The 2023 Bitwarden PBKDF2 Changes & Why Your Master Password Entropy Still Matters The Most 

I do not think that the yubikey is used to derive that encryption key

@@ejbevenour And if the Yubikey was used to derive the vault encryption key, I'd be too terrified to lose that Yubikey or just that it'd break in time

@@sacundim that's why you get a backup yubikey.

Yubikey isn't used for encryption (unfortunately) only for 2FA to log into bitwarden

Yubikey helps you against social engineering attacks (putting your password in a wrong site), but if bitwarden's servers were breached, it's the master password that's used to encrypt it, not yubikey.

Glad you enjoyed it

Personally, I have no intention of asking that website to tell me if my password is strong or not. How do you know if that website is keeping your password to later use in an effort to breaking into your account(s)?

Bitwarden now allows Argon2id as an alternative to PBKDF2. I don't login using my smartphone so it works for me. But it may slow down logging in with your phone.

@@vandrosia Yeah I’m not switching to Argon any time soon. It feels like they really rushed it out and I’m going to let the dust (and inevitable bugs) settle out first. Good to see them adding it though - DashLane has been running Argon quite awhile already.

@@curtispavlovec Bitwarden removed the cap on iterations. Now you can set 30,000,000+ rounds if you want to. Not that anyone would since your computer would slow down tremendously. But at least they give you the option.

arguably 2FA doesn't help you in the event that the vault itself is obtained, this is about decrypting the vault - not so much logging into it.

@rayjaymor well 2fa on your bank and other accounts help if vault is stolen

What if you lose access to that cloud service? Wouldn't your master password be gone forever?

​@@h2oish2olikely got an offshore untouched copy. Cloud service for regular use plus on the go onboarding of new devices

wtf?

You use a digitally stored PGP key & digitally stored master password..... that is absolutely the worst practice I've ever heard of.

@@permacultureecuador2925 what if the PGP is being done with a couple Yubikeys?

Yeah, by the time that's cracked, probably all of the services you've stored in your password manager get directly breached themselves anyway and many of them probably won't be around anymore... and that's just assuming it'll be cracked in our lifetime

This is what I recommend to my users for master passwords, difficulty to crack goes up exponentially with number of characters. A 24 character passphrase in lower case has higher entropy than a 16 one with all posible characters mixed. The first is easy to remember and type, the second usually ends up in a note somewhere.

Mine is 36 characters, symbols, upper and lower case and numbers, easy to remember, easy to type.

Isn't that just high complexity in the number of words instead of characters?

That's also NIST's advise (NIST SP 800-63b). Length is more important than crazy character set requirements. Passwords of up to 64 characters must be allowed. No requirements on specific characters being used (upper, low, number, special). Also, checking whether a chosen password has been discovered in password leaks before (HIBP provides a service for that). Leaked passwords end up in bruteforce lists and rainbow tables. And MFA! Even SMS-based 2FA is better than nothing.

The method I came up with was to take a number, break it up, and make an equation out of it. Take 1337for example. The password would be "Thirteen+ThirtySeven=50" Depending on the numbers you choose, it can get pretty long but remain easy to remember with a good mix of the typical required characters. Though I don't know if its the most secure method.

After checking Bitwarden's help it seems that you should do it, but make a backup just in case

Yes, iCloud will eventually get compromised.

Why not just use a completely random password? Harder to remember for sure, but say 16 completely random chars (upper case, lower case, numbers, special keys) should be pretty secure, and not THAT difficult to remember, concidering that going forward, it's the only password you'll need to remember. Took me maybe 3-4 days to learn my master password, typed it enough times to remember.

@@sagichdirdochnicht4653 You can certainly do that, definitely not AS easy to remember & not necessarily stronger. It was just an option that can help to remember more easily & still get a sufficiently strong password, whilst passwords remain a thing.

