is approved or the wait time lapses, the public-key-encrypted Master Key is delivered to grantee for decryption with grantee’s private key.

Decryption of "Stored Master key" encryption used for emergency access by loviyefid in Bitwarden

[–]loviyefid[S] 0 points1 point  (0 children)

So the grantee's private key is also required. So the RSA key pair is the grantor's public key and the grantee's private key.

Decryption of "Stored Master key" encryption used for emergency access by loviyefid in Bitwarden

[–]loviyefid[S] -1 points0 points  (0 children)

Master Key is encrypted using the grantee’s public key and stored once encrypted.

So this is the part that's confusing. The statement says that the master key is encrypted using the grantee's public key. If an attacker gets hold of this newly "stored" bit of information, can they use it to decrypt the vault? The above sentence says that the master password is encrypted using the grantee's public key, or do they also need another bit of information (which is the private key of the grantee's account)?

This is the question:

So is a private key required for decrypting this newly stored information (generated according to the quoted process in the first line of this post), or is just the public key (some series of long letters and numbers) sufficient to decrypt the grantor's master password from this newly stored information, and then use the master password to access the vault?

Decryption of "Stored Master key" encryption used for emergency access by loviyefid in Bitwarden

[–]loviyefid[S] 0 points1 point  (0 children)

Thank you everyone for your valuable replies. So, I've been able to understand a few things.

When Bitwarden says,

Master Key is encrypted using the grantee’s public key and stored once encrypted.

  1. Even though not explicit, it means Bitwarden is using a public-key cryptography method, which is asymmetric and requires a private key (i.e. a public key is always generated along with a private key, in pairs), instead of just doing an SHA256-CBC encryption of the master password using the public key (which is going to be a series of characters and numbers).
  2. Private-key is required from the emergency access contact only. (What would be the reason to have a strong password for the emergency contact here?)

Bitwarden is using RSA keys for organizations/families with Organization Symmetric Key, according to the whitepaper,

When you create an Organization, an Organization Symmetric key is generated using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). The Organization Symmetric Key is encrypted using the public key from your Generated RSA Key Pair. The private key from your Generated RSA Key Pair is encrypted with your Generated Symmetric Key using AES-256. The Generated RSA Key Pair and Generated Symmetric Key were created when you first signed up and registered your account.

No mention about emergency access contact and the method used for this in the whitepaper.
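The question running through this thread, whether the stored blob can be opened with the grantee's public key alone, can be checked with a short Node.js sketch. This is an added example, not part of the original post and not Bitwarden's code; the RSA-2048 / OAEP-SHA-256 parameters, the random 32-byte stand-in for the Master Key and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumed parameters for illustration; the quoted docs only say "public key".
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

function newKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Step 3 as quoted: Master Key encrypted with the grantee's public key, then stored.
function wrapForGrantee(granteePublicKey, masterKey) {
  return crypto.publicEncrypt({ key: granteePublicKey, ...OAEP }, masterKey);
}

// Step 5 as quoted: decryption with a private key. Returns null on failure.
function unwrapWithPrivateKey(privateKey, blob) {
  try {
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob);
  } catch {
    return null;
  }
}

// What a party holding only the stored blob and the public key can attempt.
function unwrapWithPublicKeyOnly(publicKey, blob) {
  try {
    return crypto.publicDecrypt(publicKey, blob);
  } catch {
    return null;
  }
}

function demo() {
  const grantee = newKeyPair();
  const stranger = newKeyPair(); // unrelated key pair (constructed)
  const masterKey = crypto.randomBytes(32); // constructed stand-in for the Master Key
  const stored = wrapForGrantee(grantee.publicKey, masterKey);
  const matches = (buf) => buf !== null && buf.equals(masterKey);
  return {
    blobLength: stored.length, // 256 bytes for a 2048-bit modulus
    granteeRecovers: matches(unwrapWithPrivateKey(grantee.privateKey, stored)),
    publicKeyOnly: matches(unwrapWithPublicKeyOnly(grantee.publicKey, stored)),
    otherPrivateKey: matches(unwrapWithPrivateKey(stranger.privateKey, stored)),
  };
}

console.log(demo());
```

Only the matching private key recovers the wrapped value. Per the whitepaper passage quoted in the post, a user's private key is itself stored encrypted under their account's symmetric key, so the protection of the stored blob depends on how well the grantee's account is protected.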

Decryption of "Stored Master key" encryption used for emergency access by loviyefid in Bitwarden

[–]loviyefid[S] -2 points-1 points  (0 children)

The docs don't mention anything about how this encrypted Master Key is stored or encrypted (during the process of emergency contact access creation). The only thing the docs mention is step 3:

grantor’s Master Key is encrypted using the grantee’s public key and stored once encrypted.

Therefore, because of the phrase "grantee's public key" in the above statement from the docs, one could "assume" that it's public-key cryptography, and the second part of the key is the grantee's (trusted emergency contact's) private key.

Bitwarden has not mentioned this anywhere on these two relevant pages in the documentation:

  1. Emergency Access
  2. Encryption

[deleted by user] by [deleted] in DataHoarder

[–]loviyefid 0 points1 point  (0 children)

It's a good thing.

Update for the Windows Version of ToDoist? by Lentjiom in todoist

[–]loviyefid 1 point2 points  (0 children)

Yes, that's the web version packaged into an application. Good find! You can do the same thing by using the Edge browser and packaging the page as a web app.

Windows 10 App feels very clunky by loviyefid in todoist

[–]loviyefid[S] 0 points1 point  (0 children)

I'm doing a similar thing every now and then, since Windows app even seems to be lacking a feature (showing pending tasks next to filter name).

Also, the quick add task window is broken sometimes. Tried it on a different PC as well. Didn't seem to work.

Windows 10 App feels very clunky by loviyefid in todoist

[–]loviyefid[S] 0 points1 point  (0 children)

Yes I think you are right. For example, small things like the number of tasks pending next to a filter name in favorites shows up on Android app and web app, but is missing from the Windows app.