The Most Important Bitwarden Setting You Never Heard Of

  • Published 25 Nov 2024

COMMENTS • 135

  • @miran289
    @miran289 1 year ago +22

    God bless your soul. Having had multiple email addresses for years and for different purposes it was a nightmare for me to figure out a way to keep track of all my passwords, so before, I used to have similar pws to use on all of them and that led all my accounts to get hacked earlier this year and it left me paranoid ever since. Now, I don't save any passwords anywhere and don't even trust the browsers with it, so coming across your Bitwarden videos was a true blessing and it gave me a much needed sense of cyber security. THANK YOU SO MUCH!

  • @robertbishop7078
    @robertbishop7078 1 year ago +30

    Before Argon2id was available I had the iterations at 2 million. This took about 16 sec to decrypt on my Amazon Fire HD 10 Plus (2021). In May after I knew Bitwarden was updated across all my devices to support Argon2id. Late June I did my own digging on what these settings mean. I did not modify the settings as far as you showed. Default Argon2id was 4 sec to decrypt. After my changes to the iterations, it is about 10 sec to decrypt the vault. Thanks for describing these settings.

    • @teachmecyber
      @teachmecyber 1 year ago +2

      Nice! You were well ahead of the game before argon2id became available.
      The order of operations for increasing values would be memory and then iterations. Those are the two most important ones (and the ones that impact the amount of time to decrypt).
      If you haven't seen this, check it out for more testing. It was super helpful for me:
      antelle.net/argon2-browser/

    • @elleeden2024
      @elleeden2024 1 year ago +1

      @@teachmecyber Jason, I have Argon2id with 6,128,8
      Thoughts on that, strong enough? And is that stronger and harder to crack vs PBKDF2..... 600000?

  • @matthiasm7092
    @matthiasm7092 1 year ago +41

    If you use more than 64MB of memory, iOS autofill won’t work anymore. Bitwarden updated this information.

    • @teachmecyber
      @teachmecyber 1 year ago +5

      Thanks for the info!

    • @sportbikejesus
      @sportbikejesus 4 months ago +1

      If you use autofill you can end up sending your password to mean ole hacking guy

  • @TheCynysterMind
    @TheCynysterMind 4 months ago +7

    While 11 months late on this video.... You can also choose a password manager that does not store your password vault on the internet.
    Only a couple do this. Some create an encrypted password vault on your local computer so even if a site gets hacked... that site can ONLY get the one password that was passed through the web extension. (If your whole vault is stored in a web extension like LastPass or 1Password you risk losing your whole vault to a nefarious website.)

    • @becks0816
      @becks0816 1 month ago

      A nice approach, which doesn't work if you use a computer at work and want to login to a site using your private login.

    • @TheCynysterMind
      @TheCynysterMind 1 month ago

      @@becks0816 You can create a copy of your vault and place it on a thumb drive, setting up the work RoboForm to look at your thumb drive. I do this.

  • @coold501
    @coold501 1 year ago +13

    Explain more on Bitwarden.... I have been using it for 2 years and I was unaware of this... please make a detailed in-depth exploration video on Bitwarden

    • @teachmecyber
      @teachmecyber 1 year ago +1

      Thanks for the feedback! If I get some more requests on this, I'll make a more in depth video on how it all works behind the hood.

  • @dannyl6507
    @dannyl6507 1 year ago +9

    It doesn't matter what the algorithm is. For example, let's say you have a really weak password of 1234; then the hash for 1234 will still be whatever that hash is. So entering 1234 will still unlock your vault regardless of what hashing algorithm is being used on the backend. The point is to use a strong passphrase.

    • @teachmecyber
      @teachmecyber 1 year ago +4

      A strong master password is the first and most important step. The algorithm just adds a layer of security in the event someone does try to brute force it. It's added protection against a lastpass type scenario.

    • @1080pixel
      @1080pixel 11 months ago

      Hashing isn't the only thing being applied... salts and multiple iterations will harden even a simple password like 1234 - of course, it wouldn't withstand a brute-force attempt.

    • @seanmcmurphy4744
      @seanmcmurphy4744 8 months ago

      @@1080pixel The point is a password like 1234 is going to be on every common password list and is going to be one of the first tried in a brute force attack

    • @1080pixel
      @1080pixel 8 months ago

      @@seanmcmurphy4744 Do you know what salting does?

    • @robervaldo4633
      @robervaldo4633 5 months ago +2

      The point of the video is making it harder for your vault to be cracked in case Bitwarden servers are hacked and the encrypted vaults themselves are stolen, which was what happened to LastPass

  • @EdwardsNH
    @EdwardsNH 1 year ago +12

    You can (and should) change all your passwords stored in LastPass (then switch to something like Bitwarden), but sadly, any notes will still be there for the hackers. Eventually, it WILL be cheap to crack all of the stolen collections, and your notes are theirs.

    • @teachmecyber
      @teachmecyber 1 year ago +1

      +1 for changing your passwords in lastpass. Even with the notes, it will be good to go through those notes and make sure there isn't anything sensitive that needs to be changed (e.g. like security questions and things of that nature).

    • @mike80808
      @mike80808 11 months ago +1

      Changing the notes won't matter. The copies of the vaults that were stolen have the notes from when they were stolen last summer (2022).

  • @neuideas
    @neuideas 1 year ago +3

    My Bitwarden password is 44 characters long, and my PBKDF2 iteration count is 1 million. I set this up before Argon was available. Unlocking my vault on my cheap Onn tablet takes a few seconds or so, so I figure I have hit the sweet spot for now. I'll consider Argon in the future, though.

    • @teachmecyber
      @teachmecyber 1 year ago +1

      You've got a great setup with that combination. Argon will have some more security control against certain types of attacks, but they're not a huge concern for the majority of people.

  • @lajtilajti
    @lajtilajti 1 year ago +4

    I never heard of Argon2id before, thanks.

  • @elleeden2024
    @elleeden2024 1 year ago +3

    Thank you Jason, I really love your videos, very educational.
    As a result of your videos, I went to Bitwarden from Keepass.
    And may I ask your thoughts on Proton Pass?
    Worth looking into?

    • @teachmecyber
      @teachmecyber 1 year ago +1

      Glad to hear that! I haven't done a full deep dive yet on Proton Pass. I typically favor companies who focus on the password manager as their primary business. So things like 1Password, Bitwarden, and Dashlane.

  • @ScriptureFirst
    @ScriptureFirst 8 months ago +1

    Excellent explanation 🙏🏼💎

  • @unmapped89361
    @unmapped89361 1 year ago +6

    Good advice. But I think with a lot of iterations with PBKDF2 there is also a delay there. Your explanation sounded like the delay would be new with Argon2id...

    • @teachmecyber
      @teachmecyber 1 year ago +1

      That's correct, with more iterations on PBKDF2 there will also be a delay.

  • @elleeden2024
    @elleeden2024 1 year ago +3

    Jason, what does it mean exactly to rotate my account's encryption keys, and do you support doing that?

    • @teachmecyber
      @teachmecyber 1 year ago +2

      The encryption key is used to encrypt the vault. So if you change your master password it doesn't change the encryption key.
      Typically you only rotate your encryption key if you have reason to suspect it has been compromised.
      For most users, they won't need to rotate their encryption key.

    • @elleeden2024
      @elleeden2024 1 year ago +2

      @@teachmecyber Gotcha, thanks :)

  • @jono2702
    @jono2702 7 months ago +1

    Thank You, Thank You, Thank You!!!

  • @nethiyashwanth124
    @nethiyashwanth124 1 year ago +2

    Good content 👍

    • @teachmecyber
      @teachmecyber 1 year ago +2

      Thanks! Hope it was helpful in securing your passwords!

  • @rodneyhigginson
    @rodneyhigginson 11 months ago +1

    Great stuff man, thanks for the tip. So yeah, I've been dealing with hacking for a minute. Would love to know if I could be hacked while a page is loading? I use the "copy and paste" method when inputting my username and password, which might not be the safest. So when I go back to the page I'm trying to log in to, could those hackers switch pages on me and have me logging in to a phishing site?

    • @teachmecyber
      @teachmecyber 11 months ago +3

      The biggest risk with copying / pasting is that you could be putting it into a phishing page. With autofill or passkeys, it will detect the URL and only put the password (or passkey) in if it recognizes the URL.

    • @rodneyhigginson
      @rodneyhigginson 11 months ago +1

      @@teachmecyber thanks man, just what I'd figured.

  • @williamschlass6371
    @williamschlass6371 10 months ago +2

    Why would further encrypting your master password matter? Wouldn't it be easier for the hacker to simply try to brute force your password either way? So why does it make any real difference whether you use SHA-256 or Argon2id?

    • @teachmecyber
      @teachmecyber 10 months ago +1

      Argon2id slows down the brute-forcing process. It basically just takes longer for it to calculate whether the password is right or not, which slows down the attacker's ability to guess passwords. It's helpful in the LastPass scenario where attackers stole the vault.

    • @williamschlass6371
      @williamschlass6371 10 months ago +1

      @@teachmecyber I see, thank you for the clarification!

    • @ScottElblein
      @ScottElblein 7 months ago

      @@teachmecyber So then really the entire purpose of this is specifically to add in that login delay time?

    • @robervaldo4633
      @robervaldo4633 5 months ago

      @@ScottElblein yes, assuming you have a good password, adding delay makes it take too long to try enough times to find the password

  • @JulesE521
    @JulesE521 8 months ago +2

    When backing up the Bitwarden vault, where is the safest place to store a .json file after exporting the vault?

    • @teachmecyber
      @teachmecyber 8 months ago +1

      If you're doing it as a backup, you can store it on an encrypted USB drive.

    • @chefmike8888
      @chefmike8888 7 months ago

      I trade with family members. 3 members have mine in case my sister lost mine, like usual. But I placed it on her computer where she doesn't go. The external drive I get called over to update when she needs to. I'm the family IT guy so they don't know that we all have the important backup files in the classic 3-place rule.

  • @Panicthescaredycat
    @Panicthescaredycat 7 months ago +1

    Would the next best option be a Yubikey?

  • @Eric-jb1ym
    @Eric-jb1ym 4 months ago +2

    With 2FA tho is this even necessary?

  • @WaseemM2
    @WaseemM2 1 year ago +1

    Imagine entering a really long master password/phrase on a mobile device when you install Bitwarden or when it times out. It is a pain, especially with various virtual keyboard behaviors.

    • @teachmecyber
      @teachmecyber 11 months ago +2

      You can configure it to use your fingerprint and not prompt for the password

  • @Hawk_112
    @Hawk_112 9 months ago +1

    I tried the 2nd method of Argon2id (the 500 MB one) and on my PC it's slower than mobile, but still fine (about 7 sec on mobile and about 12 on PC).

    • @teachmecyber
      @teachmecyber 9 months ago +1

      Wow, I would not have expected that!

    • @Hawk_112
      @Hawk_112 9 months ago

      @@teachmecyber yeah, kinda weird lol. BTW I have a 6th gen i7 and 16 GB RAM on the PC and my mobile has a Qualcomm 732G with 6 GB RAM, so that desktop CPU should be a lot better in terms of power 😅

    • @Dex4Sure
      @Dex4Sure 6 months ago

      @@Hawk_112 not really. The Qualcomm chip is a lot newer and for this kind of stuff it probably is better than the dated i7.

  • @jmoorman
    @jmoorman 1 month ago

    Is this KDF feature only available on the paid version of Bitwarden? I don't see it on my free version.

  • @Damariobros
    @Damariobros 5 months ago

    Question: If a password of mine is in one or more data breaches, but the password breach was only bcrypt hashes and my password is very secure and long, is it safe to use it on a website still?

  • @BrandonLambertus
    @BrandonLambertus 2 months ago

    Is all of this still applicable today? Or did Bitwarden update itself to the point where it is no longer needed?

  • @ConnieLintner
    @ConnieLintner 8 months ago +1

    What do you think about using YubiKey 5C with Bitwarden?

    • @teachmecyber
      @teachmecyber 8 months ago

      It's the most secure option!

    • @ConnieLintner
      @ConnieLintner 8 months ago +1

      That’s great! I JUST set mine up with one, along with your recommendation from this video, Argon2id. Thanks for all the info!!!!

  • @terranova45074
    @terranova45074 9 months ago +1

    Can the same be done with my RoboForm??

  • @Abdulrahman-my3tu
    @Abdulrahman-my3tu 9 months ago +1

    thanks

  • @elleeden2024
    @elleeden2024 1 year ago +2

    Jason, so is my understanding correct... whenever we create a database, our password is NEVER sent to Bitwarden, but the HASH is, and if that is the case, how can Bitwarden verify our password is correct when opening the database if all they have is a copy of a "HASH" and not the password?
    Thank you kindly :)

    • @teachmecyber
      @teachmecyber 1 year ago +2

      The only way to calculate the right hash is to have the right master password! It's a nice way to ensure that someone has the right password without needing the actual password.

  • @the-Gammaron
    @the-Gammaron 1 year ago +2

    Hello, can you please measure the time difference between argon2id, and the default one? Also, do you think my low-end Android could handle it?

    • @teachmecyber
      @teachmecyber 1 year ago +3

      Here's a website you can use to test the different timings. You can also run this from your Android to test the difference and tune it to something that works best for you.
      antelle.net/argon2-browser/

    • @the-Gammaron
      @the-Gammaron 1 year ago +1

      @@teachmecyber is argon2id and argon2di the same?

    • @teachmecyber
      @teachmecyber 1 year ago

      Yep, same thing!

  • @Meowski_2
    @Meowski_2 7 months ago

    I love the tinfoil hat cats with the sound & all the little video game things you put in your videos. This is boring stuff but you're the 7th grade teacher I wish I had!

  • @marijnable
    @marijnable 1 year ago +4

    I don't think the bottleneck is the encryption at this point. If your password is indeed 16+ chars with some punctuation, people are not going to try and crack it. If they really wanted access they would do so by other means, like phishing or social engineering. Uncrackable, sure, but impossible to get unauthorized access, no.

    • @teachmecyber
      @teachmecyber 1 year ago

      100% agree with you. That's why the use of a strong master password and MFA will help secure your account.
      These settings are useful in dealing with a LastPass scenario where the vault is stolen.

    • @rajmerchant3178
      @rajmerchant3178 1 year ago

      😊

    • @rajmerchant3178
      @rajmerchant3178 1 year ago

      😊😊😊

    • @notreallyme425
      @notreallyme425 1 year ago

      How does someone trying to crack your password know how many characters long your password is and if you’re using punctuation?

    • @teachmecyber
      @teachmecyber 1 year ago +2

      They won't know how long or complicated your password is. The weaker the password though, the easier it will be for them to have a match. They typically will start with less complex passwords because it's quicker to check.

  • @Gorky25
    @Gorky25 9 months ago +1

    How much is ok to put for KDF?

    • @teachmecyber
      @teachmecyber 9 months ago

      The current minimum recommended amount is 600,000. I would go higher if your devices support it.
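Two replies in this thread describe the mechanism behind the KDF setting: the server can check the master password while holding only a hash of it (the "only the right password produces the right hash" reply above), and the iteration count sets how expensive each check is (the 600,000 minimum quoted here). The following Python is an added example, not Bitwarden's code and not the video author's; it models a client-side PBKDF2-SHA256 scheme with the email as salt and a one-round authentication hash on top, which is a simplification and an assumption, not a description of Bitwarden's implementation. The email, password and iteration counts are constructed sample values. Argon2id is not in the standard library, so PBKDF2 stands in for it; the point it demonstrates, that every extra iteration is paid once per unlock by the user and once per guess by anyone holding a stolen vault, is the same.

```python
import hashlib
import hmac
import time

# Constructed sample values: a throwaway account, not real credentials.
EMAIL = "demo@example.com"
MASTER_PASSWORD = "correct horse battery staple"
RECOMMENDED_MIN_ITERATIONS = 600_000   # the PBKDF2 minimum quoted in the thread


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Client side: stretch the master password into a 256-bit master key.

    The normalised email is the salt, so two users with the same password get
    different keys. Assumption: modelled on a PBKDF2-SHA256 client-side KDF,
    simplified for illustration; not Bitwarden's implementation.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def master_password_hash(master_key: bytes, password: str) -> bytes:
    """Client side: one more PBKDF2 round keyed on the master key, salted with
    the password. This value, never the password or the master key, is what a
    client would send for authentication. (Assumption: a real server would hash
    it again before storing it; that step is omitted here.)
    """
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"), 1, dklen=32)


def enroll(password: str, email: str, iterations: int) -> bytes:
    """Everything the server ends up holding about the password: the auth hash."""
    return master_password_hash(derive_master_key(password, email, iterations), password)


def verify(stored_hash: bytes, candidate: str, email: str, iterations: int) -> bool:
    """Recompute the hash from a candidate password and compare in constant time.

    Only the right password (with the same salt and iteration count) reproduces
    the stored hash, which is how a server can check a password it never saw.
    """
    return hmac.compare_digest(stored_hash, enroll(candidate, email, iterations))


def seconds_per_derivation(password: str, email: str, iterations: int) -> float:
    """Wall-clock cost of one key derivation at this iteration count on this device.

    The same figure bounds how fast anyone holding a stolen vault can test one guess
    on comparable hardware, which is why raising it is a defence, not just a delay.
    """
    start = time.perf_counter()
    derive_master_key(password, email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    stored = enroll(MASTER_PASSWORD, EMAIL, RECOMMENDED_MIN_ITERATIONS)
    print("stored auth hash:", stored.hex())
    print("correct password verifies:",
          verify(stored, MASTER_PASSWORD, EMAIL, RECOMMENDED_MIN_ITERATIONS))
    print("near-miss password verifies:",
          verify(stored, "correct horse battery stapler", EMAIL, RECOMMENDED_MIN_ITERATIONS))
    for n in (100_000, RECOMMENDED_MIN_ITERATIONS, 2_000_000):
        cost = seconds_per_derivation(MASTER_PASSWORD, EMAIL, n)
        print(f"{n:>9} iterations: {cost:.3f} s per unlock, and per guess")
```

Running the script on your own device gives the same kind of reading the thread's commenters report for their phones and tablets: the per-derivation time at each setting. Note that changing the iteration count changes the derived key, so after a KDF change the client has to re-derive and re-enroll, which is why the thread recommends an export before touching the setting.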

  • @RBzee112
    @RBzee112 5 months ago

    What about 2FA with an authenticator app? That's what I have set up.

  • @Damariobros
    @Damariobros 5 months ago +2

    3:09 I always thought zero-knowledge encryption was just, the password was turned into a key and tested on its merits - if it successfully decrypted the vault, it must be the correct password. If it failed, then it wasn't correct. Interesting! Does that mean Bitwarden does have a database of hashes?

  • @gablen23
    @gablen23 1 year ago +1

    After setting it up as suggested the first time (Argon2id, 500 MB, KDF 6 and 8), I was able to log back into the web vault without any problems, but the mobile keeps giving me errors: "username or password is incorrect. Try again." Does this mean that this setup is too strong for my mobile?
    I tried lower values, but that didn't work either, so I had to reset it to PBKDF2 SHA-256 and 600.000 KDF to be able to log in on my mobile.

    • @teachmecyber
      @teachmecyber 1 year ago +1

      No, it would just go super slow on mobile but wouldn't throw this type of error. Double check the master password you're typing in.

    • @gablen23
      @gablen23 1 year ago +2

      @@teachmecyber Well, I figured out what the problem was, wrote to support, they replied very quickly, and it turned out that the region setting was wrong because I had chosen EU instead of US. As they wrote, it doesn't depend on the physical location, but where it was initially established. Very useful video by the way, thank you!

    • @teachmecyber
      @teachmecyber 1 year ago +1

      Ahh okay, that makes sense. It's likely because they're not storing the vaults in both regions, so you need to make sure you're connecting to the right one. Thanks for letting me know!

  • @hugoanes1947
    @hugoanes1947 1 year ago

    If you use more security and it takes long, I assume that you use the remember session? Or every time you log in to something you go, put in your password, 2FA code, and wait for Bitwarden to open?

    • @teachmecyber
      @teachmecyber 1 year ago +1

      This depends on the site. I prefer to log in each time if the site doesn't have any additional security protections. E.g. some mail clients like Google will force a more secure login if the device is not recognized.
      The main risk is that if you're not using a secure MFA method like passkeys or FIDO2 hardware, you could get phished. This could steal your session token which would give the attacker access to your account.
      Check out my video on 2FA for more info on that style of attack.

    • @americanswan
      @americanswan 9 months ago

      @teachmecyber
      Good point about session keys.
      I have Yubikeys set for all my major accounts.

  • @loki76
    @loki76 1 year ago +1

    2:05 that chart doesn't show special characters/symbols. If it had that in the chart the "strong" section wouldn't be measured in "centuries" but millions/Billions of years.
    At least with conventional computing power.

    • @teachmecyber
      @teachmecyber 1 year ago

      I think you'll appreciate this: specopssoft.com/blog/best-password-practices-to-defend-against-modern-cracking-attacks/
      Not the most direct comparison as it focuses on cracking MD5 hashes for passwords, but it shows the addition of special characters and how that can support the strength of your passwords.

  • @OtisNJay
    @OtisNJay 5 months ago

    I'd like to ask... I already have security keys set up on my account. Does it then matter if someone cracked my password? Am I still okay?

    • @robervaldo4633
      @robervaldo4633 5 months ago

      I haven't looked deep into this, but as I understand it, the security keys are used only as a barrier to log in and get to the password vault, so they don't add security to the vault encryption itself. If someone finds your password they wouldn't be able to access your Bitwarden account without your security keys, but if a hacker gets into Bitwarden servers and obtains your password vault (what happened to LastPass and the point of this video), the security keys don't matter.

    • @OtisNJay
      @OtisNJay 5 months ago

      @@robervaldo4633 I did not realize that... thank you for taking the time to explain it.

  • @maxmustermann9858
    @maxmustermann9858 1 year ago +9

    Please don't say uncrackable, nothing is uncrackable. Even when it mathematically takes 200 million years to guess a password there are always ways to shorten this time.
    Especially when you take algorithms like AES or hashing algorithms like SHA-256 or Argon2 there is always the possibility that there is a security flaw in the algorithm itself. A truly uncrackable algorithm would be the one-time pad, but everything which is mathematically calculated can be cracked, especially with quantum technology.

    • @teachmecyber
      @teachmecyber 1 year ago +2

      Yes, everything is going to be crackable with limitless time or the advancement of quantum computing. But for 99.9% of people, this setup will keep their vaults in a position that won't be crackable given their risk profile.

    • @maxmustermann9858
      @maxmustermann9858 1 year ago +1

      @@teachmecyber Yes that's true, in cyber security you only need to run faster than your friends to not get chased. But I think it's wrong to say that anything is uncrackable. I understand what you mean, but for someone who doesn't know a lot or anything about that, it implies that it's really uncrackable. When you explain it like you now did it would bring people closer to reality without underestimating the risk. But everything else is great. It would be great to see videos for advanced or more tech-savvy people in the future. Keep going!

    • @teachmecyber
      @teachmecyber 1 year ago

      Any advanced topics in particular you'd like to see?

    • @maxmustermann9858
      @maxmustermann9858 1 year ago +1

      @@teachmecyber Maybe something like how to handle a digital will in a secure way (government proof), which I would still consider basic, but some IoT stuff with things like mDNS and firewalls. Or things like ransomware protection. All your videos are fine but what I've been missing is that you go really deep and explain the details. It's not a must and can be boring or not necessary for the average viewer; it would be just some input you can maybe use for orientation.

    • @teachmecyber
      @teachmecyber 1 year ago

      Thanks for the feedback!

  • @AK-wm8lj
    @AK-wm8lj 4 months ago

    Thanks. How would I safely delete or discard the JSON file which we saved before we changed settings? I am assuming that all passwords were saved on my laptop. I know I can just delete the file from my laptop but would it delete from the online world? Lol

  • @beejereeno2
    @beejereeno2 6 months ago +1

    PASHWORD HASHING

  • @ActuallyAwesomeName
    @ActuallyAwesomeName 1 year ago +1

    6:12 LOL Paschword Hasching Competischion

    • @teachmecyber
      @teachmecyber 1 year ago

      They have competitions for everything!

  • @mvevitsis
    @mvevitsis 4 months ago

    This advice is straight up wrong. You want to set parallelism to 1. Higher than 1 will make it faster to crack your vault, and will offer you no speed benefits for unlocking your vault if you are using bitwarden on desktop (which currently doesn't support multiple threads for argon).

  • @MikeHunt-rw4gf
    @MikeHunt-rw4gf 1 year ago +1

    Algorithm.

  • @merlinsreturn
    @merlinsreturn 1 year ago +1

    What does "make sure it's not sitting in your system" mean in the context of the master password? It's annoying and frustrating when you assume your audience knows what specifically you are referring to, like the clipboard or some other place. I don't want the back and forth questioning to understand your words. I should get it from the video.

    • @teachmecyber
      @teachmecyber 1 year ago +2

      That was in reference to the password export when you are migrating to Bitwarden. You don't want to have the password export sitting on your computer because someone can get your passwords in cleartext from that file.

    • @sublim3princ371
      @sublim3princ371 5 months ago

      @@teachmecyber so where do you store that file?!

    • @robervaldo4633
      @robervaldo4633 5 months ago

      @@sublim3princ371 As shown in the video, that backup was just to make sure you could recover your passwords if changing the encryption parameters gave you some problem and "broke" it. After everything went well, it's better to just remove the backup file (because it has all your passwords unencrypted) or, if you want to keep such a backup, store it on an encrypted backup device (or, also, Bitwarden allows you to get an encrypted JSON file instead of an unencrypted one).

    • @WakeUpAmerican000s
      @WakeUpAmerican000s 2 months ago

      @@sublim3princ371 -- You can put the JSON file in a temporary folder --- it's only needed for the import to Bitwarden, so once you import your data to Bitwarden, use a file destroy utility (overwrites the JSON file with zeros) to delete it right away.

  • @Dex4Sure
    @Dex4Sure 6 months ago +1

    Just use defaults. No point for almost anyone to go beyond that.