Don't store TOTP in Bitwarden for your online accounts!

Since I started working in the Information Security space, I’ve been talking to a lot of people about topics related to protecting one’s identity online. Basically, trying to answer the question: What does it take to sufficiently secure my online accounts? Of course the meaning of sufficiently is very subjective here, but I’ve always kept it vague to gauge what it means to them specifically.

I did make sure to talk to people of various backgrounds – from deeply technical all the way to not technical at all. Surprisingly, many of them, even among the quite technical crowd, turned out to be lacking an understanding of some important fundamentals. In particular, it’s not always clear to them what problems Multi-Factor Authentication (MFA) is targeting and solving, or what threats Password Managers are targeting and solving.

Recently on one of my absolute favorite podcasts, Coder Radio, the host, Chris Fisher, mentioned that Bitwarden has this great feature: a built-in TOTP Authenticator. He’s a really technical guy, but not a cybersecurity expert, so he didn’t give it much thought. That triggered me to write about the issue with using Bitwarden’s TOTP Authenticator solution in particular.

First, let’s establish some fundamentals around both Password Managers and MFA.

Password Manager – Core Principles

In order to answer the question “Why should I care to use a Password Manager?”, we first have to understand what the problem with passwords is. To do that, let’s run through an attack scenario:

  1. A user, let’s call him Bob, has created accounts on Facebook, GMail, LinkedIn, Instagram, Twitter, Amazon, Spotify, and a whole bunch of other sites. Ideally, Bob should create a completely unique password for each of them. The reality is, though, that very few people would be able to memorize that many completely unrelated passwords, especially if some of them are not used regularly. So Bob ends up using either the exact same password for all/most of those sites, or slight variations of the same password, modified in a fairly simple way so that it can be easily memorized or figured out when logging in.
  2. Now, one of the many sites that Bob has signed up to gets popped. On top of that, it turns out that this particular site does not even hash its customers’ passwords. They store them in cleartext in a SQL DB. Trust me, that still happens in 2022…
  3. The hacker got an early birthday present – a huge package of passwords and the associated email addresses of a large group of people. That actually happened to me a few years ago when one of the sites I had an account on got owned.
  4. The hacker knows that many people re-use either the same password or slightly modified versions of the same core on different sites. So they try all those email/password pairs on various sites, hoping to gain access to some users’ accounts on other sites. Bob might’ve been one of the unlucky winners and had a number of his accounts owned by the hacker.

For me, the damage turned out to be contained solely to that hacked site – all my passwords on all sites were completely randomly generated by the password manager. Learning my password on that particular site didn’t give the attacker any access to my other accounts on other sites. Also, since I use a strong passphrase to lock my Password Manager’s vault, the leaked password was not related in any way to the Password Manager passphrase.

Summary

The core benefit of using a Password Manager correctly(!) is that our passwords are completely unique: one of them being compromised does not automatically render the others compromised.

When you use a Password Manager, make sure you’re protecting it with a long and difficult password/passphrase, and that you don’t use that passphrase anywhere else.

Shortcomings

One huge elephant in the room that we have to address here is that if an attacker gains access to our Password Manager’s vault, it’s game over – they have the keys to the kingdom. All the completely unique passwords are in their hands. By using a Password Manager we’re putting all our eggs in one basket.

MFA – Core Principles

The shortcoming explained above can be greatly reduced by using MFA, but only if we don’t store the MFA secrets together with the passwords in the Password Manager’s vault. Say, you use a YubiKey, or Google Authenticator on your phone.

If, instead, you use Bitwarden’s TOTP Authenticator feature, you’re effectively putting the second factor of authentication in the same place as your passwords. So now, if it comes to the worst and the Password Manager gets compromised, the attacker will get their hands not only on your passwords, but also on the shared secrets (the HMAC keys) used to generate the TOTP codes.

Bitwarden’s TOTP Authenticator can actually be useful

Among the people I’ve “interrogated” about sufficiently securing their online accounts were a few who proudly said they’ve adopted a Password Manager and… they’ve copied their favorite password, the one they’ve been reusing all over the place, into the Password Manager. Now they use the Password Manager’s web browser extension to paste the same password into each login form. Well, the only thing they’ve gained is a false sense of security.

However, if they do add a 2nd factor of authentication, even if that’s a TOTP managed by the same Password Manager, they do end up in a much better place. Now, looking back at the attack scenario I described above, their leaked password is not enough to log into their other online accounts. Yes, they are still vulnerable to the scenario where their Password Manager account gets popped and the TOTP secrets are revealed. But still, their security posture has improved a lot!

So at scale – you cannot deny that this solution does actually have real value. We simply cannot expect global society as a whole to get a firm grip on all those contexts that, let’s face it, are not trivial to thoroughly understand.
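To make the whole argument concrete, here is a small Python model of the credential-stuffing scenario from the first section and of the vault-compromise scenario from the last two. It is an added example, not code from the original post and not Bitwarden’s code. Everything in it is constructed: three toy sites (`mail`, `social`, `shop`), a fixed timestamp, Bob’s reused password, and a “vault” that is simply the set of passwords (and optionally TOTP secrets) the attacker ends up holding after the vault has been opened. The server side stores a salted PBKDF2 hash and checks a standard RFC 6238 TOTP code; the `totp` function is a straight implementation of that RFC and reproduces its published test vectors.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

# Constructed toy data: three sites Bob has accounts on, and a fixed "now".
SITES = ["mail", "social", "shop"]
NOW = 1_700_000_000
PBKDF2_ROUNDS = 20_000


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation,
    then the last `digits` decimal digits. Anyone holding `secret` can compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def register(password: str, totp_secret: bytes | None = None) -> dict:
    """What a well-behaved site stores: a salted PBKDF2 hash, never the cleartext,
    plus the shared TOTP secret if the user enrolled a second factor."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def check_login(account: dict, password: str, code: str | None, now: int) -> bool:
    """Server-side check: password first, then (if enrolled) a TOTP code valid for
    the current step or one step either side, to tolerate clock skew."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return False
    if account["totp_secret"] is None:
        return True
    if code is None:
        return False
    return any(
        hmac.compare_digest(code, totp(account["totp_secret"], now + delta * 30))
        for delta in (-1, 0, 1)
    )


def build_accounts(reuse_password: bool, enroll_totp: bool):
    """Bob's side: one reused password or a unique random one per site, with or
    without a TOTP secret enrolled on every site."""
    passwords = {
        site: ("Summer2022!" if reuse_password else secrets.token_urlsafe(16))
        for site in SITES
    }
    totp_secrets = {site: secrets.token_bytes(20) for site in SITES} if enroll_totp else {}
    accounts = {site: register(passwords[site], totp_secrets.get(site)) for site in SITES}
    return accounts, passwords, totp_secrets


def credential_stuffing(accounts, known_passwords, known_secrets, now=NOW) -> list[str]:
    """Attacker's side: try every password they hold against every site, adding a
    TOTP code wherever they also hold that site's secret. Returns the sites taken."""
    taken = []
    for site, account in accounts.items():
        for password in set(known_passwords.values()):
            code = totp(known_secrets[site], now) if site in known_secrets else None
            if check_login(account, password, code, now):
                taken.append(site)
                break
    return taken


def scenario(reuse_password: bool, enroll_totp: bool,
             vault_leaked: bool = False, totp_in_vault: bool = False) -> list[str]:
    """Two starting points for the attacker: the cleartext 'shop' breach from the
    post (one password), or the opened vault (all passwords, plus the TOTP secrets
    if they were stored there alongside the passwords)."""
    accounts, passwords, totp_secrets = build_accounts(reuse_password, enroll_totp)
    if vault_leaked:
        known_passwords = dict(passwords)
        known_secrets = dict(totp_secrets) if totp_in_vault else {}
    else:
        known_passwords = {"shop": passwords["shop"]}
        known_secrets = {}
    return credential_stuffing(accounts, known_passwords, known_secrets)


if __name__ == "__main__":
    print("reused password, no MFA, shop breached :", scenario(True, False))
    print("unique passwords, no MFA, shop breached:", scenario(False, False))
    print("reused password + TOTP, shop breached  :", scenario(True, True))
    print("vault opened, TOTP secrets in the vault:", scenario(False, True, True, True))
    print("vault opened, TOTP secrets elsewhere   :", scenario(False, True, True, False))
```

Running it gives the five outcomes the post walks through: a reused password with no MFA loses every site to one cleartext breach; unique passwords confine the damage to the breached site; a reused password with TOTP enrolled survives the breach, because the leaked password alone fails the second check; an opened vault that holds the TOTP secrets loses every site again, since the attacker can compute the codes exactly as the server does; and an opened vault with the secrets kept elsewhere (phone app, hardware key) yields nothing.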

If you have any comments, please feel free to shoot me an email, or drop me a note.

TOTP  MFA