Software WTF Moments–Bitwarden’s “Vault Export”

Three years ago, I switched from LastPass to Bitwarden for password management, mainly because there were features Bitwarden had that LastPass did not. One of the “features” I was not expecting, however, was the misleading export interface.

Bitwarden refers to its encrypted space as the Vault, and the logins, passwords, etc. that users store as Vault Items.

There are 4 types of items you can store in your Vault: Logins, Cards, Identities, and Secure Notes.

Bitwarden provides options to export a vault for backup or other purposes.

Bitwarden Vault Screenshot

There are two problems with this interface.

  1. Although the user is led to believe that they are exporting their vault, not all items in the vault are exported if the user chooses CSV. Specifically, even though Cards and Identities are clearly listed as two of the four item types in a vault, they are not included in a CSV export.
  2. Attachments are not exported with any of the export options. As far as I can tell, there is no way to get a backup of attachments at all from the Bitwarden web vault without going through each item individually and manually saving the attachments.

This is documented in the Bitwarden help article on exports, but these sorts of omissions should be made clear front and center on the Export Vault page itself.
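One way to catch both omissions before relying on a backup is to compare what the vault holds against what the export file actually contains. The script below is an added example, not code from the post or from Bitwarden; the item type codes (1 Login, 2 Secure Note, 3 Card, 4 Identity), the CSV column names and the inventory, JSON and CSV contents are constructed for the example and should be checked against a real export.

```python
import csv
import io
import json

# Item type codes as they appear in Bitwarden's unencrypted JSON export. This
# mapping is an assumption about the format; check it against a real export.
ITEM_TYPES = {1: "Login", 2: "Secure Note", 3: "Card", 4: "Identity"}
# Type labels used in the CSV export (assumption, as above).
CSV_TYPES = {"login": "Login", "note": "Secure Note"}

# Constructed vault inventory: what the vault really holds, including which
# items carry attachments. Gathered by hand (or via the CLI) in practice;
# every value here is invented for the example.
INVENTORY = [
    {"type": 1, "name": "example.com", "attachments": []},
    {"type": 3, "name": "Visa 1234", "attachments": []},
    {"type": 4, "name": "Passport", "attachments": ["passport.pdf"]},
    {"type": 2, "name": "PGP key", "attachments": ["key.asc"]},
]

# Constructed JSON export of that vault: all four item types, no attachments.
JSON_EXPORT = json.dumps({"encrypted": False, "folders": [], "items": [
    {"type": 1, "name": "example.com", "login": {"username": "alice", "password": "x"}},
    {"type": 3, "name": "Visa 1234", "card": {"number": "4111111111111111"}},
    {"type": 4, "name": "Passport", "identity": {"lastName": "Doe"}},
    {"type": 2, "name": "PGP key", "secureNote": {}, "notes": "..."},
]})

# Constructed CSV export of the same vault: only Logins and Secure Notes appear.
CSV_EXPORT = (
    "folder,favorite,type,name,notes,fields,reprompt,login_uri,"
    "login_username,login_password,login_totp\n"
    ",0,login,example.com,,,0,https://example.com,alice,x,\n"
    ",0,note,PGP key,...,,0,,,,\n"
)


def items_in_json_export(text):
    """Return the set of (type label, name) pairs present in a JSON export."""
    data = json.loads(text)
    return {(ITEM_TYPES.get(item["type"], "Unknown"), item["name"])
            for item in data["items"]}


def items_in_csv_export(text):
    """Return the set of (type label, name) pairs present in a CSV export."""
    return {(CSV_TYPES.get(row["type"], row["type"]), row["name"])
            for row in csv.DictReader(io.StringIO(text))}


def audit(inventory, exported_items, exported_attachments=frozenset()):
    """Compare the vault inventory with what an export actually contains.

    Returns the items the export dropped and the attachments that still need
    a separate backup. A Bitwarden export carries no attachments, so that is
    every attachment unless you pass in the ones you saved by hand."""
    expected = {(ITEM_TYPES[i["type"]], i["name"]) for i in inventory}
    all_attachments = {f"{i['name']}/{a}" for i in inventory for a in i["attachments"]}
    return {
        "missing_items": sorted(expected - exported_items),
        "missing_attachments": sorted(all_attachments - set(exported_attachments)),
    }


if __name__ == "__main__":
    for label, exported in (("JSON", items_in_json_export(JSON_EXPORT)),
                            ("CSV", items_in_csv_export(CSV_EXPORT))):
        print(label, audit(INVENTORY, exported))
```

Run against the constructed data, the JSON export reports no missing items but two attachments still to back up, while the CSV export additionally reports the Card and the Identity as missing.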

Even better, Bitwarden should just fix this. There are feature requests going back to 2018 that highlight the potential problems created by not having a method of exporting attachments from Bitwarden. As one user puts it,

It’s now JSON. Base64 encoding would work. This is a really annoying thing to miss. I really thought I had a full backup of my stuff until I saw the JSON is unexpectedly small given the attachments I’ve stored in BW. I use this to sync between two different BW accounts (paid one here, and my privately hosted one). Only it’s not really syncing, if the attachments are missing. These are scans of identity documents, private keys for PGP.

I understand this may be an issue for people who have huge amounts of attachments due to the size of the resulting JSON, but simply omitting them is not a solution. If that’s the concern, make it optional or filter by size or something.

The odd thing is that this doesn’t seem to be that big of an issue to resolve. Caesar Kabalan ran into the same problem and created a GitHub repository with a Bash script that exports an encrypted file containing all Bitwarden attachments using the Bitwarden CLI. But this process is only an option for pretty advanced users.

pass–the standard unix password manager

pass is a command line password manager for various *nix platforms.

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

There is also an Android client available.

The Other Benefit of Using A Password Manager

Terence Eden’s essay That’s not how 2FA works is a good primer on how 2FA, for some people, is borderline magic thinking. 2FA is good at protecting against a particular set of attacks such as credential stuffing and brute force attacks, but it is not cybersecurity magic.

Eden points out that 2FA doesn’t help you better identify a site–so it doesn’t protect users from entering their passwords and sending a 2FA token if a phisher gets you to click on reall-bank.com instead of real-bank.com.

However, password managers are good at not falling for fake sites (in addition to allowing users to maintain unique, complex passwords for every site).

The best defence is to use a password manager. I recommend the open source Bit Warden.

A password manager stores your passwords. But it also stores the web address of the site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.

Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.

Bitwarden Send Adds Secure Text/File Transmission to the Online Password Manager

Bitwarden has updated its online password manager to include transmitting text and files (100 MB upload limit) securely over the Internet.

Bitwarden Send empowers teams and individuals with a secure, simple way to share information directly with another person. Easily transmit text or files including passwords, billing credentials, or business documents fully encrypted. A Send object can be further protected with user-configured parameters, including:

A deletion date
An expiration date
A maximum access count
A password requirement
Option to disable

As with everything else Bitwarden does, files and text transmitted using Bitwarden Send are end-to-end encrypted and zero-knowledge (so Bitwarden does not have access to the content that is being sent and cannot decrypt or access the content).

Bitwarden posted a thorough explanation of how the Send service works.

Tom Lawrence Short Video on How Password Managers Handle Authentication

Tom Lawrence has a short 7-minute video explaining how password managers handle authentication without sending the user’s master password over the Internet.

The short version is that the password manager (Bitwarden in this case) generates a password hash in-browser using a salt derived from the username. This protects against replay attacks and ensures that the entire process of accessing the underlying passwords themselves occurs entirely client-side.
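To make the client-side scheme concrete, here is an added example (not Bitwarden's code, and not from the video) modelled on the pattern described: derive a key from the master password with the login name as salt, send the server a further hash of that key rather than the password, and have the server hash what it receives once more before storing it. The iteration count, the sample credentials and the server-side record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed iteration count for the example; production clients use far more.
KDF_ITERATIONS = 100_000


def master_key(master_password: str, email: str) -> bytes:
    """Derive the vault key in the client. The salt is the login name
    (normalised e-mail), so the same password on two accounts yields two
    different keys, and no salt has to be fetched from the server first."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def auth_hash(master_password: str, email: str) -> bytes:
    """What the client sends at login instead of the master password: one
    more PBKDF2 round over the master key, salted with the password. The
    server can verify this without ever seeing the password or the key that
    decrypts the vault, so decryption stays entirely client-side."""
    key = master_key(master_password, email)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1, dklen=32)


def server_enroll(client_hash: bytes) -> dict:
    """Server side: never store the auth hash as received. Hash it again with
    a random per-user salt so a copy of the server database does not contain
    values that could be presented as logins."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, KDF_ITERATIONS, dklen=32)
    return {"salt": salt, "stored": stored}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Recompute the server-side hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, record["salt"],
                                    KDF_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["stored"])


if __name__ == "__main__":
    # Constructed sample credentials.
    sent = auth_hash("correct horse battery staple", "Alice@Example.com")
    record = server_enroll(sent)
    print("client sends:", sent.hex())
    print("server stores:", record["stored"].hex())
    print("login ok:", server_verify(record, sent))
```

Two things the code makes visible: the bytes that cross the network contain neither the password nor the vault key, and because the salt is the login name, the client never has to ask the server for a salt before it can compute the hash.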

Personal Password Peppering/Secret Salting

A pepper or secret salt in cryptographic terms means “a secret added to an input such as a password during hashing with a cryptographic function” that is not stored with the hash itself.

Phani Karan wrote an article recently advocating using this method (which he refers to as “double-blind” and “horcruxing” for some reason) to increase the security of passwords stored in a password manager.

Karan’s recommendation goes something like this.

  1. Select an arbitrary (ideally random) short word or phrase. Let’s use kraken, for example.
  2. When you set up a password on an account, the password takes the form of password-kraken (where password is a randomly generated password or passphrase).
  3. In your password manager, you only store password.
  4. So when you revisit the site, you copy password and then manually append -kraken.

The claimed advantage of doing this is that if your password manager is ever compromised, your accounts are still safe unless someone is able to guess the -kraken password stem that is not stored in the password manager.

Karan refers to this as implementing a defense in depth approach, where multiple security layers are used to mitigate damage.

I would not recommend this approach for a number of reasons.

First, it increases the pieces of information you need to know to use your password manager. Currently, I need to know my username and password to access my accounts using Bitwarden. A system like this adds a third piece of information I need to memorize.

Maybe for the intended audience, that’s not a big deal, but given how many people struggle to understand and use a password manager in the first place, anything that adds more friction to that process is to be avoided.

Second, this is exacerbated by the fact that it would likely prove difficult to keep the secret salt secret for very long.

Currently, I have about 300 accounts stored in Bitwarden, all with unique passwords. Suppose I had been adding a secret salt to my passwords for the last 5 years. In that time, about 6 of the accounts that I have were part of public breaches.

I quickly changed those passwords once I was aware of the breach. Still, if I had been using a secret salt, anyone who breached my Bitwarden account would easily be able to go back and find one of those outdated, unused passwords and quickly see a secret salt pattern in there.

The only way to guarantee my secret salt stayed secret would be to change that salt every time I was aware of a public breach, which would mean updating hundreds of uncompromised accounts, which turns my password system’s complexity up to 11.
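The following added example (not from the post or from Karan's article) puts both halves of the argument in code: the four-step scheme from the recommendation above, and the cross-referencing described a few paragraphs earlier, in which stored values from the manager are matched against plaintexts from an old breach to recover the stem. The vault contents, the stem and the breach records are all constructed; nothing here comes from a real breach.

```python
from collections import Counter

STEM = "-kraken"  # the memorised suffix the scheme keeps out of the manager

# Constructed vault contents: the random part the password manager stores.
VAULT = {
    "shop.example": "Tq8!wLm2",
    "forum.example": "zz9#Kp4r",
    "mail.example": "Hf3$nRq7",
}


def site_password(stored: str, stem: str = STEM) -> str:
    """Step 4 of the scheme: the password actually typed at the site."""
    return stored + stem


# Constructed breach data: two of the sites above leaked plaintext passwords
# (the full, stem-bearing form), plus an unrelated record for noise.
BREACH_DUMP = [
    ("me@example.com", site_password(VAULT["forum.example"])),
    ("me@example.com", site_password(VAULT["mail.example"])),
    ("other@example.com", "password123"),
]


def stems_revealed(stored_values, leaked_passwords) -> Counter:
    """Cross-reference stored values with leaked plaintexts. Any leaked
    password that begins with a stored value exposes the suffix; the count
    shows how many leaks agree, i.e. how little guesswork is left."""
    found = Counter()
    for stored in stored_values:
        for leaked in leaked_passwords:
            if len(leaked) > len(stored) and leaked.startswith(stored):
                found[leaked[len(stored):]] += 1
    return found


def accounts_to_rotate(vault, stem) -> dict:
    """Once a stem is known, every stored value is a working password,
    breached site or not, which is why retiring a stem means changing the
    password on every account rather than only the breached ones."""
    return {site: site_password(stored, stem) for site, stored in vault.items()}


if __name__ == "__main__":
    leaked = [pw for _, pw in BREACH_DUMP]
    stems = stems_revealed(VAULT.values(), leaked)
    print("stem candidates:", dict(stems))
    print("accounts affected:", list(accounts_to_rotate(VAULT, STEM)))
```

With the constructed data, two leaked passwords are enough to pin the stem down unambiguously, even though the breached accounts were themselves rotated long ago; the remaining, never-breached account is then no better protected than if the stem had been stored in the vault all along.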