[HN Gopher] Bitwarden releases "emergency access" feature
___________________________________________________________________
Bitwarden releases "emergency access" feature
Author : madsmtm
Score : 120 points
Date : 2021-01-21 19:56 UTC (3 hours ago)
(HTM) web link (bitwarden.com)
(TXT) w3m dump (bitwarden.com)
| shakna wrote:
| > On confirmation, the grantor's Master Key is encrypted using
| the grantee's public key and stored once encrypted. Grantee is
| notified of confirmation.
|
| > When the request is approved or the wait time lapses, the
| public-key-encrypted Master Key is delivered to grantee for
| decryption with grantee's private key.
|
| I'm not quite sure how I feel about the way they're doing this.
| Whilst this is a feature a lot of people desire, the way that
| they're doing it makes it feel like it would be impossible to
| verify that they're not storing your Master Key, or transmitting
| it to someone else - i.e. backdoor.
|
| At least, not with the level of detail I can find. [0]
|
| [0] https://bitwarden.com/help/article/emergency-access/
| judge2020 wrote:
| I'm under the impression that the "encrypt master key with the
| receiver's public key" step is done on-client, so you could
| verify that the master key isn't being stored the same way you
| can verify they're not sending the master key when logging into
| the web ui: looking at devtools and seeing everything that
| leaves the network.
| e12e wrote:
| It's a little too much to sort through on mobile, but I
| believe this is a reasonable place to start looking (this is
| the web app, the server might be worth a look too). As far as
| I can figure out, it's not part of the cli client.
|
| https://github.com/bitwarden/web/commit/3c5a972bc9e959c5ced9...
|
| Reminder: bitwarden isn't just an awesome service, it's also
| committed to open source!
| shakna wrote:
| > I'm under the impression that the "encrypt master key with
| the receiver's public key" step is done on-client
|
| However, what would prevent them sending two public keys, one
| for your contact, and one for someone else? Or sending the
| wrong public key?
|
| How is the key exchange itself verified other than "Bitwarden
| user"?
|
| Those questions aren't answered.
| tptacek wrote:
| Am I reading it right that this allows people to designate access
| to their password manager via _email_? I feel like I have to be
| missing something, like a previous step that fingerprints the
| emergency contact's key or something.
|
| (I get that we rely on email for stuff like this all the time,
| but your password manager is part of what protects your email
| account, which is why we rely on email as much as we do for
| resets).
| dsissitka wrote:
| They encourage you to verify the grantee's fingerprint phrase:
|
| > To ensure the integrity of your encryption keys, verify the
| displayed fingerprint phrase with the grantee before completing
| confirmation.
|
| https://bitwarden.com/help/article/emergency-access/#confirm...
|
| > The fingerprint phrase is an important security feature that
| assists in uniquely and securely identifying a Bitwarden user
| account when important encryption-related operations are
| performed (such as sharing).
|
| https://bitwarden.com/help/article/fingerprint-phrase/
| WatchDog wrote:
| While I make heavy use of a password manager, I still choose to
| memorize my email password, and not store it in a password
| manager, precisely because it is relied on so much, and can
| be used to reset the majority of the passwords stored in the
| manager anyway.
| joerickard wrote:
| Nice! I was already satisfied using Bitwarden, and now I will no
| longer have to manually manage my ICE backup.
|
| In the past I've kept an offline copy of my 'vault' on a few USB
| keys in a safe deposit, for my family in case of death or
| similar. I'm curious how others have solved this problem.
| neartheplain wrote:
| I periodically send my loved ones encrypted copies of my
| password vault. A copy of the decryption key is stored in my
| safe-deposit box, which they can access only after I am gone.
| This lets me update the contents of my password vault without
| having to visit the bank.
|
| And actually, the safe-deposit box only holds one half of the
| decryption key. My loved ones have the other half in their
| respective safe-storage locations. This means a rogue bank
| employee can't drill my box and do anything useful with the
| contents.
