
The Most Important Bitwarden Setting You Never Heard Of 

Jason Rebholz - TeachMeCyber
47K views

Your online passwords can be safe against hackers, but it requires specific changes to your Bitwarden settings.
Make these changes and your passwords will become uncrackable.
With these settings, even the LastPass breach wouldn't have mattered.
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
Links
Bitwarden: bitwarden.com/
Table of Contents
00:00 - Intro
00:24 - Why LastPass was bad
00:50 - Password cracking
01:48 - Best Defense #1 (Master Password)
02:59 - How Bitwarden logons work
04:32 - Backup Your Bitwarden Vault
05:16 - Best Defense #2 (KDF Settings)
05:36 - KDF default settings
06:05 - Argon2id overview
07:18 - Default Argon2id settings
08:14 - Better Argon2id settings
08:31 - Most Secure Argon2id settings
08:57 - Applying new KDF settings
09:47 - Increasing KDF settings
10:58 - Testing what works
11:36 - Closing

Published: 20 Jul 2024

Comments: 130
@matthiasm7092 9 months ago
If you use more than 64MB of memory, iOS autofill won’t work anymore. Bitwarden updated this information.
@teachmecyber 9 months ago
Thanks for the info!
@sportbikejesus6297 17 days ago
If you use autofill you can end up sending your password to the mean ole hacking guy
@miran289 10 months ago
God bless your soul. Having had multiple email addresses for years and for different purposes it was a nightmare for me to figure out a way to keep track of all my passwords, so before, I used to have similar pws to use on all of them and that led all my accounts to get hacked earlier this year and it left me paranoid ever since. Now, I don't save any passwords anywhere and don't even trust the browsers with it, so coming across your Bitwarden videos was a true blessing and it gave me a much needed sense of cyber security. THANK YOU SO MUCH!
@teachmecyber 9 months ago
Glad this was helpful for you!
@robertbishop7078 1 year ago
Before Argon2id was available I had the iterations at 2 million. This took about 16 sec to decrypt on my Amazon Fire HD 10 Plus (2021). In May after I knew Bitwarden was updated across all my devices to support Argon2id. Late June I did my own digging on what these settings mean. I did not modify the settings as far as you showed. Default Argon2id was 4 sec to decrypt. After my changes to the iterations, it is about 10 sec to decrypt the vault. Thanks for describing these settings.
@teachmecyber 1 year ago
Nice! You were well ahead of the game before argon2id became available. The order of operations for increasing values would be memory and then iterations. Those are the two most important ones (and the ones that impact the amount of time to decrypt). If you haven't seen this, check it out for more testing. It was super helpful for me: antelle.net/argon2-browser/
@elleeden2024 1 year ago
@@teachmecyber Jason, I have Argon2id with 6,128,8. Thoughts on that, strong enough? And is that stronger and harder to crack vs PBKDF2 600000?
@FrederikWoellert 6 months ago
Very good Video. Never heard of that Argon2id settings. Thanks
@teachmecyber 6 months ago
Thanks, appreciate the feedback!
@ScriptureFirst 4 months ago
Excellent explanation 🙏🏼💎
@teachmecyber 4 months ago
Glad it was helpful!
@elleeden2024 1 year ago
Thank you Jason, I really love your videos, very educational. As a result of your videos, I went to Bitwarden from Keepass. And may I ask your thoughts on Proton Pass? Worth looking into?
@teachmecyber 1 year ago
Glad to hear that! I haven't done a full deep dive yet on Proton Pass. I typically favor companies who focus on the password manager as their primary business. So things like 1password, Bitwarden, and Dashlane.
@coold501 11 months ago
Explain more on Bitwarden... I have been using it for 2 years and I was unaware of this... please make a detailed in-depth exploration video on Bitwarden
@teachmecyber 11 months ago
Thanks for the feedback! If I get some more requests on this, I'll make a more in depth video on how it all works behind the hood.
@TheCynysterMind 15 days ago
While 11 months late on this video.... You can also choose a password manager that does not store your password vault on the internet. Only a couple do this. Some create an encrypted password vault on your local computer so even if a site gets hacked... that site can ONLY get the one password that was passed through the web extension. (if your whole vault is stored in a web extension like lastpass or one-pass you risk losing your whole vault to a nefarious website.)
@lajtilajti8687 1 year ago
I never heard before Argon2id, thanks.
@teachmecyber 1 year ago
You got it!
@unmapped89361 11 months ago
Good advice. But I think with a lot of iterations with PBKDF2 there is also a delay there. Your explanation sounded like the delay would be new with Argon2id...
@teachmecyber 11 months ago
That's correct, with more iterations on PBKDF2 there will also be a delay.
@nethiyashwanth124 1 year ago
Good content 👍
@teachmecyber 1 year ago
Thanks! Hope it was helpful in securing your passwords!
@jono2702 3 months ago
Thank You, Thank You, Thank You!!!
@teachmecyber 3 months ago
Thanks for watching!
@neuideas 9 months ago
My Bitwarden password is 44 characters long, and my PBKDF2 iteration count is 1 million. I set this up before Argon was available. Unlocking my vault on my cheap Onn tablet takes a few seconds or so, so I figure I have hit the sweet spot for now. I'll consider Argon in the future, though.
@teachmecyber 9 months ago
You've got a great set up with that combination. Argon will have some more security control against certain types of attacks, but they're not a huge concern for the majority of people.
@EdwardsNH 10 months ago
You can (and should) change all your passwords stored in lastpass (then switch to something like bitwarden), but sadly, any notes will still be there for the hackers. Eventually, it WILL be cheap to crack all of the stolen collections, and your notes are theirs
@teachmecyber 10 months ago
+1 for changing your passwords in lastpass. Even with the notes, it will be good to go through those notes and make sure there isn't anything sensitive that needs to be changed (e.g. like security questions and things of that nature).
@mike80808 7 months ago
Changing the notes won't matter. The copies of the vaults that were stolen have the notes from when they were stolen last summer (2022).
@dannyl6507 7 months ago
It doesn't matter what the algorithm is. For example, let's say you have a really weak password of 1234, then the hash for 1234 will still be whatever that hash is. So entering 1234 will still unlock your vault regardless of what hashing algorithm is being used on the backend. The point is to use a strong passphrase.
@teachmecyber 7 months ago
A strong master password is the first and most important step. The algorithm just adds a layer of security in the event someone does try to brute force it. It's added protection against a lastpass type scenario.
@1080pixel 7 months ago
Hashing isn't the only thing being applied... salts and multiple iterations will harden even a simple password like 1234 - of course, it wouldn't withstand a brute-force attempt.
@seanmcmurphy4744 4 months ago
@@1080pixel The point is a password like 1234 is going to be on every common password list and is going to be one of the first tried in a brute force attack
@1080pixel 4 months ago
@@seanmcmurphy4744 Do you know what salting does?
@robervaldo4633 1 month ago
the point of the video is making it harder for your vault to be cracked in case bitwarden servers are hacked and the encrypted vaults themselves are stolen, which was what happened to lastpass
@rodneyhigginson323 7 months ago
Great stuff man, thanks for the tip. So yeah, I've been dealing with hacking for a minute. Would love to know if I could be hacked while a page is loading? I use the "copy and paste" method when inputting my username and password, which might not be the safest. So when I go back to the page I'm trying to log in to, could those hackers switch pages on me and have me logging in to a phishing site?
@teachmecyber 7 months ago
The biggest risk with copying / pasting is that you could be putting it into a phishing page. With autofill or passkeys, it will detect the URL and only put the password (or passkey) in if it recognizes the URL.
@rodneyhigginson323 7 months ago
@@teachmecyber thanks man, just what I'd figured.
@Panicthescaredycat 3 months ago
Would the next best option be a Yubikey?
@Damariobros 1 month ago
Question: If a password of mine is in one or more data breaches, but the password breach was only bcrypt hashes and my password is very secure and long, is it safe to use it on a website still?
@RBzee112 1 month ago
What about 2FA with an authenticator app? That's what I have set up.
@Abdulrahman-my3tu 5 months ago
thanks
@teachmecyber 5 months ago
Thanks for watching!
@Damariobros 1 month ago
3:09 I always thought zero-knowledge encryption was just, the password was turned into a key and tested on its merits - if it successfully decrypted the vault, it must be the correct password. If it failed, then it wasn't correct. Interesting! Does that mean Bitwarden does have a database of hashes?
@elleeden2024 1 year ago
Jason, what does it mean exactly to rotate my accounts encryption keys and do you support doing that?
@teachmecyber 1 year ago
The encryption key is used to encrypt the vault. So if you change your master password it doesn't change the encryption key. Typically you only rotate your encryption key if you have reason to suspect it has been compromised. For most users, they won't need to rotate their encryption key.
@elleeden2024 1 year ago
@@teachmecyber Gotcha, thanks :)
@JulesE521 3 months ago
When backing up the Bitwarden vault, where is the safest place to store a .json file after exporting the vault?
@teachmecyber 3 months ago
If you're doing it as a backup, you can store it on an encrypted USB drive.
@chefmike8888 2 months ago
I trade with family members. 3 members have mine in case my sister lost mine, like usual. But I placed it on her computer where she doesn't go. The external drive I get called over to update when she needs to. I'm the family IT guy so they don't know that we all have the important backup files in the classic 3 place rule.
@elleeden2024 1 year ago
Jason, so is my understanding correct...so whenever we create a database, our password is NEVER sent to Bitwarden, but the HASH, and if that is the case, how can Bitwarden verify our password is correct when opening the database if all they have is a copy of a "HASH" and not the Password? Thank you kindly :)
@teachmecyber 1 year ago
The only way to calculate the right hash is to have the right master password! It's a nice way to ensure that someone has the right password without needing the actual password.
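The login and key model that the video's "How Bitwarden logons work" section and the exchange above describe, as an added example; this is not code from the video or from Bitwarden. It follows Bitwarden's published client-side scheme: the master key is PBKDF2-SHA256 over the master password, salted with the lowercased e-mail; the value sent to the server is one more PBKDF2 round keyed with the master key; the server hashes that again and stores only the result; the vault's symmetric key is random and is wrapped under keys stretched from the master key, so changing the master password re-wraps the same vault key. Two parts are stand-ins, labelled as such in the code: an HMAC keystream replaces Bitwarden's AES-256-CBC wrapping so the example runs on the standard library alone, and PBKDF2 stands in for Argon2id, which the standard library does not provide (the cost-per-guess point is the same for both). The server-side iteration count, the e-mail, the password and the candidate list are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple


def master_key(password: str, email: str, iterations: int) -> bytes:
    # Client-side KDF. The lowercased e-mail is the salt, so the same password on
    # two accounts yields two different keys and no shared lookup table helps.
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def master_password_hash(mkey: bytes, password: str) -> bytes:
    # What the client sends at login: one extra PBKDF2 round keyed by the master
    # key. It proves knowledge of the password without revealing it or the key.
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, 32)


def server_record(mp_hash: bytes, server_salt: bytes, iterations: int = 100_000) -> bytes:
    # The server hashes the received value again before storing it (iteration
    # count is an assumption); it never holds the password or the master key.
    return hashlib.pbkdf2_hmac("sha256", mp_hash, server_salt, iterations, 32)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand (RFC 5869) with SHA-256: stretches the 32-byte master key.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def stretched_keys(mkey: bytes) -> Tuple[bytes, bytes]:
    # 32-byte encryption key and 32-byte MAC key used to wrap the vault key.
    return hkdf_expand(mkey, b"enc", 32), hkdf_expand(mkey, b"mac", 32)


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for AES-256-CBC: an HMAC-SHA256 counter keystream (example only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_vault_key(vault_key: bytes, mkey: bytes) -> bytes:
    # Encrypt-then-MAC of the random vault key under the stretched keys. This blob
    # is what an attacker holding a stolen vault must attack: every password guess
    # costs one full master_key() derivation before the MAC can even be checked.
    enc_key, mac_key = stretched_keys(mkey)
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, _keystream(enc_key, iv, len(vault_key))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unwrap_vault_key(blob: bytes, mkey: bytes) -> Optional[bytes]:
    # Returns the vault key, or None when the MAC fails (wrong master password).
    enc_key, mac_key = stretched_keys(mkey)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))


def offline_guess(blob: bytes, email: str, iterations: int,
                  candidates: List[str]) -> Tuple[Optional[str], int, float]:
    # The LastPass scenario: the attacker has the blob and the e-mail (the salt is
    # not secret) and tries candidates. The KDF cost is paid once per guess.
    start = time.perf_counter()
    for n, guess in enumerate(candidates, 1):
        if unwrap_vault_key(blob, master_key(guess, email, iterations)) is not None:
            return guess, n, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start


def demo(iterations: int = 600_000) -> Dict[str, object]:
    # Constructed inputs; 600,000 is Bitwarden's PBKDF2 default mentioned in the thread.
    email, password = "Alice@Example.com", "correct horse battery staple"
    vault_key = secrets.token_bytes(64)            # random, not derived from the password
    mkey = master_key(password, email, iterations)
    blob = wrap_vault_key(vault_key, mkey)
    stored = server_record(master_password_hash(mkey, password), b"constructed-server-salt")
    # A master-password change re-wraps the same vault key; the vault key is unchanged.
    new_mkey = master_key("a different master password", email, iterations)
    new_blob = wrap_vault_key(unwrap_vault_key(blob, mkey), new_mkey)
    found, guesses, seconds = offline_guess(
        blob, email, iterations, ["123456", "password", "letmein", password])
    return {
        "stored_record_len": len(stored),
        "vault_key_survives_password_change": unwrap_vault_key(new_blob, new_mkey) == vault_key,
        "old_password_unwraps_new_blob": unwrap_vault_key(new_blob, mkey) is not None,
        "cracked_as": found,
        "guesses": guesses,
        "seconds_per_guess": seconds / guesses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` at the default count shows the two things the thread keeps circling back to: the server only ever holds a hash of a hash, so it can check a login without the password, and the attacker with a stolen blob pays the full KDF for every guess, which is why raising the iteration count (or the Argon2id memory and iterations) is the one knob that changes the cost of the LastPass-style attack without changing the password itself. Halve `iterations` and `seconds_per_guess` roughly halves; that is the whole trade-off the KDF settings expose.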
@hugoanes1947 9 months ago
If you use more security and if it takes long, I assume that you use the remember session? Or every time you log in to something you go, put your password, 2FA code, and wait for Bitwarden to open?
@teachmecyber 9 months ago
This depends on the site. I prefer to login each time if the site doesn't have any additional security protections. E.g. some mail clients like Google will force a more secure login if the device is not recognized. The main risk is that if you're not using a secure MFA method like passkeys or FIDO2 hardware, you could get phished. This could steal your session token which would give the attacker access to your account. Check out my video on 2FA for more info on that style of attack.
@americanswan 5 months ago
​@teachmecyber Good point about session keys. I have Yubikeys set for all my major accounts.
@WaseemM2 7 months ago
Imagine entering a really long master password/phrase on a mobile device when you install Bitwarden or when it times out. It is a pain, especially with various virtual keyboard behaviors.
@teachmecyber 7 months ago
You can configure it to use your fingerprint and not prompt for the password
@the-Gammaron 11 months ago
Hello, can you please measure the time difference between argon2id, and the default one? Also, do you think my low-end Android could handle it?
@teachmecyber 11 months ago
Here's a website you can use to test the different timings. You can also run this from your Android to test the difference and tune it to something that works best for you. antelle.net/argon2-browser/
@the-Gammaron 11 months ago
@@teachmecyber is argon2id and argon2di the same?
@teachmecyber 11 months ago
Yep, same thing!
@user-ri4ev3gd1s 4 months ago
What do you think about using YubiKey 5C with Bitwarden?
@teachmecyber 4 months ago
It's the most secure option!
@user-ri4ev3gd1s 4 months ago
That’s great! I JUST set mine up with one, along with your recommendation from this video, Argon2id. Thanks for all the info!!!!
@williamschlass6371 5 months ago
Why would further encrypting your master password matter? Wouldn't it be easier for the hacker to simply try to brute force your password either way? So why does it make any real difference whether you use SHA-256 or Argon2id?
@teachmecyber 5 months ago
Argon2id slows down the brute-forcing process. It basically just takes longer for it to calculate whether the password is right or not, which slows down the attacker's ability to guess passwords. It's helpful in the LastPass scenario where attackers stole the vault.
@williamschlass6371 5 months ago
@@teachmecyber I see, thank you for the clarification!
@ScottElblein 3 months ago
@@teachmecyber So then really the entire purpose of this is specifically to add in that login delay time?
@robervaldo4633 1 month ago
@@ScottElblein yes, assuming you have a good password, adding delay makes it take too long to try enough times to find the password
@Hawk_112 4 months ago
I tried the 2nd method of Argon2id (the 500MB one) and on my PC it's slower than mobile, but still fine (about 7 sec on mobile and about 12 on PC)
@teachmecyber 4 months ago
Wow, I would not have expected that!
@Hawk_112 4 months ago
@@teachmecyber yeah kinda weird lol, btw I have a 6th gen i7 and 16GB RAM on the PC and my mobile has a Qualcomm 732G with 6GB RAM, so that desktop CPU should be a lot better in terms of power 😅
@dex4sure361 2 months ago
@@Hawk_112 not really. The Qualcomm chip is a lot newer and for this kind of stuff it probably is better than the dated i7.
@gablen23 11 months ago
After setting it up as suggested the first time(Argon2id, 500 MB, KDF 6 and 8), I was able to log back into the web safe without any problems, but the mobile keeps giving me errors: "username or password is incorrect. Try again." Does this mean that this setup is too strong for my mobile? I tried lower values, but that didn't work either, so I had to reset it to PBKDF2 SHA-256 and 600.000 KDF to be able to log in on my mobile.
@teachmecyber 11 months ago
No, it would just go super slow on mobile but wouldn't throw this type of error. Double check your master password you're typing in
@gablen23 11 months ago
@@teachmecyber Well, I figured out what the problem was, wrote to support, they replied very quickly, and it turned out that the region setting was wrong because I had chosen EU instead of US. As they wrote, it doesn't depend on the physical location, but where it was initially established. Very useful video by the way, thank you!
@teachmecyber 11 months ago
Ahh okay, that makes sense. It's likely because they're not storing the vaults in both regions, so you need to make sure you're connecting to the right one. Thanks for letting me know!
@terranova45074 5 months ago
Can the same be done with my RoboForm??
@teachmecyber 4 months ago
You're likely okay!
@Meowski_2 3 months ago
I love the tinfoil hat cats with the sound & all the little video game things you put in your videos. This is boring stuff but you're the 7th grade teacher I wish I had!
@Gorky25 5 months ago
How much is ok to put for KDF?
@teachmecyber 5 months ago
The current minimum recommended amount is 600,000. I would go higher if your devices support it.
@OtisNJay 1 month ago
I'd like to ask... I already have security keys set up on my account. Does it then matter if someone cracked my password? Am I still okay?
@robervaldo4633 1 month ago
I haven't looked deep into this, but as I understand it, the security keys are used only as a barrier to log in and get to the password vault, so they don't add security to the vault encryption itself. If someone finds your password they wouldn't be able to access your Bitwarden account without your security keys, but if a hacker gets into Bitwarden servers and obtains your password vault (what happened to LastPass and the point of this video), the security keys don't matter.
@OtisNJay 1 month ago
@@robervaldo4633 I did not realize that... thank you for taking the time to explain it.
@maxmustermann9858 11 months ago
Please don't say uncrackable, nothing is uncrackable. Even when it takes mathematically 200 million years to guess a password there are always ways to shorten this time. Especially when you take algorithms like AES or hashing algorithms like SHA-256 or Argon2 there is always the possibility that there is a security flaw in the algorithm itself. A truly uncrackable algorithm would be the one-time pad, but everything which is mathematically calculated can be cracked, especially with quantum technology.
@teachmecyber 11 months ago
Yes, everything is going to be crackable with limitless time or the advancement of quantum computing. But for 99.9% of people, this setup will keep their vaults in a position that won't be crackable given their risk profile.
@maxmustermann9858 11 months ago
@@teachmecyber Yes that's true, in cyber security you only need to run faster than your friends to not get chased. But I think it's wrong to say that anything is uncrackable. I understand what you mean, but for someone who doesn't know a lot or anything about that, it implies that it's really uncrackable. When you explain it like you did now it would bring people closer to the reality without underestimating the risk. But anything else is great. It would be great to see videos for advanced or more tech-savvy people in the future. Keep going!
@teachmecyber 11 months ago
Any advanced topics in particular you'd like to see?
@maxmustermann9858 11 months ago
@@teachmecyber Maybe something like how to handle a digital will in a secure way (government proof), which I would still consider basic, but some IoT stuff with things like mDNS and firewalls. Or things like ransomware protection. All your videos are fine but what I've been missing is that you go really deep and explain the details. It's not a must and can be boring or not necessary for the average viewer; it would be just some input you can maybe use for orientation.
@teachmecyber 11 months ago
Thanks for the feedback!
@marijnable 11 months ago
I don't think the bottleneck is the encryption at this point. If your password is indeed 16+ chars with some punctuation, people are not going to try and crack it. If they really wanted access they would do so by other means, like phishing or social engineering. Uncrackable, sure, but impossible to get unauthorized access, no.
@teachmecyber 11 months ago
100% agree with you. That's why the use of a strong master password and MFA will help secure your account. These settings are useful in dealing with a LastPass scenario where the vault is stolen.
@rajmerchant3178 10 months ago
😊
@rajmerchant3178 10 months ago
😊😊😊
@notreallyme425 9 months ago
How does someone trying to crack your password know how many characters long your password is and if you’re using punctuation?
@teachmecyber 9 months ago
They won't know how long or complicated your password is. The weaker the password though, the easier it will be for them to have a match. They typically will start with less complex passwords because it's quicker to check.
@loki76 11 months ago
2:05 that chart doesn't show special characters/symbols. If it had that in the chart the "strong" section wouldn't be measured in "centuries" but millions/Billions of years. At least with conventional computing power.
@teachmecyber 11 months ago
I think you'll appreciate this: specopssoft.com/blog/best-password-practices-to-defend-against-modern-cracking-attacks/ Not the most direct comparison as it focuses on cracking MD5 hashes for passwords, but it shows the addition of special characters and how that can support the strength of your passwords.
@Eric-jb1ym 22 days ago
With 2FA tho is this even necessary?
@beejereeno2 2 months ago
PASHWORD HASHING
@merlinsreturn 10 months ago
What does "make sure it's not sitting in your system" mean in the context of the master password? It's annoying and frustrating when you assume your audience knows what specifically you are referring to, like the clipboard or some other place. I don't want the back-and-forth questioning to understand your words. I should get it from the video.
@teachmecyber 10 months ago
That was in reference to the password export when you are migrating to bitwarden. You don't want to have the password export sitting on your computer because someone can get your passwords in cleartext in that file.
@sublim3princ371 1 month ago
@@teachmecyber so where do you store that file?!
@robervaldo4633 1 month ago
@@sublim3princ371 as shown in the video, that backup was just to make sure you could recover your passwords if changing the encryption parameters gave you some problem and "broke" it, after everything went well, it's better to just remove the backup file (because it has all your passwords unencrypted) or, if you want to keep such a backup, store it in an encrypted backup device (or also bitwarden allows you to get an encrypted json file, instead of an unencrypted one)
@ActuallyAwesomeName 11 months ago
6:12 LOL Paschword Hasching Competischion
@teachmecyber 11 months ago
They have competitions for everything!
@JessindoPrakarsa 7 months ago
Uhh me migrate from lastpass to bitwarden with csv file ugg sexure, +62 (Indonesians) wouldn't understand this 🤣🤣
@teachmecyber 7 months ago
Did you run into issues?
@dex4sure361 2 months ago
Just use defaults. No point for almost anyone to go beyond that.
@mvevitsis 19 days ago
This advice is straight up wrong. You want to set parallelism to 1. Higher than 1 will make it faster to crack your vault, and will offer you no speed benefits for unlocking your vault if you are using bitwarden on desktop (which currently doesn't support multiple threads for argon).
@MikeHunt-rw4gf 9 months ago
Algorithm.
@teachmecyber 9 months ago
👍