Comment

Comment on 1Password discloses security incident linked to Okta breach

In theory yes because Bitwarden only uses your master password to unlock your password collection. If someone were to brute force the password and figure it out, or if bitwarden servers were hacked and the password acquired, they could access all your passwords.

With 1Password your vault (database with all your passwords) is encrypted on the server. To open it you must provide 2 things:

The master password
The decryption key

1Password do not have any record of the decryption key. They give it to you as a pdf when you create your account, and only you have it.

So even if someone cracked your master password, they still cannot decrypt the vault to get your info. They would have to come to your house and try find that pdf with decryption key. Which they don’t do.

So you are at significantly safer on 1Password

source

Sort:hotnew top

GigglyBobble@kbin.social ⁨8⁩ ⁨months⁩ ago
I hope they don't have your master password either. The decryption key sounds like just a longer password or salt with extra steps. What if the generation algo is cracked?

source
- qqq@lemmy.world ⁨8⁩ ⁨months⁩ ago
  They don’t have your password in any form. The random key is generated with a CSPRNG, we don’t know how to crack that. They aren’t hiding behind secrets it’s all documented right here 1passwordstatic.com/…/1password-white-paper.pdf
  
  1Password is quite good.
  
  source
  - dangblingus@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Not good enough clearly.
    
    source
    KairuByte@lemmy.dbzer0.com ⁨8⁩ ⁨months⁩ ago
    You clearly don’t understand what happened, nor what it would take to get into a users password store.
    
    source
    PoliticalAgitator@lemm.ee ⁨8⁩ ⁨months⁩ ago
    Not as clearly as you seem to think. You’ll struggle to find qualified people with criticism of their response.
    
    source
wols@lemm.ee ⁨8⁩ ⁨months⁩ ago
The main difference is that 1Password requires two pieces of information for decrypting your passwords while Bitwarden requires only one.

Requiring an additional secret in the form of a decryption key has both upsides and downsides:

if someone somehow gets access to your master password, they won’t be able to decrypt your passwords unless they also got access to your secret key (or one of your trusted devices)

a weak master password doesn’t automatically make you vulnerable

if you lose access to your secret key, your passwords are not recoverable

additional effort to properly secure your key

So whether you want both or only password protection is a trade-off between the additional protection the key offers and the increased complexity of adequately securing it. Your proposed scenarios of the master password being brute forced or the servers being hacked and your master password acquired when using Bitwarden are misleading.

Brute forcing the master password is not feasible, unless it is weak (too short, common, or part of a breach). By default, Bitwarden protects against brute force attacks on the password itself using PBKDF2 with 600k iterations. Brute forcing AES-256 (to get into the vault without finding the master password) is not possible according to current knowledge.

Your master password cannot be “acquired” if the Bitwarden servers are hacked.
They store the (encrypted) symmetric key used to decrypt your vault as well as your vault (where all your passwords are stored), AES256-encrypted using said symmetric key.
This symmetric key is itself AES256-encrypted using your master password (this is a simplification) before being sent to their servers.
Neither your master password nor the symmetric key used to decrypt your password vault is recoverable from Bitwarden servers by anyone who doesn’t know your master password and by extension neither are the passwords stored in your encrypted vault.

See bitwarden.com/…/bitwarden-security-white-paper/#o… for details.
source