|
| The password vault itself is a plaintext file that I decrypt
| and edit/grep as needed. I use the OpenSSL command-line tool
| for encryption and decryption. My loved ones either have this
| installed by default on MacOS, or have a Cygwin installation on
| Windows with which I have tested the commands. The safe-deposit
| box contains short and detailed instructions for use for my
| non-technical loved ones.
|
| I also use the Google Chrome password manager with client-side
| encryption enabled. Whenever I change any important passwords,
| I'll export its contents to my text file password vault.
| NikolaeVarius wrote:
| I have a similar and opposite problem. I would be fine with all
| my secrets dying with me, but what I want to protect against is
| me going into a coma/for some reason I forget how to access my
| accounts.
|
| How to securely manage it so that only I can open it if my
| biological self is there? I don't trust bank safe deposit boxes
| and I can't put a safe worth using inside my Apt.
|
| https://www.nytimes.com/2019/07/19/business/safe-deposit-box...
| ibejoeb wrote:
| Perhaps just an old iPhone or Android with a fingerprint
| sensor and another installation of bitwarden. You can keep
| the phone's passcode written down because its only use is to
| start the device. Then configure biometric log-in for
| bitwarden as an alternative to a distinct passphrase. In the
| event of a total blank, you should still have access as long
| as you retain a finger.
| jbverschoor wrote:
| Requires a passcode before allowing biometrics
| ahnick wrote:
| I think you are going to have to rely on another human being
| (or perhaps a group of trusted individuals) even in that
| case. Depending upon what caused your incapacitation, you may
| or may not be able to actually retain and manage your secrets
| going forward. Put another way, if your wetware is damaged
| you may need a backup (aka trusted human) to handle your
| secrets on your behalf.
| vorpalhex wrote:
| Shamir's secret sharing is the algorithm for splitting a
| key and requiring only a subset of pieces (so you can
| disperse it to 20 friends but only need 11 to agree to
| reform the key).
|
| This would give you protection both against the amnesia
| route (where you fall unconscious, lose your memory but are
| totally fine afterwards) and the route where you're unable
| to manage your secrets at all (e.g. stroke resulting in
| long-term failure to maintain memories or make decisions).
|
| You'd still, for the total loss route, need a replacement
| actor (someone acting on your behalf) to assemble and
| receive the key, and be the keyholder moving forward - and
| you would likely need to leave instructions with the flock
| of people having pieces of the key on how to select or
| confirm your future keyholder.
| fhoxh wrote:
| This represents a dramatic escalation of side-channel attack
| vectors and surface area. It's an unfortunate inevitability that
| this will not end well. Secure platforms never provide
| affordances for backdoors, especially backdoors tightly coupled
| to externalities. Bitwarden is further attracting unnecessary
| attention to itself from actors who have an interest in the
| collection of the volunteered emergency-trust relationships.
| Bitwarden would be well-advised to reconsider this feature.
| Nightshaxx wrote:
| I disagree. This is an extremely important feature. If
| something happens to me, I wouldn't want my family to have to
| jump through insane hoops to get access to my accounts for a
| bit of extra theoretical security. At this point something
| traumatic has already happened to them and this would just be
| another emotional burden. This could be for financial reasons, or
| say if I were missing, to communicate with my friends.
|
| Let people who don't need it and don't want it turn it off, but
| for me I'd definitely have it on.
| aunlead wrote:
| The pandemic has made me (re)evaluate how my family can get to my
| finances and online services. Such solutions can solve issues
| related to bank/trading account access and key documents but what
| about subscription services? All my subscription services from
| Netflix/Plex (less important) to VPN/Backblaze (more important)
| are tied to my credit cards, which upon my untimely demise will
| be deactivated. My family will surely get locked out if I don't
| leave clear instructions on each of the services and how they can
| access them, etc. Then there is a technical aspect of taking over
| these services.
|
| I'm curious on how others have planned around this?