@@everyhandletaken Of course you are right. And I do completely agree; misspelling words (in a long passphrase) certainly adds complexity, even if shorter, as it makes dictionary attacks a lot harder, maybe even impossible. Tough I would most certainly say, that - given both are the same length - a completely random password would allways beat a passphrase, even when altered. However, all of that only counts for random things. Thinking up a Password or Passphrase wouldn't be a great Idea; this would make it easier for someone to social engineer it. Computers may be bad in random things, but we humans are much worse at it. Much more important then a few more or less digits in the Password tough is 2FA in my Opinion. Say somehow I got Malware on my phone (rather unlikely on my Linux Desktop) and someone could spy out my Master Password, good luck with that. Without my Yubikey(s) that Password is basically completely useless anyway.

@@sagichdirdochnicht4653 100% agree The goal is to do all you can to remain secure & the more complex you can make the situation the better, of course at the sacrifice of some convenience. I would certainly rather see someone that uses “password1234” go for something like “Caetching100fysh@6am” (catching 100 fish at 6am), even if there is only 1 special in there & a dictionary term. Definitely could be better, but a huge improvement ☺️ What I really hate are situations where a service mandates a minimum number of characters, but also a ridiculously small maximum. Also 2FA with SMS only too, no authenticator app or hardware key. Whilst on the topic of YubiKey, I have considered them a number of times- do you have any reasons against them, or are they as good as they seem?

​@@everyhandletaken Since I use my Password Manager to generate Passwords for any service, I really don't care (anymore) about minimum requirements, as I allways surpass them. Haven't encountered a problem with maximums tough; but that may be due to the fact, that I use "only" 12 char Pws for most services. Yubikeys are amazing. I use them for two years now. They do exactly what they are supposed to do. I'm not aware of any downsides, and pretty much only had good experiences. The only "downsides" I can imagine aren't really the fault of the Yubikey. s 1. You NEED at least two of them, and this is not for debate. If you lost your only key, you are f.... You need at least one Backup. And those keys ain't cheap. 2. You can not get any Data off your Yubikey. So you can't get a Backup of 2FA Tokens, GPG Keys or whatever you have thrown onto there. This however is by design and very much intended! Just thought I wanna add this, because I've heard people complain. But again, this is a Feautre, not a Bug! 3. It can be annoying to set up 2FA. Those tokens you would usually use with eg. Google Authenticator or whatever - they work with Yubikeys (which is great). And the credentials are stored on the Key. The "Issue" is, that you'll have to setup all your Keys at once, when you setup an account and place the same credential in any of them. You therefore also not revoke a single Key. Not an "issue" with any of the better authentication Methodes, like FIDO or FIDO2, however, this authentication Methode is still the most used and many services do not offer those better alternatives. (4. I've had some trouble getting the Linux App for Yubico Authenticator running on an Ubuntu LTS Release. You need this App in order to use 2FA with Tokens (the equivalent of eg Google Authenticator. Just that your codes are stored on the Key, which is much much more secure). Wasn't a real Issue tough, as the Snap Version runs fine there. ) Well, I really can't think of any more Downsides and I'm using them for over two years now. I 0% regret buying them and would 100% recommend - and that's saying something. If you wanna hear positive things - well, so far nobody has been able to break those things. So they do exactly what they are supposed to do and do it well. Tough when I rambled about in point 3 about how 2FA codes can suck - this is actually where the Keys add alot of convenience. Usually you'd use your Phone to store those Codes and use eg google Authenticator. Therefore everytime you login somewhere you'd need your phone to login and type in the 6 digit code every time. As I am a lazy Fuck, that would be to annoying. I just use the Yubico Authenticator app, click the right entry, touch the yubikey - code copied to clipboard. And nope, I'm not associated with Yubico in any way, shape or form. I'm just 100% satisfied and this only happens very, very rarely these days.

if you have a MAC, consider adding Foreign Language Special Characters to your password. FLSC are created requiring 2-3 keystrokes to add ONE character to your password.

Yup, that is why I did not even bring that up (but probably should have mentioned it)

@@LAWRENCESYSTEMS Good to know I can sleep easy, knowing it will take centuries to crack my master password. According to Bitwardens Password Strength Test Website.

