Bitwarden PINs can be brute-forced

submitted by
Style Pass
2023-03-17 22:30:03

The Bitwarden desktop client and browser extensions allow the user to unlock Bitwarden with a PIN. This PIN can be set up per device after logging in to an account using the master password. All information pertaining to the PIN is stored locally on the device. It cannot be used to sign in to an account (read: authenticate with the Bitwarden backend server), but it can be used to obtain access to the vault data that has been synced and stored locally in encrypted form.

Let's now assume that the user enables the PIN unlock and configures Bitwarden so that it doesn't require the master password on restart.

on disk, where \(\mathcal{K}\) is a key derivation function. This means that if an attacker can at any point gain access to the encrypted vault data stored on the device, the attacker can brute-force the PIN: the attacker can check whether decryption of \(c\) succeeds using the guessed PIN. This brute-force will very likely be successful, since PINs are usually very low-entropy. Now, granted, the key derivation function is PBKDF2 with 100000 iterations (+ HKDF), but that won't help with a 4-digit PIN.

Bitwarden seems to be aware that PINs are low-entropy and that many PIN guesses are a problem: the client allows only 5 PIN unlock attempts. However, this 5-guess limit is enforced completely within the client's logic: it relies on the attacker using the official Bitwarden client. Instead, an attacker can directly attack the ciphertext \(c\) above, trying different PINs until the ciphertext successfully decrypts.
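To put numbers on the claim that PBKDF2 with 100000 iterations does not rescue a 4-digit PIN, the following added example (not from the original post or from Bitwarden's code) times one derivation on the local machine and converts it into the worst-case time to exhaust a PIN keyspace, plus the entropy a secret would need to hold out for a chosen duration. It assumes PBKDF2-HMAC-SHA256, ignores the cheap HKDF step, and uses a constructed salt; all function names are illustrative.

```python
import hashlib
import math
import time

PBKDF2_ITERATIONS = 100_000  # iteration count stated in the post


def seconds_per_guess(iterations=PBKDF2_ITERATIONS, samples=3):
    """Time one PBKDF2-HMAC-SHA256 derivation on this machine (one core).

    Assumption: SHA-256 as the PRF; the HKDF step is ignored as negligible.
    """
    salt = b"constructed-salt"  # constructed value, not a real vault salt
    best = float("inf")
    for i in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"%04d" % i, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def pin_keyspace(digits):
    """Number of candidate PINs with exactly `digits` decimal digits."""
    return 10 ** digits


def worst_case_seconds(keyspace, per_guess, parallelism=1):
    """Time to cover the whole keyspace when each guess costs one KDF run."""
    return keyspace * per_guess / parallelism


def min_entropy_bits(target_seconds, per_guess, parallelism=1):
    """Secret entropy (bits) needed so covering the keyspace takes target_seconds."""
    return math.log2(target_seconds * parallelism / per_guess)


if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"one derivation at {PBKDF2_ITERATIONS} iterations: {cost * 1000:.1f} ms")
    for digits in (4, 6, 8):
        total = worst_case_seconds(pin_keyspace(digits), cost)
        print(f"{digits}-digit PIN: {pin_keyspace(digits):>9} candidates, "
              f"worst case {total / 60:.1f} min on one core")
    year = 365 * 24 * 3600
    print(f"entropy to last one year on one core: "
          f"{min_entropy_bits(year, cost):.1f} bits")
```

The client's 5-attempt limit does not appear anywhere in this estimate, because offline guessing against locally stored ciphertext is bounded only by KDF cost and secret entropy.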
