this post was submitted on 10 Feb 2024
2 points (62.5% liked)

Bitwarden

896 readers
2 users here now

Discuss the Paswordmanager Bitwarden.

founded 2 years ago
MODERATORS
wuffa@discuss.tchncs.de
2
Bitwarden master password and public server auth (lemmy.ca)
submitted 1 year ago* (last edited 1 year ago) by Darkassassin07@lemmy.ca to c/bitwarden@discuss.tchncs.de
5 comments fedilink hide all child comments
 

I have what may be a stupid question...

How is it your master password is both used to decrypt your vault and used to authenticate with bitwardens public servers to acquire a copy of your vault/view it in the web app, but bitwarden can't use that password entry to decrypt the vault themselves?

(please correct me if I'm misunderstanding, as I use self-hosted vaultwarden for my server instead of the public ones)

you are viewing a single comment's thread
view the rest of the comments
[–] Darkassassin07@lemmy.ca 2 points 1 year ago (1 children)

See, password hashing I'm familiar with. (or at least the concept)

But there's nothing stopping the web app just sending the password you've entered directly to the web server. It's open source, so I'm sure those with the skill have looked through the code, but every time you visit the page, you're reloading fresh code that could easily have changed since your last visit. It could even be targeted to specific users making it extremely difficult to look for.

This is a concern that's been in the back of my mind ever since I learned of password managers. I only began using one because I could self host it and cutoff any possible access.

[–] oktoberpaard@feddit.nl 2 points 1 year ago

I see. Well, that’s a valid concern, I guess. That’s similar to how WhatsApp is end-to-end encrypted, but they might as well be sending your private key somewhere, or your locally decrypted messages. In the end it’s to a certain extent based on trust, unless you can and are willing to control and/or audit the critical parts.