Security is constantly evolving. Today, a new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at ETH Zurich, proactively tested Bitwarden core cryptography operations against the hypothetical event of a maliciously compromised server. All issues identified in the report have been addressed by the Bitwarden team and have been included in the attached cryptography report for full transparency.
Bitwarden was selected for analysis by ETH Zurich primarily due to its open source architecture, where code is available to the public on GitHub for inspection, auditing, and contribution. With this model, the world's leading academic researchers and professional minds, like the ETH Zurich Applied Cryptography Group, can stress-test Bitwarden infrastructure and code with penetration testing and security audits.
"No matter who you ask, the most important factor is length. Length is more important than complexity and randomness," Comparitech consumer privacy advocate Paul Bischoff told us in an email.
Of course, adding a random character into a long passphrase doesn't hurt either, Bischoff noted...
Using gibberish passwords and relying on a password manager is still better than qwerty123, of course, and Bischoff says that goes for browser-based password management, too. You're still taking matters into your own hands, of course, as Chrome updates have been known to break Google Password Manager, and password manager apps aren't 100 percent secure either.
Whatever you do, don't let yourself be caught with a password on Comparitech's list, and if it's your responsibility to set password complexity rules, make sure you're setting good ones.
Welcome to the family! This course shows you how to use your Bitwarden account, access items shared by your Family Admin, and keep your personal passwords organized and secure.
"So one of the things that we're seeing is the whole movement away from passwords to passkeys – a certificate-based authentication wrapped in a usability shrink wrap," Forrester VP and analyst Andras Cser told The Register.
Passkeys are typically what security folks mean when they say "phishing-resistant MFA." They replace passwords, and instead use cryptographic key pairs with the public key stored on the server and the private key stored on the user's device, unlocked by the user's face, fingerprint, or PIN.
One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.
KNP - a Northamptonshire transport company - is just one of tens of thousands of UK businesses that have been hit by such attacks.
In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems.
KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.
"Would you want to know if it was you?" he asks.
- Airgapped raspberry pi computer with touch screen and camera
- Featuring LUKS full disk encryption
- For secure offline blockchain transactions and for secure encrypted messaging
- Move files across the airgap to other devices using QR codes
Feb. 1 is Change Your Password Day, and you may think that good cyber hygiene means creating new, robust passwords every few months. Not so fast.
There was a time that whenever I wrote something related to security passwords, I'd use these words: "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.
I haven't done that in years, though, because one of our resident security experts, Neil J. Rubenking, pointed out that the "should do frequently" part is now outdated advice.
When the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, they used a lot of science-talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords if they have forced "composition rules," such as including a symbol, an uppercase letter, a numeral, etc.
"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.
The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
Vaultwarden is an unofficial Bitwarden server implementation written in Rust. It is compatible with the official Bitwarden clients, and is ideal for self-hosted deployments where running the official resource-heavy service is undesirable.
Vaultwarden is targeted towards individuals, families, and smaller organizations. Development of features that are mainly useful to larger organizations (e.g., single sign-on, directory syncing, etc.) is not a priority, though high-quality PRs that implement such features would be welcome.
There have been several audits of Vaultwarden, some of which are publicly available; read more on our Vaultwarden Audits wiki page.
Supported features
End-to-end encryption for things that matter.
Keybase is secure messaging and file-sharing.
Backing up data
By default, vaultwarden stores all of its data under a directory called data (in the same directory as the vaultwarden executable). This location can be changed by setting the DATA_FOLDER environment variable. If you run vaultwarden with SQLite (this is the most common setup), then the SQL database is just a file in the data folder. If you run with MySQL or PostgreSQL, you will have to dump that data separately --
Ente Auth
Open source 2FA authenticator, with end-to-end encrypted backups
Secure Backups
Auth provides end-to-end encrypted cloud backups so you don't have to worry about losing your tokens. Our cryptography has been externally audited.
Cross platform sync
Auth has an app for every platform. Mobile, desktop and web. Your codes sync across all your devices, end-to-end encrypted.
Aegis Authenticator is a free, secure and open source app for Android to manage your 2-step verification tokens for your online services.
Secure, simple and actively developed.
Note: You can easily create a random password with the command:
tr -dc 'A-Za-z0-9' < /dev/urandom | fold -w 32 | head -n 1
On Tuesday, the US Federal Bureau of Investigation advised Americans to share a secret word or phrase with their family members to protect against AI-powered voice-cloning scams, as criminals increasingly use voice synthesis to impersonate loved ones in crisis.
"Create a secret word or phrase with your family to verify their identity," wrote the FBI in an official public service announcement (I-120324-PSA).
For example, you could tell your parents, children, or spouse to ask for a word or phrase to verify your identity if something seems suspicious, such as "The sparrow flies at midnight," "Greg is the king of burritos," or simply "flibbertigibbet." (As fun as these sound, your password should be secret and not the same as these.)
The bureau also recommends that people listen carefully to the tone and word choices in unexpected calls claiming to be from family members. The FBI reports that criminals use AI-generated audio to create convincing voice clips of relatives pleading for emergency financial help or ransom payments.
Of course, passwords have been used since ancient times to verify someone's identity, and it seems likely some science fiction story has dealt with the issue of passwords and robot clones in the past. It's interesting that, in this new age of high-tech AI identity fraud, this ancient invention—a special word or phrase known to few—can still prove so useful.
Open source tool chooses to become more open than ever
The move comes just weeks after we reported that it wasn't strictly FOSS any more. At the time, the company claimed that this was just a mistake in how it packaged up its software, saying on Twitter:
It seems like a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users.
Steven P
October 30, 2024
I worked as a general IT guy for a behavioral health/addiction clinic. I started as a consultant but finally moved to part-time on-call worker so I could be protected by their liability insurance rather than having to cover myself. Plus I was worried if there was a breach I would be inside the corporate wall rather than outside.
I had big problems with vendors. The first EMR company we had, I broke down and yelled at them for the first time in my career. I saw a note asking the receptionist to gather up everyone’s password so the vendor could update their client software. When I told them that was a violation of basic network security, never mind HIPAA regulations, they said “well, it’s just easier that way”. I told my boss and I finally decided to quit when I realized the clinic needed that software more than they needed me. I wasn’t around enough to keep tabs on them and I didn’t want to deal with any fallout from their shoddy security practices. Other vendors were either asking to install software on our network or open ports in the firewall so they could remotely access their devices.
That was a small practice without even a full time IT person, these big companies that can afford good cybersecurity teams and equipment have no excuse.
NIST Recommends Some Common-Sense Password Rules
NIST’s second draft of its “SP 800-63-4”—its digital identity guidelines—finally contains some really good rules about passwords:
The following requirements apply to passwords:
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
- Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
- Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
Hooray.
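As an added illustration (not code from NIST or from the post quoted above), the checker below turns the length and character-set rules into a single policy function: length is counted in code points, no composition rule is applied, and an over-long password is rejected rather than truncated. The 64-code-point default maximum and the decision to reject only control characters among non-ASCII input are assumptions of this example.

```python
"""Policy check for the SP 800-63-4 draft password rules quoted above.

Assumptions (not from the draft): the verifier's configured maximum is 64 code
points, and control characters are the only Unicode code points rejected.
"""
import unicodedata

MIN_LEN_SHALL = 8     # SHALL: hard minimum length
MIN_LEN_SHOULD = 15   # SHOULD: recommended minimum length
MAX_LEN_FLOOR = 64    # SHOULD permit at least this many characters


def is_acceptable_char(ch: str) -> bool:
    """Printing ASCII (0x21-0x7E), the space, or any non-control Unicode code point."""
    if ch == " ":
        return True
    if ord(ch) < 0x80:
        return 0x21 <= ord(ch) <= 0x7E
    return unicodedata.category(ch) != "Cc"


def check_password(pw: str, max_len: int = MAX_LEN_FLOOR) -> dict:
    """Return {'ok', 'length', 'problems', 'warnings'} for a candidate password.

    Length is counted in Unicode code points (len() on a str), never in bytes,
    and no composition rule (upper/lower/digit/symbol mix) is applied.
    An over-long password is rejected outright rather than silently truncated.
    """
    if max_len < MAX_LEN_FLOOR:
        raise ValueError(f"verifier SHOULD permit at least {MAX_LEN_FLOOR} characters")
    length = len(pw)
    problems, warnings = [], []
    if length < MIN_LEN_SHALL:
        problems.append(f"{length} code points; SHALL be at least {MIN_LEN_SHALL}")
    elif length < MIN_LEN_SHOULD:
        warnings.append(f"{length} code points; SHOULD be at least {MIN_LEN_SHOULD}")
    if length > max_len:
        problems.append(f"{length} code points exceeds the {max_len} limit (not truncated)")
    bad = sorted({f"U+{ord(c):04X}" for c in pw if not is_acceptable_char(c)})
    if bad:
        problems.append("disallowed control characters: " + ", ".join(bad))
    return {"ok": not problems, "length": length, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample inputs: a lowercase passphrase, a Unicode password whose
    # UTF-8 encoding is longer than its code-point count, a short but "complex"
    # password, a too-short one, and one over the maximum.
    for candidate in ["correct horse battery staple", "Grüße 2024 sind toll!",
                      "Pa$$w0rd", "short", "a" * 65]:
        print(repr(candidate), check_password(candidate))
```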
Password security and a comparison of Password Managers
There are two general approaches to password generation and management:
Password Managers, which store passwords, have the flexibility to apply different complexity rules to each password or to store a pre-existing password, which is often required when a password needs to be shared between a team of people. The downside of the storage approach is that the password store (file/database) needs to be managed carefully: secured, backed up and synchronised to all the devices where you will need the passwords. If the password store is lost or corrupted you will lose all the passwords! Destructive malware such as CryptoLocker can also make a password store unreadable.
Password Generators, which derive each password with a hash function (like the SS64 password generator), are easy to use and will regenerate the same password whenever given the same inputs, but they have limitations: the only way to change a password is to enter a different main password or a different salt value, and all the generated passwords are the same length.
NIST recommends 80 bits of entropy for the most secure passwords, to resist a brute-force attack. There is no definitive answer to the minimum password strength required to avoid all types of attack; it is a moving target, and over time we all need to use longer passwords.
Entropy    Maximum time to crack at 350 billion guesses/sec
59 bits    457.50 hours
65 bits    3.342 years
71 bits    213.92 years
77 bits    13,690 years
80 bits    109,527.95 years
89 bits    56,078,315.93 years
GPU computer clusters can cycle through as many as 350 billion guesses per second (offline guesses against a stolen password database/file).
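The table's figures follow from a short formula: a uniformly random password of L characters from an alphabet of N symbols carries L·log2(N) bits of entropy, and an attacker who must exhaust the keyspace needs at most 2^bits guesses. The added example below (not code from the SS64 page) reproduces the table at the page's 350 billion guesses/s and also relates the 80-bit recommendation and the 32-character alphanumeric urandom one-liner quoted earlier to alphabet size and length.

```python
"""Crack-time estimate behind the entropy table above.

Added example; the 350 billion guesses/s rate and the 365-day year are the
page's figures, not measurements of any particular hardware.
"""
import math

GUESSES_PER_SECOND = 350e9            # GPU cluster, offline attack on a stolen hash file
SECONDS_PER_YEAR = 365 * 24 * 3600    # the page's table uses 365-day years


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random, in bits."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length whose entropy reaches target_bits (e.g. NIST's 80 bits)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def max_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: exhausting the whole 2**bits keyspace."""
    return 2 ** bits / rate


def humanize(seconds: float) -> str:
    """Hours below one year, otherwise years, matching the page's table."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:,.2f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.2f} years"


def crack_table(bits_list) -> dict:
    """Map each entropy figure to the page's 'maximum time to crack' string."""
    return {bits: humanize(max_crack_seconds(bits)) for bits in bits_list}


if __name__ == "__main__":
    for bits, text in crack_table([59, 65, 71, 77, 80, 89]).items():
        print(f"{bits} bits  {text}")
    # The urandom one-liner quoted earlier: 32 chars from A-Za-z0-9 (62 symbols).
    print(f"32-char alphanumeric: {entropy_bits(62, 32):.1f} bits")
    print(f"Shortest alphanumeric password with >= 80 bits: {min_length_for_bits(62, 80)} chars")
    print(f"Shortest lowercase-only password with >= 80 bits: {min_length_for_bits(26, 80)} chars")
```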
Kerckhoffs’s principle: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
A 2FA Mule is a mobile phone configured to forward SMS 2FA codes via email.
This divorces 2FA from the mobile phone you carry with you and makes it possible to perform 2FA without your phone, after having your phone lost or stolen, while on an airplane, or while roaming in a foreign place with an alternate SIM card.
In my case, the 2FA mule sits in my office lab connected to mains power.
It is an unlocked Google Pixel phone with no google account and no apps installed except for "SMS Forwarder".
It is configured to forward all SMS to an email address via encrypted SMTP.
https://play.google.com/store/apps/details?id=com.frzinapps.smsforward&hl=en-US
jhollinger said:
Sounds like this may explain the large number of password reset requests I'm suddenly getting...
My sister's Instagram account was taken over before; interesting strategy they use.
Basically they start chit chatting with you about your posts to look friendly, then they message you saying that someone is trying to hack their account and send you pics of the reset text that instagram sends out and ask if you received anything similar.
In the background they try to reset your account, and then you receive the text from Instagram to recover it; then you obviously tell them yes, I'm receiving the same texts. They ask for a screenshot of it to compare with their own, which has a link to recover the account. Then they simply type in the link, make a new password and have access to the account.
My sister didn't have 2FA on because she used some other app to see who follows/unfollows her and it didn't work with 2FA. She eventually got her account back and learned her lesson... I hope lol