Comments (4)
I think you are misunderstanding how the application operates.
No matter if you are using the browser extension (via chrome://
) or the web vault (via a remote site, https://
), whenever you authenticate your master password is properly hashed and sent to the server to validate your credentials. This is a requirement to properly authenticate a user. This process is explained more on the help site here: https://help.bitwarden.com/security/password-salt-hash/
Your real master password (or encryption key) never leaves your local machine.
LastPass is intercepting the login attempt because it is also just detecting a local submission of the form.
from help.
Thanks Kyle,
I suspected that this is the case, but please allow me to try to clarify what's worrying me: I feel it would be nicer if the request to enter the master-password is always using a local resource & entry-method, just as you already do when first logging in to the extension. The way the login dialog appears in the browser currently looks as if the (master) password is entered on the remote site, so even though you are doing the perfect thing under the hood, users have to take your word for it (or inspect and understand the code, or sniff the network which is not a viable option for most non-technical users). The appearance here is no less important than the underlying implementation.
And regarding the doc at:
https://help.bitwarden.com/security/password-salt-hash/. A bit more detail on the exact formula used between what's entered by the user, and what's eventually sent over https, would additionally help to increase/establish trust. Instead of just saying "hashed with your email-address" it should say what sequence of which functions are used before sending the data over https: (Something like: which_crypto_hash(which_data_items..., howmany_rounds) server-side vs client-side, etc. just to try and illustrate what I mean)
Going over a prior PW manager project design can be very valuable. Here's a very relevant doc written by security experts I found. The exact details of the crypto and hashing are very important to get right because you don't want to have to change them later.
https://github.com/mitro-co/mitro/blob/master/PasswordManagerDesign.pdf
BTW Mitro designers are using Google's open-source keyczar library to do key hashing. Also see: https://www.mitro.co/security-faq.html
Hope you'll find these pointers valuable.
Thanks again for bitwarden!
from help.
Thanks for the response. Unfortunately I do not see a way for me to access any of the local resources (from the extension for example) in order to avoid having you enter your credentials on the web vault. If someone knows how to do this that would be great.
I certainly agree that the project is lacking great documentation at the moment. This is something I am hoping to correct as we move along and things mature.
from help.
This could possibly be addressed by allowing direct input of the hash from the login UI. It would need to be hidden by default to avoid confusing regular users but could be displayed after clicking an "advanced options" button. A separate (and immutable) local app could then be used to create the hash. It would provide a sub-optimal UX but would keep the security conscious amongst us happy.
from help.
Related Issues (20)
- Suggestion to Correct Typo
- Okta OIDC & Bitwarden - use Okta org auth server instead of custom auth server
- Suggested changes to https://bitwarden.com/help/article/condition-bitwarden-import/
- Make the help section available in .pdf therefore available to read offline HOT 1
- For mobile consider moving the search button to the bottom where it's easier to press or have it be a popup bubble at the bottom. HOT 4
- Add note about re-adding NFC keys to WebAuthn article HOT 2
- Disable the web extension asking to save when not logged HOT 2
- Italian language incorrect translation HOT 1
- Collections help page missing how to move login items to a collection HOT 3
- No need to confirm accepted invitations anymore HOT 1
- Edit for the "Two-step Login via Duo" documentation page HOT 1
- 1password version 8 is missing HOT 2
- Discurage Yubikey OTP HOT 3
- Shared ids lacking in exports HOT 1
- Safari 15 extension HOT 1
- Getting Started with Mobile HOT 1
- Finding App's URI Easily HOT 1
- Add Bank Accounts Field Please HOT 2
- Clarity around username2 and username3 modifications
- confusing content
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from help.