• zahel@lemmy.world
    link
    fedilink
    English
    arrow-up
    51
    ·
    1 year ago

    The way that Bitwarden stores your data, it is encrypted as a blob on AWS. If anyone compromises Bitwardens infrastructure, they can’t do anything because even Bitwarden doesn’t have the keys to decrypt your vault.

    Your vault can only be decrypted with your master passwords, and decryption happens locally, on device. No decrypted information is sent over the internet.

    As far as someone gaining access to your master password and this all other passwords stored in the pass manager, that is why 2 factor authentication exists.

    I could give you my Bitwarden master password right now, but that won’t help if you don’t also have my 2fa code.

    And that’s just talking about using the hosted version of Bitwarden.

    If you self host, you don’t even have to have the app available to the public internet, and can access it purely through a vpn to your LAN.

    Then the attacker would not only need to have access to your local network, also know your master password, and have access to your 2fa.

    If they know that much about you, you have larger concerns.

    So in short, your concern is mostly addressed and not really a concern if you utilize the features provided, such as 2fa

    • mac12m99@feddit.it
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      13
      ·
      1 year ago

      If someone compromise bitwarden infrastructure can (and probably will) silently release a “new” minor version of app and webapp so that every master password is sent to him, and then decipher passwords.

      It will last only some hours at worst but will still collect a lot of passwords.

      That’s only thing I’m worries about, but I still use bitwarden as I think my passwords being compromised in this evenience as nearly impossible

        • mac12m99@feddit.it
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Bro, what I said is that an attacker who someways get access to production, can push modified source code that send cleartext password to him before everything else.

      • ward2k@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        It absolutely shouldn’t be possible compromised or not for someone who has gained unlawful access to start pushing malicious code to production as long as proper security is in place

        • mac12m99@feddit.it
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It shouldn’t be possible to break any service but hackers do that daily. If proper security is in place they will need some 0day exploits, but it’s not impossible, just extremely difficult