Bitwarden's unlock with PIN feature is convenient, but also a security risk
Users of the password manager Bitwarden may use the application on all major platforms and on the web. Depending on how they have set up the password manager, they may have to enter the master password of the account to access the vault or use a PIN to do so.
Using a PIN is a convenient option, as it is usually easier to enter the few characters of a PIN than a master password of 30 or more characters. Convenience may come at the expense of security, and a new analysis of PIN use suggests that Bitwarden vaults protected by a PIN can be brute-forced.
The attack requires local access to the vault. While that is a barrier, it is still important that users are aware of the issue. A stolen laptop or unlocked device may be all that is needed to gain access to the password vault stored locally on the device, provided that a PIN was set up.
Using a PIN to unlock Bitwarden passwords
Bitwarden's vault is unlocked with a master password by default. Users may add additional security features, such as Webauthn or other two-factor authentication methods to improve security further.
Bitwarden supports a convenience feature, called Unlock with PIN, that provides access with a user-selected PIN. The feature is available for Bitwarden's desktop and mobile applications, and for its browser extension.
Bitwarden explains how a PIN is set on the support page. Users are not limited to using digits or a length of four. They may select any combination of characters. The PIN works in the selected Bitwarden application only when set and only locally.
Bitwarden added a prominent security warning on the support page that informs users that "using a PIN can weaken the level of encryption".
Brute-forcing the local vault
Bitwarden's applications lock PIN access after five failed attempts to enter the correct PIN. A security researcher discovered that attackers do not need to use Bitwarden's applications to brute-force the PIN and gain access to the vault.
Instead, attackers may attack the encrypted local data directly with brute-force attacks. A proof-of-concept exploit has been published for Linux. The exploit recovers any four-digit PIN in less than four seconds, according to its developer.
Bitwarden users have two main options to protect their password vaults against brute force attacks:
- Skip setting up a PIN.
- Select a very strong password for the PIN.
Not setting up a PIN requires no action on the part of the user, as the PIN is an optional feature. Users who do want to set up a PIN should pick one that is considerably stronger than a four-digit PIN. Using a mix of character types and a considerable length improves security, but reduces convenience at the same time.
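The following added example (not Bitwarden's code) puts numbers on the two points above: the in-app five-attempt limit versus an unconstrained offline attack on the local data, and how much a longer, mixed-character PIN raises the offline cost. The only measured input is the article's figure that every four-digit PIN falls in under four seconds; the charset sizes and PIN policies compared are assumptions.

```python
"""In-app vs. offline PIN guessing for a Bitwarden-style local vault.

Added example, not Bitwarden's code. The only measured input is the
article's figure (every 4-digit PIN recovered in under four seconds);
the charset sizes and PIN policies below are assumptions.
"""
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DIGITS, ALNUM, PRINTABLE = 10, 62, 94   # assumed charset sizes

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate PINs of a fixed length over a charset."""
    return charset_size ** length

def guess_rate(charset_size: int, length: int, seconds: float) -> float:
    """Lower bound on the offline guess rate from 'every PIN of this shape
    falls within `seconds`': 10**4 PINs in 4 s means at least 2500 guesses/s."""
    return keyspace(charset_size, length) / seconds

def offline_exhaust_seconds(charset_size: int, length: int, rate: float) -> float:
    """Time to try every PIN against the local data, where no lockout applies."""
    return keyspace(charset_size, length) / rate

def in_app_success_probability(charset_size: int, length: int, attempts: int = 5) -> float:
    """Chance of guessing through the app itself, which locks PIN unlock after
    five failures: the attacker gets `attempts` tries out of the whole keyspace."""
    return min(1.0, attempts / keyspace(charset_size, length))

def compare_policies(rate: float) -> dict[str, float]:
    """Years needed to exhaust each assumed PIN policy at `rate` guesses/s."""
    policies = {
        "4 digits": (DIGITS, 4),
        "6 digits": (DIGITS, 6),
        "8 alphanumeric": (ALNUM, 8),
        "12 printable": (PRINTABLE, 12),
    }
    return {name: offline_exhaust_seconds(cs, n, rate) / SECONDS_PER_YEAR
            for name, (cs, n) in policies.items()}

if __name__ == "__main__":
    rate = guess_rate(DIGITS, 4, 4.0)  # derived from the article's measurement
    print(f"in-app chance, 4-digit PIN: {in_app_success_probability(DIGITS, 4):.2%}")
    for name, years in compare_policies(rate).items():
        print(f"{name:>15}: {years:16.8f} years to exhaust offline")
```

The rate is a lower bound: a faster machine or GPU only shortens the offline times, while the in-app probability stays fixed by the lockout.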
Keeping the computer or device secure, for instance with full-disk encryption and strong security features, may mitigate the risk as well.