Bitwarden design flaw: Server side iterations

[sschueller]

There was just an article posted on HN regarding this server side iteration being too low in bitwarden: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/

What are the server side iterations set too in vaultwarden? The client default appears to be 100k which I guess should be higher as well since OWASP just changed the recommendation to 600k

HN: discussion: https://news.ycombinator.com/item?id=34497898

[NeoLizzard]

In vaultwarden you can find your current settings (server side) under "/admin" or you can check the config.json for it's current value and change it there (it is actually the same place /admin == config.json). Or you can set it in the .env (https://github.com/dani-garcia/vaultwarden/blob/main/.env.template) However my question would be - how can we tackle the user settings? Is there a way in vaultwarden to manipulate the default user creation skelleton and set the value to let's say 600k (and yes - I know about the compatibility issues with old devices)

[BlackDex]

The client-side iterations are defined in the client. So, that would be the web-vault, or any other client which is able to create an account.
At the moment this is still set to 100000 with the web-vault provided with the Vaultwarden images (Same btw for the Bitwarden Self-Hosted)

[NeoLizzard]

I know, that the client-side iterations are defined in the client. But when we generate them with vaultwarden, we are in control of the predefined value that is set at some point (e.g. in web-wault, where no external client has initial control over) - therefore we should be able to hook into the account creation process and raise the default value - the only question in place is ... where? :)

[NeoLizzard]

EDIT: Removed my dirty hack, since it was not working as expected and caused account logout - don't apply!

[Coronon]

Please correct me if I am wrong, but we should be able to implement changing the client side interactions for both new and already registered users. For new users we should be able to change the default used on signup (at least on the web version, I don’t know if you can sign up through the app?). For already registered users we could run the change as soon as they login, so that the vault is decrypted (at least on the web version, as we are effectively in control of the JS that handles all the inputs anyway).

or have I forgotten about something here?

[BlackDex]

The encryption part is something i want to stay away from on our side actually. Modifying the web-vault on that level is asking for issues in my opinion. I rather have that Bitwarden does this on there side automatically, which they can, and they can push that to the server in which case we can update that info.

[Coronon]

Thats understandable, let’s hope that Bitwarden acknowledges this problem soon and pushes changes. It was on the front page of HN, so the community is definitely aware - question being if Bitwarden the company cares

[BlackDex]

Well, i think they care, since they have changed the defaults currently to 600k, yet unreleased, but it's in there master branch on both, server, mobile and clients repo.

The only thing i do not know, is if they somehow do an auto-update of the default iterations for the user in some way if there current default is the older default. The problem with that is, you need to know if a user has changed it them self or not. It could be that they have a device which doesn't support a higher amount of iterations without a very large slowdown.

But, I don't know. We will have to wait and see. It shouldn't be that hard for them to implement something like this :).

[Coronon]

Thank you for the update, exited to see whats coming :)

[masterwishx]

sorry im confused a little with password iterations, in bitwarden site i found they have 600000 on server side + 100000 on client side .
But i had only 100000 on server side and changed to 350000 becose of default for vaultwarden now. and having some second of entering to vault on mobile now ....
can find this option on mobile bitwarden also ....

[NeoLizzard]

Thank you for clarification - it was just an idea from my side. As I wrote prior - haven't tested it.

[masterwishx]

Searching in the Bitwarden clients have nothing to do with a database backend. Nothing is done on the server side regarding this.

Thanks for explaining...

[masterwishx]

I'm using vaultwarden with SQLite by default but also have dedicated Mariadb, Postgresql.

[masterwishx]

Only the initial loading of the vault data could be affected.

Sorry for my last question here, do you mean if I move to mariadb from sqllite it will increase initial loading of data?
Becouse I see some latency after entering to vault and loading data on my mobile...

[masterwishx]

I changed to Mariadb from sqllite, but didn't saw a faster initial load data in mobile, so changed back to sqllite for now.
I have only one user for now but will have 5-7 famaly users maybe in future, I hope it's good for SQLite?