Email password in Bitwarden? 2FA on Bitwarden?
I use a password that I have memorized (and don’t have recorded) for:
- My password manager
- My computer
- My email
- My phone
I do not use 2FA for any of these.
What the fuck why?
You might be confused. Why aren’t I using 2FA on my most prized jewels: my password manager and email? Why isn’t my email password in the password manager?
Your email is your identity
Your email is your identity online. The way that a website knows you are who you are is because you control your email. If you forget your password and you look at the password reset options it's almost never “call us and I’ll recognize your voice,” or “send us your photo ID/passport and we’ll verify that you’re you.” No. It’s “we are going to email you a link and you click it.” Sometimes with banks or anything you give your social security number to you can override the email thing with that, but 99% of the time your email is your identity.
Why no 2FA?
Imagine if to enter any house, buy anything, or drive a car you needed your photo ID, a special passphrase, and a physical key. If you lost any one of those three you’d be homeless and hungry until you got a new one. Unfortunately you need to enter a building to get a new ID, need an ID to get a new passphrase, and need to buy something to get a new key. So if you lost your key or ID you’d be turbo fucked.
The reality is not as dire online but it’s the same idea. If you need 2FA (key) to get your email (ID), and 2FA to get your passwords, then if you lose 2FA you lose everything.
Okay but is that sooooo bad?
Fuck yeah it is lmaoooo. Can you do any work without your websites or email? How do you recover your email account? It might be linked to an old email. Do you know which one? Do you still know the password? Even if you do there might be a period where the email provider just puts you on hold for 24 hours just in case you’re a hacker (this would give the victim time to be like “what no that’s not me don’t give access”).
I hope you have autopay or no bills due because without an email it’s probably going to take a full business day just to reset your bank and utilities. Is someone in danger? Is something drastic happening that needs your attention? Is the boss trying to contact you? You don’t know. Hope it’s not that important.
Let’s say you put out all the raging infernos in a few days. You still likely have weeks of password resets ahead of you. Did you even keep the health insurance card after putting it on Bitwarden? Time to dig around a closet you haven’t touched in six months and haven’t cleaned in two years.
And this is assuming you’re not traveling, cause hoooo boy, if you don’t get lucky with some customer service reps then the best way for you to get back is getting deported.
The calculation changes here if you’ve allowed someone to recover your Bitwarden account (and saved the 2FA recovery keys to Bitwarden).
Right now I’m not in a position where my 2FA setup is 100% solid. That is to say it’s not unreasonable to imagine me losing something, resetting something – something happening where I lose 2FA.
So I pick really big passwords and I know that, as long as I have a computer and internet I can get to all my stuff.
In the future I might use 2FA
In the future I am likely going to have like three physical 2FA devices: one on me, one at my house, and one at the bank/someone else’s house/etc. At that point I might be comfortable doing 2FA. But I also don’t have someone who can recover my shit. Again, if you have that, the calculation changes.
Why isn’t my email in the password manager
If someone hacks my password manager they can run wild with… damn near everything. But I can reset accounts. So I’ll spend a few days just resetting shit and a few more days reversing transactions and such. It’s bad, but as long as I can dedicate a day or two to resetting shit then I’m not gonna lose my house or anything.
If they hack my password manager and my email, well… The only way I’m getting out of that is by getting the police involved. And it will be a LONG process.
Picking a Good Password/Passphrase
Here’s a nice xkcd comic that explains everything pretty well.
How password strength works
Password strength comes from the idea that a hacker knows the general rules of how someone made the password but they don’t know the password itself. So they know the number of possible passwords; divide that by the number of passwords they can guess per second and you get how long it takes to try them all. So let’s do some examples.
If you know probability then that’s all it is. If not then here it is. If you have two lowercase letters next to each other then there are 26^2 possible combinations. Three lowercase letters, 26^3, etc. If there are two numbers then there are 10^2 possibilities, three numbers is 10^3, etc. If you flip a coin twice there are 2^2 combinations, three times 2^3, etc. In general if you have multiple choices where each choice doesn’t affect the next, to find all the possibilities you multiply the number of choices you have for the first choice by the number of choices for the second choice.
So if your password is an English word (chosen out of a dictionary of 50,000 words) where the first letter may or may not be capitalized then you have 50,000x2=100,000 possible combinations. 50,000 because you can choose any of the words and x2 because the first letter can be lowercase or upper case.
So why was Tr0ub4dor&3 so bad? Because it’s not a random password. You know it’s an English word that has some substitutions. Troubador is probably going to be in a dictionary of 100,000 words (I actually found it in a dictionary of 30,000 but whatev). Some common substitutions are:
- a -> @, 4
- e -> 3
- i -> 1, !
- l -> 1, !
- o -> 0
- s -> $
Let’s say that each word has on average 12 different ways you can write it given the substitutions (that’s like three of the above substitutions). That means there’s 12x100,000 = 1,200,000 possible passwords. Okay but there’s a thing at the end that has a piece of punctuation (32 possibilities) and a number (10 possibilities) and they can come in either order. That’s 640 possibilities for the little bit at the end. So in total, to find Tr0ub4dor&3 I’d have to search 640 * 1,200,000 = 768,000,000 passwords. One desktop computer can check two billion passwords a second.
Now let’s think of four random words. Let’s use a smaller dictionary of more common words. Say 16,000 words. Four random words, all lowercase, space separated, means 16,000 x 16,000 x 16,000 x 16,000 or 16,000^4. That is 65,000 trillion combinations (6.5x10^16). This would take at least 37 days on a desktop computer (which is still not ideal but much better). If you used a dictionary of 81,000 words (I have such a dictionary linked in the Generating a passphrase section below) and four words then it would take a desktop computer 68 years to crack.
Generating a passphrase
An easy way to make a good passphrase is to go to Che and he’ll generate a password for ye using the 12dicts password set which has 81,000 words. I looked it up and on modern hardware it would take a desktop computer 68 years to crack a password that is made of four random words from that list. If the speed of computers doubles every year then your passphrase will last maybe 12 years.
Another way to make a passphrase is to just come up with a good phrase.
- The nephrologist is trynna kill me
- Will Kissinger die one day?
- Chronology is a temporal concept
If you know another language you can mix ’em to great effect. And remember you only need to type this password in sparingly, so don’t skimp.
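To make the arithmetic above concrete, here is an added example (not code from the post) that computes the search space for the Tr0ub4dor&3-style scheme and for N random dictionary words using the post’s figures, and generates a passphrase with a CSPRNG. The guess rate is a parameter so you can plug in whatever hardware you are worried about; the word list is a constructed toy list standing in for a real one like the 12dicts set.

```python
import math
import secrets

# Added example, not code from the post. Dictionary sizes, substitution count,
# tail size and guess rate are the post's figures; TOY_WORDS is a constructed
# stand-in for a real list like 12dicts (~81,000 words).

GUESSES_PER_SECOND = 2_000_000_000   # the post's "two billion a second" desktop


def substituted_word_space(dict_size=50_000, variants_per_word=12,
                           punctuation=32, digits=10):
    """Search space for a Tr0ub4dor&3-style password: one dictionary word,
    optional capital first letter, leet substitutions, then a punctuation
    mark and a digit in either order."""
    words = dict_size * 2                  # any word, first letter upper/lower
    tail = punctuation * digits * 2        # symbol+digit or digit+symbol -> 640
    return words * variants_per_word * tail


def random_words_space(dict_size, n_words):
    """Search space for n_words picked uniformly (with replacement) from a
    dictionary: each pick is independent, so the counts multiply."""
    return dict_size ** n_words


def entropy_bits(space):
    """Size of a search space in bits, so different schemes can be compared."""
    return math.log2(space)


def crack_seconds(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at a given guess rate."""
    return space / rate


# Constructed toy word list; real use needs thousands of words, not a dozen.
TOY_WORDS = ["pebble", "temporal", "chronology", "nephrologist", "kettle",
             "orbit", "lantern", "granite", "saffron", "meadow", "compass",
             "velvet"]


def generate_passphrase(words, n_words=4):
    """Pick n_words with secrets.choice (CSPRNG). Picks are independent and
    with replacement, matching the D**n model, so repeats are allowed."""
    if len(words) < 2 or n_words < 1:
        raise ValueError("need a real word list and at least one word")
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for label, space in [("Tr0ub4dor&3-style", substituted_word_space()),
                         ("4 words / 16,000", random_words_space(16_000, 4)),
                         ("4 words / 81,000", random_words_space(81_000, 4))]:
        print(f"{label:18} {space:>24,}  {entropy_bits(space):5.1f} bits  "
              f"{crack_seconds(space) / 86_400:12,.1f} days")
    print("example passphrase:", generate_passphrase(TOY_WORDS))
```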
Timeouts: Hard and soft locks
Disclaimer: I came up with the terms “hard-lock” and “soft-lock”. If you google them you probably won’t get anything good.
For you to see your password on the screen, the password has to be stored somewhere in your computer unencrypted. When your password manager is unlocked either the passwords are stored unencrypted or they are encrypted but the key is also on your computer. If you can shut off your computer, turn it on again without internet, and get to your passwords, it means that when the computer is off the passwords are accessible to anyone who can read your user’s data.
Keep in mind that it would take me probably around 3 hours to clone the hard drive of most laptops these days. Windows and Linux both don’t encrypt your hard drive by default. So if I put in a little work it wouldn’t be too hard to steal all the passwords from someone if I was left alone with their laptop for a few hours.
These kinds of attacks are called “evil maid” attacks. The idea is that if you were in a hotel an evil maid could go into your room and clone your laptop. Police are probably the biggest user of these attacks since they can just take your shit whenever they want.
Another attack that is kind of like this is when you lend someone your phone and you’ve unlocked your Bitwarden app. It’s really not uncommon that you give someone your phone to look at a picture, take a picture of you and your friends, make a quick call, etc. They can simply open the app and read off your passwords or even share a password with their account.
Hard locking and soft locking your account can defend against these. Also encrypting your hard drive.
Hard/Soft locks
Hard locking is when you (your app/the website) fully delete all the info/key material off your computer. You have to fully re-enter your password to get to your passwords again.
Soft locking is when the stuff is obscured. Sometimes it’s the case that if you have full permissions on the computer you will still be able to get to the content and sometimes there’s another encryption level but it’s just like a four digit pin. Either way, from the user perspective they have to enter a pin, or do a fingerprint unlock or something.
Soft locking is good in the situation where you’re going to lend your phone to someone. You don’t have to worry that they are going to fully copy your hard drive or try 10,000 passwords. They have like 30 seconds with the phone and if they type too much you’ll get suspicious. So a fingerprint or whatever is 100% a-okay as a way of keeping the honest honest.
Hard locking is for preventing evil maid attacks. I recommend that you have settings that cause your apps/addons to hard lock when you turn the computer off. Another thing you can do is to have an encrypted hard drive or encrypted user data section. When the hard drive is encrypted then you need the normal password to get to the data. Hard lock in the app/addons is better, though, because you’re much more likely to have a longer password there and you might even have MFA enabled for your password manager.
Configuring Timeouts
Bitwarden has a concept of a timeout where after a certain amount of time you are hard or soft-locked out. Here are the pages where I explain how to configure that:
TODO pages
A guide to MFA
I already spoke about MFA but now I’m going to speak about it more in depth.
One of the main ideas with multi factor authentication is that you need to have something you know and something you have. The idea is if a hacker gets your passwords or password vault they will only ever have what you know. They can never get what you have and thus can never log in as you. If you accidentally drop the thing you have on a street people still need to know something to make it useful. The reality of the situation is never that clean cut, however.
Recovery paths are a hacker’s way in
The easiest place to hack someone is oftentimes the recovery path. By “recovery path” I mean whatever workflow exists for when you lose your MFA. For example, if you click “I forgot my password” there’s sometimes a recovery option to put in “security questions” like “where did you go to high school.” If you answer those questions honestly then you’re in a situation where someone can bypass your password and MFA. (Of course if someone is just doing an automated attack – which is the 99% case – they aren’t gonna be able to figure out what high school you went to and such.)
In Bitwarden when evaluating the security/usability trade off for an MFA method, the security is most likely the security of the recovery path.
Only the lowest common denominator matters
If you have multiple MFA methods, say a Yubikey and SMS, the shittiest method is the only one that has to be broken. So say you have a twitter account and you put in your phone number at some point then add a Yubikey. A hacker can just try to log in then be like “use other method” or “recover account” or whatever and there will be a way for them to use SMS.
In Bitwarden you may be tempted to use a phone number. This is probably a bad idea because it doesn’t matter what you slap on after that, the security of your account becomes the security of your password + SMS. Similarly, if you have TOTP and a Yubikey only the TOTP matters security wise.
Biometrics suck as authentication
Biometrics are not good to use to secure your password manager. Sometimes apps will let you soft lock them with biometrics. The idea is that all the data is on the device unencrypted but you need to provide a fingerprint to access it. This, on its own, is not very good. However, if you have a robust phone password and you use a fingerprint so that when you lend someone your phone to make a quick call they can’t access your passwords, that’s a decent system.
Roundup
I’m going to walk you through a somewhat complicated setup so you can get an idea of how these all play together.
Let’s say Toph runs a small business where she is the only employee. Toph isn’t a tech person and wants things to be pretty easy so she sets up her Bitwarden as follows:
- Long passphrase (“More Like ‘The Pebble’ Haha”).
- She turned MFA on.
- She has TOTP where she threw out the recovery codes.
- She also has two Yubikeys hooked up to her account.
  - One is hidden and buried “close by.”
  - One she gave to her close personal friend Iroh for safe keeping.
- She uses a random 8 digit pin on her phone and a fingerprint scan for the soft-lock for the app.
- She set her app to hard-lock every night.
“I read the Password Strength section and 8 digits isn’t enough”
It is actually. Modern phones nowadays have TPMs. These are separate chips that are for security. When your phone boots up it runs a little bit of code to get you to the login screen but all your contents remain encrypted. When you put in a password it goes to the TPM and says “is this password correct” and the TPM thinks for a second (literally, it injects artificial pauses of maybe a tenth of a second) and either says “yes, here’s the key to decrypt the data”, “no”, or “too many guesses fuck you”.
The TPM is designed as a strongbox and you can’t (if it’s designed correctly) directly read the data out of it. You can only ask it “did I get the right password”, which means you’re limited by how many guesses it allows you to make. In practice this means that an eight digit pin can be guessed only with a bunch of exploits that make it work not quite as intended, and even then it might take a whole day. TPMs are amazing and everyone loves them.
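Here is an added example (not code from the post and not a real TPM) that models in software the throttled “is this PIN correct?” strongbox described above: the key is released only for the right PIN, every guess pays an artificial pause, and too many failures lock it for good. The class name, the delay and the attempt limit are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

# Added example, not code from the post or any real TPM: a software model of
# the guess-throttled strongbox the post describes. Names, the delay and the
# attempt limit are assumptions chosen for illustration.


class PinStrongbox:
    """Holds a data key and releases it only for the right PIN, with an
    artificial pause per guess and a hard lockout after too many failures."""

    def __init__(self, pin, data_key, delay_seconds=0.1, max_failures=10):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin, self._salt)
        self._data_key = data_key
        self._delay = delay_seconds
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    @staticmethod
    def _hash(pin, salt):
        # Slow KDF so that even a leaked hash is costly to brute force.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)

    def unlock(self, pin):
        """Return the data key on success, None on a wrong PIN or lockout."""
        if self.locked:
            return None
        time.sleep(self._delay)          # the "thinks for a second" pause
        if secrets.compare_digest(self._hash(pin, self._salt), self._pin_hash):
            self.failures = 0
            return self._data_key
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True           # "too many guesses": key is gone
        return None


def brute_force_seconds(pin_digits, delay_seconds=0.1):
    """Time to try every PIN of the given length through the throttled
    interface, ignoring the lockout (which would stop the attack far sooner)."""
    return (10 ** pin_digits) * delay_seconds


if __name__ == "__main__":
    box = PinStrongbox("48213957", b"constructed-data-key", delay_seconds=0.0)
    print("wrong PIN ->", box.unlock("00000000"))
    print("right PIN ->", box.unlock("48213957"))
    print("8-digit PIN at 0.1 s per guess, no lockout:",
          f"{brute_force_seconds(8) / 86_400:.0f} days")
```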
This is maybe a good system. She intends to use TOTP as main way to log into her account. Usually she would have to worry about where to put the TOTP recovery codes but she didn’t want to deal and instead opted for using Yubikeys as her recovery method.
Every morning she will have to unlock the Bitwarden app on her phone with the full password and her TOTP app (she uses Authy) but after that it’s protected behind her phone’s pin and her fingerprint. This allows her to give her phone to Soka when showing him a picture without worrying that he’ll be able to get access to her passwords.
She has no SMS authentication methods, which means if the government ever captures her and takes her phone they can’t just ask FireMobile to give control of her phone number to them so they can get in. Setting the phone to hard-lock every night also means that if the government captures her while she’s sleeping and hacks her phone, they still can’t get to her passwords. However, she does run the risk that if they capture her during the day and can hack her phone before the day ends then they will have all her passwords.
She also runs a not insignificant amount of risk that she simply loses everything, however. Let me paint a picture for you.
Iroh dies (he’s pretty old). Toph doesn’t immediately go out and get a new Yubikey (she’s mourning her friend). Then she drops her phone in a puddle. So she goes to the hiding spot for her buried Yubikey and tries to dig it up. She hasn’t needed it in years, hasn’t checked on it, and thus realizes that she forgot where she put it.
She panics. But then she realizes that the TOTP app she uses actually has a backup and restore process. She didn’t really spend any time configuring it so the way it works is if she logs into a new phone with the Google account she used on her old phone (she uses android) and downloads the TOTP app, it will recover the codes for her after a 24 hour wait. She memorized the password to her Google account and, although MFA was enabled, she was able to recover because Google had her phone number on record and let her get past MFA with that. She’s super excited at first but then realizes that at any point the government could have told the TOTP app company to hand over the TOTP codes. While her data was safe against a thief or Soka, it was never safe against the government or a hacker who targeted the TOTP company. If they had her password, she reminds herself. If they didn’t have her password they would still get nothing.
Bitwarden Backup Passphrase
Bitwarden will give you a backup recovery key/passphrase thing when you make the account. This enables you to recover the account if you forgot your password. This is supposed to be printed out and put in a safe/safe deposit box or something like that.
If you give other people the ability to recover your account then the recovery key isn’t so important and you can probably not print it. If you don’t trust anyone like that then you might consider printing it.
However, if you are one of those people that don’t really have a safe place to stash a piece of paper and/or lose stuff like that a lot, maybe it’s best that you don’t print this out.