For this research project, we chose the password-management tool Bitwarden, a well-known open-source password manager that encrypts and stores user data.
All testing was performed on a Windows 11 machine.
Bitwarden is a well-known, open-source password manager that stores encrypted user data in the Azure cloud and/or locally on the host machine, so that sensitive information stays protected even if Bitwarden's servers are compromised. It is offered in several pricing tiers, each adding further security features; for this paper the free personal account tier was used and assessed (Help Center).
When installed on a Windows 11 machine, Bitwarden's data is stored in C:\Users\[USER]\AppData\Roaming\Bitwarden by default. Vault data is encrypted client-side with AES-CBC 256-bit, so it is encrypted both at rest and in transit. The encryption key is derived from the user's master password with the PBKDF2-SHA256 key derivation function, salted with the user's e-mail address. The keys themselves are never stored in the clear: the vault's symmetric key is kept only in encrypted form and can be unwrapped solely with the key derived from the master password, so only the user, through that password, can access it (Help Center).
Bitwarden operates on a zero-knowledge model: the master password never leaves the client in usable form, so the company cannot read the user's passwords or any other vault contents. The flip side is that everything rests on the master password. An attacker who captures it on the endpoint, as in the attack below, bypasses the encryption without having to break it.
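As an added example (not code from the paper or from Bitwarden), the following Python recomputes the key chain described above to make the dependence on the master password concrete. The PBKDF2 iteration count (600,000) and the HKDF-Expand labels "enc"/"mac" used to stretch the master key follow Bitwarden's published key-derivation scheme as this author understands it and are assumptions here; the e-mail address and password in the sample run are constructed.

```python
import hashlib
import hmac

# Assumed parameters, following Bitwarden's published key-derivation scheme as
# understood here (not taken from the paper): PBKDF2-HMAC-SHA256 salted with
# the lower-cased account e-mail, then HKDF-Expand into an AES key and a MAC key.
PBKDF2_ITERATIONS = 600_000          # assumed current client default; older accounts used 100,000
ENC_INFO, MAC_INFO = b"enc", b"mac"  # assumed HKDF-Expand labels


def derive_master_key(master_password: str, email: str,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Master password -> 32-byte master key (PBKDF2-HMAC-SHA256, e-mail as salt)."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256: T(i) = HMAC(prk, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stretch_master_key(master_key: bytes) -> tuple:
    """Stretch the 32-byte master key into a 32-byte AES-256 key and a 32-byte MAC key."""
    return (hkdf_expand_sha256(master_key, ENC_INFO, 32),
            hkdf_expand_sha256(master_key, MAC_INFO, 32))


def keys_from_captured_password(captured_password: str, email: str,
                                iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """What a keylogger operator can compute offline from the captured master password.

    The vault's own symmetric key is stored only wrapped under the enc/mac keys
    returned here, so whoever holds these keys can unwrap it. No attack on
    AES-256 is needed, and the PBKDF2 cost only slows guessing, not knowing.
    """
    return stretch_master_key(derive_master_key(captured_password, email, iterations))


if __name__ == "__main__":
    # Constructed sample values; not the paper's test account.
    email, password = "victim@example.com", "S0me-Constructed-Passw0rd!"
    # The legitimate client and the attacker derive identical keys from identical inputs.
    user_enc, user_mac = stretch_master_key(derive_master_key(password, email))
    attacker_enc, attacker_mac = keys_from_captured_password(password, email)
    assert (user_enc, user_mac) == (attacker_enc, attacker_mac)
    print("AES key:", user_enc.hex())
    print("MAC key:", user_mac.hex())
```

The e-mail is normalised before use as salt because the salt must be reproducible on every client; the same normalisation is all an attacker needs, since the e-mail is not secret.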
For this attack, Bitwarden was installed locally on a Windows 11 VM. A test account was registered with Bitwarden using the master password Masterpassword2(.). Three passwords of varying strength were stored in the vault, ranging from a known password taken from the "rockyou" dictionary to a password generated by Bitwarden.
The goal was to retrieve the master password and so gain access to the test vault. To do this, a malware program was designed to mimic a regular update that would be delivered to the user through some form of social engineering; the social engineering itself is outside the scope of this paper. The malware works in the background to exfiltrate the user's credentials. Attacker anonymity, persistence and covering of the digital footprint are likewise not addressed here.
Task Manager showing the trigger Python program running in the background.
Password input.
Log file output after the keylogger has executed.
The tooling was written entirely in Python for its ease of use and the breadth of libraries available for the task. The Python code is launched through batch files, and a VBS file starts the initial trigger script in the background. The malware itself is a keylogger: once the user starts Bitwarden.exe, it records keystrokes for one minute, writes them to a text file, and sends that file to the attacker's host machine.
The malware installer is disguised as a routine update. It carries the Bitwarden logo to give the appearance of a trusted source and entice the user to click through the prompts and security warnings. The malware has several components. The installer places the trigger script in the Startup folder, C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, so that it runs at every login. The trigger script polls in the background until its trigger, the running of Bitwarden.exe, occurs. The keylogger then records user input for one minute and writes it to a text document, and a final script sends that document to the attacker's machine for analysis. Both the Startup folder entry and the continuously running Python process (visible in Task Manager, as shown above) are artifacts a defender can look for.
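As an added example on the defensive side (not code from the paper), the following Python encodes what the persistence and trigger described above look like in process-creation telemetry and runs the checks over constructed sample events. The process names, paths, the 5-second trigger window and the Sysmon-style event fields are assumptions; real telemetry would come from Sysmon Event ID 1 or an EDR.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added detection example (not from the paper). It encodes the two observable
# artifacts the attack leaves on the host: a script launched from the per-user
# Startup folder, and an interpreter process created right after Bitwarden.exe.
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe",
                "python.exe", "pythonw.exe", "powershell.exe"}
TRIGGER_WINDOW = timedelta(seconds=5)  # assumed: how closely the keylogger follows Bitwarden.exe


@dataclass
class ProcEvent:
    """One process-creation event (the fields Sysmon Event ID 1 or EDR telemetry provide)."""
    ts: datetime
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_from_startup(ev: ProcEvent) -> bool:
    return STARTUP_DIR in ev.cmdline.lower() or STARTUP_DIR in ev.image.lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk the parent chain; stops at an unknown parent or on a cycle (pid reuse)."""
    chain, seen, cur = [], {ev.pid}, by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> dict:
    """Return {pid: [reasons]} for processes matching the attack's artifacts."""
    by_pid = {e.pid: e for e in events}
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    startup_pids = {e.pid for e in events if launched_from_startup(e)}
    for pid in sorted(startup_pids):
        flag(pid, "launched_from_startup_folder")

    bitwarden_starts = [e.ts for e in events if basename(e.image) == "bitwarden.exe"]
    for ev in events:
        if basename(ev.image) not in INTERPRETERS:
            continue
        if any(a.pid in startup_pids for a in ancestors(ev, by_pid)):
            flag(ev.pid, "descends_from_startup_launch")
        if any(timedelta(0) <= ev.ts - t <= TRIGGER_WINDOW for t in bitwarden_starts):
            flag(ev.pid, "started_within_trigger_window_of_bitwarden")
    return findings


# Constructed sample telemetry modelling the paper's chain: Startup .vbs -> .bat ->
# python trigger, then a second python process one second after Bitwarden.exe starts.
U = r"C:\Users\victim"


def T(h, m, s):
    return datetime(2023, 2, 14, h, m, s)


SAMPLE_EVENTS = [
    ProcEvent(T(9, 0, 0), 4000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(T(9, 0, 2), 4100, 4000, r"C:\Windows\System32\wscript.exe",
              'wscript.exe "' + U + r'\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'),
    ProcEvent(T(9, 0, 3), 4200, 4100, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "' + U + r'\AppData\Roaming\Bitwarden-Update\run_trigger.bat"'),
    ProcEvent(T(9, 0, 3), 4300, 4200, r"C:\Python311\python.exe", "python.exe trigger.py"),
    ProcEvent(T(9, 15, 10), 5000, 4000, U + r"\AppData\Local\Programs\Bitwarden\Bitwarden.exe", "Bitwarden.exe"),
    ProcEvent(T(9, 15, 11), 5100, 4300, r"C:\Python311\python.exe", "python.exe keylogger.py"),
    ProcEvent(T(9, 30, 0), 6000, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, reasons in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, basename(by_pid[pid].image), reasons)
```

The second rule is the one that distinguishes this attack from a generic Startup-folder script: a scripting interpreter spawned within seconds of the password manager starting is exactly the trigger behaviour the paper describes, and it fires even if the persistence mechanism were moved somewhere less obvious than the Startup folder.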
References:
Help Center. (n.d.). Retrieved February 14, 2023, from https://bitwarden.com/help/
Vaidehi, M., & Rabi, B. J. (2014). Design and analysis of AES-CBC mode for high security applications. 2014 2nd International Conference on Current Trends in Engineering and Technology (ICCTET), 499–502. https://doi.org/10.1109/ICCTET.2014.6966347
Choi, H., & Seo, S. C. (2021). Optimization of PBKDF2 using HMAC-SHA2 and HMAC-LSH families in CPU environment. IEEE Access, 9, 40165–40177. https://doi.org/10.1109/ACCESS.2021.3065082