|
| edit: typo
| toomuchtodo wrote:
| Everything should be documented. We have a binder with
| checklists that walk you through gaining access to everything
| the other partner might need in the event of death (email
| accounts, domain registrar, bank and brokerage accounts,
| auto/home/life insurance, ongoing recurring bills of all
| sorts). Bitwarden databases are exported to paper, 3 hole
| punched, and put in the binder on a schedule. Both partners get
| set up with each other's 2FA OTP tokens. Have options? Agreement
| goes in the binder. Own real estate? Deeds, land trusts, LLC
| agreements, etc related to this go in the binder. If in doubt,
| print it out.
|
| Either one of us can assume responsibility for the entire
| estate in about an hour or so, the only delay would be a life
| insurance benefit payout. If you have assets that your partner
| might not know how to facilitate liquidity for, or when to, pay
| someone you trust to manage that. Your gift to your family is
| when you leave the world, they can continue on without fumbling
| to wrap up loose ends.
|
| https://getyourshittogether.org/checklist/
| legerdemain wrote:
| In an accident or disaster (house fire, flooding, earthquake,
| you name it), this binder will be gone. This binder should be
| in a secret manager.
| toomuchtodo wrote:
| Keep a copy in there if you want for convenience, I argue
| you'll still want a paper backup somewhere. Opsec is hard,
| people are fallible.
|
| "What was the password?", "Where's the Yubikey?", etc.
| These are not the failure scenarios you want to encounter
| during a tragedy.
| [deleted]
| jjnoakes wrote:
| I don't do anything with my online accounts; for assets I rely
| on beneficiary information and my will, and I expect that the
| online accounts will just die off (as CCs close, etc).
|
| I've always wondered if I should do more. What are the
| downsides of relying only on wills and beneficiaries? What
| might I be missing with this super basic estate planning?
| MrStonedOne wrote:
| Their concern seems (to me) to stem mostly from how the rest
| of their family will be able to use the household services if
| they pass.
|
| Should the family have to set up new Netflix accounts with new
| watch history tracking because the primary account holder
| passed away? Given how long it would take for the cc's to get
| cancelled and Netflix to notice, would it be smart for your
| kids or partner to get that kind of gut wrenching reminder of
| what was lost months after your death?
| NamTaf wrote:
| Having gone through an unexpected, young death where nothing
| was recorded, I've come to the opposite conclusion: anything
| significant enough to care about already has next-of-kin
| processes established such that the Right Person will be able
| to sort it out.
|
| Indeed, when it comes to stuff like finances, at least where I
| live, touching them post-death creates issues when the legal
| channels confirming there's no contest over next-of-kin haven't
| been run to ground. In those situations, having a password
| means nothing.
|
| This doesn't mean you shouldn't prep a will and have processes
| in place, but it gave me a lot of reassurance that I did not
| need to worry so much about this.
| gpanders wrote:
| After my wife watched the show "Dead To Me" on Netflix, we had
| this exact same discussion. I ended up writing a "death
| document" on Google Docs and sharing it with her. It just
| outlines "here's where everything is and this is what you do
| with it". It was done kind of jokingly, but now that it's
| written it actually makes me feel much better.
|
| For passwords and such, she has a Bitwarden account too and we
| share all important passwords (finances, medical, etc) in a
| shared organization between the two of us.
| _wldu wrote:
| Have one email account on your domain (example.com) and use
| that for everything important. Use a long random password for
| the account and don't 2FA it. Share that with your family.
| That's probably all they need to gain access and reset your
| other accounts.
|
| If you 2FA the email account, you risk locking you and them out
| permanently for many services. I've written some about this. If
| you care to read it:
|
| https://www.go350.com/posts/now-they-have-2fa-problems/
|
| Also, if you 2FA other things and aren't really careful, you
| may lock them out even if they know the password and/or are
| able to reset it. That is by design.
|
| This problem is growing larger every year as more sites enable
| or mandate 2FA. It's impossible for humans to manage this at
| scale.
