Bitwarden's unlock with PIN feature is convenient, but also a security risk

Martin Brinkmann
Mar 21, 2023
Security

Users of the password manager Bitwarden may use the application on all major platforms and on the web. Depending on how they have set up the password manager, they may have to enter the master password of the account to access the vault or use a PIN to do so.

Using a PIN is a convenient option, as it is usually easier to enter the few characters of a PIN than a master password of 30 or more characters. Convenience may reduce security, however, and a new analysis of PIN use suggests that Bitwarden vaults that are protected by a PIN can be brute-forced.

The attack requires local access to the vault. While that is a barrier, it is still important that users are aware of the issue. A stolen laptop or unlocked device may be all that is needed to gain access to the password vault stored locally on the device, provided that a PIN was set up.

Using a PIN to unlock Bitwarden passwords

Bitwarden's vault is unlocked with a master password by default. Users may add security features, such as WebAuthn or other two-factor authentication methods, to improve security further.

Bitwarden supports a convenience feature, called Unlock with PIN, that provides access with a user-selected PIN. The feature is available for Bitwarden's desktop and mobile applications, and for its browser extension.

Bitwarden explains how a PIN is set on the support page. Users are not limited to using digits or a length of four. They may select any combination of characters. The PIN works in the selected Bitwarden application only when set and only locally.

Bitwarden added a prominent security warning on the support page that informs users that "using a PIN can weaken the level of encryption".

Brute-forcing the local vault

Bitwarden's applications lock PIN access after five failed attempts to enter the correct PIN. The security researcher behind the analysis found that attackers do not need to go through Bitwarden's applications to brute-force the PIN and gain access to the vault.

Instead, attackers may run brute-force attacks against the encrypted local data directly, where the application's attempt limit does not apply. A proof-of-concept exploit has been published for Linux. According to its developer, the exploit recovers any four-digit PIN in less than four seconds.

Recommendations

Bitwarden users have two main options to protect their password vaults against brute force attacks:

  • Skip setting up a PIN.
  • Select a very strong password for the PIN.

Not setting up a PIN requires no action on the part of the user, as the PIN is an optional feature. Users who want to set up a PIN should pick one that is considerably stronger than a four-digit PIN. Mixing different character types and choosing a considerable length improve security, but reduce convenience at the same time.

Keeping the computer or device secure, for instance with full-disk encryption and strong security features, may mitigate the risk as well.
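To make the recommendation concrete, here is an added example (not code from the article, the researcher, or Bitwarden) that estimates the offline guess space of a candidate PIN. The guess rate is an assumption derived from the article's figure (10,000 four-digit PINs in under four seconds, so at least 2,500 guesses per second); it is a floor for one machine, not a measurement of Bitwarden's key derivation, and faster hardware would shrink the times further. The function and constant names are hypothetical.

```python
import math
import string

# Assumed floor derived from the article: any 4-digit PIN (10,000 candidates)
# falls in under four seconds, i.e. at least 2,500 guesses per second offline.
# The in-app limit of five attempts does not apply to an offline attack.
IMPLIED_GUESSES_PER_SECOND = 10_000 / 4

# Character classes used to estimate the pool an attacker must search.
CHARACTER_CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "symbols": string.punctuation,
}


def alphabet_size(pin: str) -> int:
    """Size of the smallest pool covering every character class present in the PIN."""
    size = sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in pin))
    # Whitespace or non-ASCII only: fall back to the distinct characters seen.
    return size if size else len(set(pin))


def search_space(pin: str) -> int:
    """Number of candidates of this length drawn from the estimated pool."""
    return alphabet_size(pin) ** len(pin)


def entropy_bits(pin: str) -> float:
    return len(pin) * math.log2(alphabet_size(pin))


def expected_crack_seconds(pin: str, rate: float = IMPLIED_GUESSES_PER_SECOND) -> float:
    """Average offline brute-force time: half the search space on average."""
    return search_space(pin) / 2 / rate


def describe(pin: str) -> str:
    secs = expected_crack_seconds(pin)
    if secs < 60:
        when = f"{secs:.1f} seconds"
    elif secs < 86_400:
        when = f"{secs / 3600:.1f} hours"
    else:
        when = f"{secs / 86_400 / 365:.1f} years"
    return (f"{len(pin)} chars, pool {alphabet_size(pin)}, "
            f"{entropy_bits(pin):.1f} bits, ~{when} at {rate_label()}")


def rate_label() -> str:
    return f"{IMPLIED_GUESSES_PER_SECOND:.0f} guesses/s"


if __name__ == "__main__":
    for sample in ("1234", "19841984", "Tr0ub4dor&3"):  # constructed samples
        print(describe(sample))
```

The four-digit sample lands near the two-second average the article's figure implies, while an eight-digit numeric PIN only buys a few hours; mixing character classes and adding length is what moves the estimate into years.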

Publisher: Ghacks Technology News

Comments

  1. Hank in Tennessee said on March 25, 2023 at 6:31 am

    Thanks Mikko,

    However, didn’t you mean to say this:

    In Bitwarden terminology this means the Master Password is used for vault login (decrypting encrypted data from disk to RAM).

    But after login you lock and unlock the data in RAM using the PIN.

  2. Mikko Rantalainen said on March 23, 2023 at 8:24 am

    The correct way to use the PIN is to require the master password after a reboot/restart of the Bitwarden app and use the PIN to prevent access while the vault is in RAM.

    In Bitwarden terminology this means that PIN is used for vault login but after login (decrypting encrypted data from disk to RAM) you lock and unlock the data in RAM using the PIN.

    Note that if the attacker has code running on your computer with system level access (administrator/root), then all vault data can be leaked at the moment you access any of the data in the vault, so system security is still very important.

  3. Jason Penney said on March 21, 2023 at 8:53 pm

    This is only a threat surface if the Bitwarden user has chosen NOT to require the master password on restart. This effectively stores the master password on your hard disk. You even have to click through a warning to set this option.

  4. JuhaT said on March 21, 2023 at 11:18 am

    I tested my Yubikey to unlock the Bitwarden browser extension. The long press gives a “pin” of 37 characters.

  5. Anonymous said on March 21, 2023 at 8:06 am

    You, Martin Brinkmann, the last of the Mohicans of GH. I only read your posts.