Look up quantum computers. It's scary powerful that *CAN* crack those password fairly quickly when several of those computers are running at a server farm.

@@Darkk6969 But hackers aren't getting access to Quantum computers in the foreseeable future. I'm talking conventional PC hardware and multiple GPUs being used to attack a very strong master password.

Yes, I've been wondering that too! That 2013 post mentioned in the video was a good comparison for the time, but four 2013 GPUs don't hold much of a candle to a modern crypto farm running dozens of 3090s. @LawrenceSystems: do you have any contacts who could calculate an updated comparison with, say, 100k, 500k, and 1mil PBKDF and 30-200 bits of entropy?

master-password-master should be 24 years.

Bitwarden Password Strength Testing Tool bitwarden.com/password-strength/

@@CH-vo7fu No Bitwarden / Cloud based

Try blank password, may be you just forgot to enter new master password on same page where you change iterations?

@@user-ee9rd6je2w It won't even accept blank / no password. Based on what I am seeing in the forums I am not the only one this has happened to so let this be a lesson to all BACK UP YOUR VAULT before doing anything like this.

@@peterleblanc4727 Bitwarden recommends/warns/encourages everyone to BACKUP the vaults, B4 changing the iterations, just in case.

Haha, yup.

2FA only provides client access protection, i.e. someone trying to get in from the outside. It does absolutely nothing if the server is compromised, no matter which 2FA method used. I would love to see Yubikey become a part of the encryption process itself, but I'm not sure if that's possible, or even a good idea (how would you recover if the key failed?).

2fa on all your *non-vault accounts* most certainly adds protection. In fact it's the best line of defense against bad/cracked passwords, so everyone should be using it.

@@jm-lc3jp I stand by what I said, it's completely useless if the backend is compromised. I'm not saying don't do 2FA - absolutely 2FA the crap out of everything you can, but it means nothing if someone steals the database.

@Derryn Jones and if someone steals the database cracks your vault and gets your password and goes to your bank website puts it in and then....oops you enabled 2fa WITH THE BANK = stops the hacker. I think we are talking about different things. 2fa IN GENERAL helps even with valut breaches by protecting your assets downstream of the crack. 2fa with the vault provider doesn't stop a backend theft anymore than a strong (non-vault) website password prevents an attacker who is already on the backend side of authentication

@@jm-lc3jp yeah but it's not just vaults that can be compromised from the back end. Based on the last 12 months of attacks it seems more likely someone inside the bank will leak the credentials to some backend server and take your money from the inside, regardless of how many authentication methods you have. Bank isn't a good example, but it's still possible.

Hmmm, might want to go 56😀

KeePassXC for the win!!

It's called which does increase the entropy en.wikipedia.org/wiki/Key_stretching

Correct, it doesn't add entropy, the number of possible combinations, it adds to the length of time required per guess

@@LAWRENCESYSTEMS As it says in that article, it merely _mimics_ randomness and longer key length. I know that may seem like hair-splitting, but this can be confusing to people coming to this stuff for the first time. The article also mentions "If this added effort compares to a brute-force key search of all keys with a certain key length, then the input key may be described as _stretched_ by that same length", which is a reasonable metaphor, but that's for people who already understand what's going on

They don't save your secrets, so they can't recompute. They could potentially force you to do so on your next login or something, BUT changing the number of rounds also changes the results, which means your vault has to be re-encrypted with the new values and all of your sessions will be invalidated. While it is best practice to have more rounds, it really doesn't add a whole lot protection. Not worth bothering the customer.

Acronyms are hard

2FA is access control not encryption. It doesn't come into play if someone gets the encrypted vault file or the strength of key used to encrypt said vault. A high number of PKDF2 rounds slows down the speed at which an attacker with the encrypted vault can guess the key. 600k is better then 1. It costs almost nothing to increase. Unless you use a potato as a phone. go to 1 or 2 million. Just do it.

