Conversation

Am I correct assuming that the #Bitwarden server-side iterations provide no security value? Judging by their security whitepaper, they are misimplemented in the same way as for #LastPass.

See https://bitwarden.com/images/resources/security-white-paper-download.pdf, page 9. The server-side iterations are applied to the master password hash before it is stored. They are not applied to the encryption key however, this one is derived from the master password with the 100,000 PBKDF2-HMAC-SHA256 iterations performed on the client side.

If someone were to get a copy of the Bitwarden data, they will need to bruteforce the master password. In order to test their guesses, they don’t need to check the master password hash – they can rather test whether they can decrypt the data. And here they are only slowed down by the 100,000 client-side iterations.

This does *not* have to be like this. See for example the Firefox Sync protocol: https://blog.mozilla.org/warner/2014/05/23/the-new-sync-protocol/ (“new” design from 2014). Here the scrypt hashing performed on the server side is a necessary step both to validate the password and to derive the encryption key.

Mind you, Bitwarden is still better than LastPass assuming that they encrypt all the data and have consistent PBKDF2 iteration settings for all accounts. But they are not *that* much better, and 100,000 iterations is still factor 3 below current recommendations.