is master password sent to bitwarden on import? about help HOT 4 CLOSED

I think you are misunderstanding how the application operates.

No matter if you are using the browser extension (via chrome://) or the web vault (via a remote site, https://), whenever you authenticate your master password is properly hashed and sent to the server to validate your credentials. This is a requirement to properly authenticate a user. This process is explained more on the help site here: https://help.bitwarden.com/security/password-salt-hash/

Your real master password (or encryption key) never leaves your local machine.

LastPass is intercepting the login attempt because it is also just detecting a local submission of the form.

from help.

Thanks Kyle,

I suspected that this is the case, but please allow me to try to clarify what's worrying me: I feel it would be nicer if the request to enter the master-password is always using a local resource & entry-method, just as you already do when first logging in to the extension. The way the login dialog appears in the browser currently looks as if the (master) password is entered on the remote site, so even though you are doing the perfect thing under the hood, users have to take your word for it (or inspect and understand the code, or sniff the network which is not a viable option for most non-technical users). The appearance here is no less important than the underlying implementation.

And regarding the doc at:
https://help.bitwarden.com/security/password-salt-hash/. A bit more detail on the exact formula used between what's entered by the user, and what's eventually sent over https, would additionally help to increase/establish trust. Instead of just saying "hashed with your email-address" it should say what sequence of which functions are used before sending the data over https: (Something like: which_crypto_hash(which_data_items..., howmany_rounds) server-side vs client-side, etc. just to try and illustrate what I mean)

Going over a prior PW manager project design can be very valuable. Here's a very relevant doc written by security experts I found. The exact details of the crypto and hashing are very important to get right because you don't want to have to change them later.

https://github.com/mitro-co/mitro/blob/master/PasswordManagerDesign.pdf

BTW Mitro designers are using Google's open-source keyczar library to do key hashing. Also see: https://www.mitro.co/security-faq.html

Hope you'll find these pointers valuable.
Thanks again for bitwarden!

from help.

Thanks for the response. Unfortunately I do not see a way for me to access any of the local resources (from the extension for example) in order to avoid having you enter your credentials on the web vault. If someone knows how to do this that would be great.

I certainly agree that the project is lacking great documentation at the moment. This is something I am hoping to correct as we move along and things mature.

from help.

This could possibly be addressed by allowing direct input of the hash from the login UI. It would need to be hidden by default to avoid confusing regular users but could be displayed after clicking an "advanced options" button. A separate (and immutable) local app could then be used to create the hash. It would provide a sub-optimal UX but would keep the security conscious amongst us happy.

from help.