Anytime somebody brags that their password has some absurd amount of entropy like "157.3 bits" I suspect that they don't understand what they're talking about. If they understood entropy well enough to say that with true confidence they would generate a much shorter, easier password; note that the 1Password blog table in the video demonstrates that an 80 bit password-which can be half as long as your (supposed) "157.3 bits"-is very strong already. And all that in turn makes me skeptical that their passwords actually have "157.3 bits" of entropy. If you don't understand that you gain nothing from it... how can I trust that your entropy estimate is accurate in the first place?

The encryption algorithm only provides 128bits of strength. Your password is half a billion times stronger than the encryption. You can make it shorter and not lose any protection. In fact you might gain protection because the more time the password is being entered in, the longer it can be scraped. More in principle than practice.

hang on, 157.3 --- how do you get a fraction of a bit??

@rayjaymor charsets aren't binary so they don't marry up perfectly with the log2 of entropy calculations which is why one lowercase letter adds log2(26) = 4.7 bits of entropy

Depends on the attack dictionary size. Every word adds log2(dict size) bits of entropy. So dictionary with a size of 2^13=8192 gives an additional log2(2^13)= 13 bits of entropy. You can convince yourself of the power of words by just calculating keyspace.

@@jm-lc3jp Since the whole word theme is for convenience, than you wouldn't expect average user to use anything other that common obvious words, otherwise they might end up having problems recalling correct spelling let alone meanings associated with passphrase. And average active vocabulary of English speaking person is even smaller than your example. Partly because English is very good at reusing words compared to other languages, not even persons fault. So these dictionaries are probably already compiled long ago, and are easily updated nowadays with modern tricks like huge readily available leaked real password databases and(or) ML combined with good old techniques like web scrapping and generators.

The evaluation is assuming that the words were chosen at random. Which of course in this case was not.

@Leeroy and that's the great thing about xkcd-style passports generation. I could GIVE you the dictionary, the dictionary could ONLY be the size 10000 simple words (rockyou is 14 million) AND I could tell you "it's 5 dictionary words in a row, have at it" and you STILL have to search a keyspace of 10000^5 10^25. At 80 kH/s for 4090RTX you could assume 10000x increase in GPU power 30 years, and 100GPUs attacking at once and it would still take you 6 months to find my pass. Word-space just grows so much faster than character-space--yes even for the most common 10k words in the dictionary (as long as they are not so small as to reduce to character attacks)

KeePass is great for personal use. But it's substantially less practical if you're managing passwords for an organization; especially for people that aren't super tech literate and manging access for more than one person (ie at work my team all use the same login for some apps) But otherwise I agree. If you are only using passwords for you - KeePass is awesome.

I use KeepassXC with password and keyfile to protect the database. It gets sync'd with in house Nextcloud server. Don't forget to increase the default rounds to something higher.

@@Darkk6969 There is also a plugin for KeePass2 to allow encrypting the database with two cyphers. This allows you to have two passphrases, and it even lets you use two Yubikey challenge-responses, in case you're extra paranoid. This doubles the amount of information you'd have to crack, and means you'd have to break more than one algo. Overkill much? Also, KeePass2 uses Argon2, which is probably better than PBKDF2.

@@TheChadXperience909 Cool to see it can do double ciphers via the plugin. Currently my database is using Argon2d.

You can't limit how many times an hour an attacker gets to guess your password if he has a copy of your encrypted data, as in the case of the lastpass hack

Yes, I mispoke

It's a common term in cryptography and defined by NIST as: "A measure of the amount of uncertainty an attacker faces to determine the value of a secret. Entropy is usually stated in bits. A value having bits of entropy has the same degree of uncertainty as a uniformly distributedn-bit random value."

Key Stretching is the term en.wikipedia.org/wiki/Key_stretching

@@LAWRENCESYSTEMS The linked page manages not to misuse the term "entropy," which is my point. In fact the one place they mention it is this: "This process does not alter the original key-space entropy." I mean, anybody can understand that increasing the number of iterations makes the password cracking proportionately slower. Bringing the word "entropy" into this doesn't make it any clearer.

To see if you are paying attention and to see if you are paying attention.

That will not help if the vault is stolen like the Lastpass incident. The best defense is a strong master password.