| dnadler wrote:
| My wife and I recently had to settle an estate (pre-covid), and
| most subscription services are quite easy to work with. The
| estate we were dealing with was a bit of a mess, so we
| basically had nothing to go on except some bank/credit card
| statements. We were able to contact the banks, deactivate all
| the credit cards, and contact some services to request refunds
| for several months of service. We didn't have any trouble
| getting those refunds after providing the death certificate.
|
| Obviously, it would have been much less of a hassle if we'd had
| the account information from the beginning, but there were much
| more annoying problems to deal with than deactivating Netflix.
|
| If you're really concerned about this, make sure you have a
| will in place and beneficiaries defined on your financial
| accounts. That is probably just as important as making sure
| your dependents have immediate access to your money.
| rubyist5eva wrote:
| safety deposit box at my bank with my accounts, passwords and
| 2FA recovery codes in a notebook
| dastx wrote:
| And you still can't use it in Firefox's private mode.
| Barrin92 wrote:
| Bitwarden is just fantastic. It's open source, the interface is
| clean, works fine on all platforms for me and pretty much
| everything is free. If the devs browse here, thanks for making
| it.
| opheliate wrote:
| Just want to echo this. I've been using Bitwarden for about a
| year now, and a few months ago, my mum (not technologically
| literate) had her email hacked. Getting her set up with
| Bitwarden & teaching her how to use it was one of the easiest
| experiences I've had when introducing her to new software.
| Really well designed.
| alexanderh wrote:
| How dependent is it on them as a service? If their
| website/service disappeared off the face of the earth tomorrow,
| would I still have access to my passwords locally?
|
| I'm still hesitant to use any form of password management that
| relies on cloud services. I still like Keepass (with auto-
| updates disabled for security because their updater uses HTTP,
| of course), for my purposes. I can Sync my keepass file any
| number of secure ways that don't rely on a single provider.
| Aeolun wrote:
| As far as I know they only sync a data blob, so you would
| just not get any updates.
| bilange wrote:
| > If their website/service disappeared off the face of the
| earth tomorrow, would I still have access to my passwords
| locally?
|
| They provide a selfhosted alternative to their cloud service.
|
| Not only that, there is a Rust-based Bitwarden server
| reimplementation that doesn't phone home (IIRC I believe the
| official self-hosted server needs an API key?), is compatible
| with all platform clients (at least for my needs).
| https://github.com/dani-garcia/bitwarden_rs
| viraptor wrote:
| Your passwords are cached locally on the devices. You can
| export your vault too. If their public service goes down (or
| if you don't want to use it in the first place) you can stand
| up your own server (there are at least 2 common
| implementations) and point your clients at it.
| itake wrote:
| I have been using Bitwarden for over a year now and there are
| still tons of UX bugs that annoy me.
|
| In Firefox extension:
|
| 1. There is no memory. If you close the window, to copy the
| password, you have to re-search for the account to find the
| username.
|
| 2. If you open up bitwarden before the page is loaded, it says
| it can't find the password box to fill in. This is probably an
| extension limitation, but still annoying.
|
| iOS
|
| 1. No memory. If I search for a username, I have to re-search
| for the password. It always opens up to the search screen (when
| I am using it via the password helper keyboard).
|
| 2. iOS the keyboard doesn't always show up to let me search for
| an account via password helper keyboard.
|
| In general
|
| 1. You should be able to set a default username or email to
| automatically use when creating a new account. I hate having to
| type my email address in every time when creating the account
| on mobile.
|
| 2. When you're registering an account on a website,
| I first create it in Bitwarden with a password then I paste the
| password into the textbox to register the account. If the
| website rejects the password cuz of formatting, I gotta go back
| into bitwarden, edit and update the password with the new
| format. it takes like 5 clicks. ugh.
|
| Thanks for listening.
| blakesterz wrote:
| Here's the details on how it works:
|
| https://bitwarden.com/help/article/emergency-access/
| hehehaha wrote:
| I am not so sure about this. I think they should certainly allow
| emergency access to shut down all access but not necessarily give
| access to a trusted party. Life can change quite unexpectedly.
___________________________________________________________________
(page generated 2021-01-21 23:00 UTC)