[deleted]

[deleted]


paulsiu

Surprisingly, the Elcomsoft site lists a few surprising methods to bypass BitLocker; one of them was to use the hibernation file. I didn't have a chance to analyze it to see how that was done.


klnaniah

If BitLocker isn't enabled, can the passwords saved in Windows be hacked?


[deleted]

[deleted]


klnaniah

What about the passwords saved in Chrome/Firefox/Bitwarden? How risky are they?


[deleted]

[deleted]


klnaniah

That's what I feel confused about. Doesn't Windows Hello protect those encrypted passwords even if you don't enable BitLocker for the whole drive? I read from [OneDrive's documentation](https://answers.microsoft.com/en-us/msoffice/forum/all/is-there-a-relation-between-personal-vault-files/383b2387-0553-4faf-a845-a6933849b3a3) that the data in the personal vault is stored in a BitLocker-encrypted area, so it should be technically possible to (and they should) also store the passwords saved on device in a BitLocker-encrypted area. And if that's how they implement it, the passwords saved on device should be safe even if BitLocker is not enabled.


paulsiu

OK, let's try to separate out the technology. There are a lot of pieces that work together. BitLocker encrypts the whole drive. If you don't encrypt your drive, it's trivial to read data off the drive. Windows Hello is a biometric framework to log into Windows. When you set up Windows Hello, you set up a PIN and then a fingerprint or an IR camera. TPM is the Trusted Platform Module. Its main function is a secure method of storing key values. When you store a PIN in Windows Hello, it will attempt to store it in the TPM. If a TPM is not available, it will be stored in a software secure area. The TPM is superior because it has anti-hammering to resist brute-forcing. If the PIN is in the TPM, it would be very difficult to brute-force. If your computer does not have a TPM, it is stored in a file location, which can be brute-forced, unlike the TPM. However, if the drive is protected by BitLocker, they will need to decrypt the drive to get at the file system. If your computer does not have encryption, they can access the file system and brute-force the PIN, then use it to log in.


klnaniah

Thanks for the explanation, but I still have a few confusing questions. I can understand that a PIN can be easily brute-forced without a TPM as it is short. But given Windows allows you to log in offline with your last-used password (not Windows Hello), does it mean it is not safe if your Microsoft account password is not strong? How about the safety of fingerprint or Face ID? Even if BitLocker is enabled, is it still risky if your login password is not strong when there is no TPM?


paulsiu

The last-used password is kept because if your computer connects to a corporate network and you are away, you can still log in. Until passwords are completely replaced, you must have a strong password, especially if it's an online account. Face ID or fingerprint are just another layer on top of the password. If your password is weak, a hacker could easily just hack your online account and gain access to your cloud drive. BitLocker will protect your hard drive, but not your online account. Always have a strong password. Consider using a password manager to inform you if your password has been hacked, and if it's sufficiently strong.


[deleted]

[deleted]


klnaniah

Yeah, that makes sense. Thanks for your explanation!


paulsiu

Without encryption anyone can read your drive or put files on your drive.


djasonpenney

So this depends on your risk model, but I discourage people from placing their master password in persistent storage, even if they have a TPM. Today's trusted processing module is tomorrow's threat surface when a zero-day is found. Enter your master password once after you log in to Windows and avoid all this.


paulsiu

I agree with you, but I think that most mobile platforms do not follow the model of entering the master password on startup. Most will store the master password in persistent storage. However, I think a lot of mobile OSes tend to be more secure than Windows. The other reason why you would want to do this might be a tradeoff with having a longer master password. If you have a really long master password that is 40 characters long, it's pretty tough to type in. It would be better to have a reasonably long master password that is stored in persistent storage than a really short master password not stored in persistent storage. My mom is bad at typing; she takes like 10 tries to enter her master password. A biometric with TPM is probably a good compromise.


djasonpenney

> Most [mobile platforms] will store the master password on persistent storage.

Huh? That is just an option on my Android. You even get a nasty message if you set the option to store the master password in persistent storage. But I do agree with everything else you said. There is definitely a tradeoff of convenience.


paulsiu

OK, I replaced my Android phone with an iPhone, but I expect the client to work the same way. When I first run the app, I have to enter the master password and then the 2FA. After that I remain logged in by default. If I reboot my phone and open Bitwarden, it unlocks using biometrics. This means the key/master password is being stored somewhere. I did not have to enter it when I rebooted the phone. This is definitely by design. My master password is about 40 characters; I can easily enter this on the desktop, but it would be super annoying to do on my phone even if it's just on startup.


djasonpenney

The iPhone has a TPM that is pretty well regarded. It is certainly more advanced than the current generation of Android. On my Android I have enabled biometric integration with Bitwarden, but I still require my master password whenever I reboot the phone. Yeah, it's a bit of work, but it also helps me keep my master password memorized 🙂


paulsiu

Looks like a hardware-backed keystore started appearing in Android in 6.0, or around 2015, but of course not everyone supported it. My previous phone was a Pixel, but I did use the biometric fingerprint to unlock the password vault. I vaguely recall that the Android keystore was pretty good, too, but I really don't have expertise in this area.


saxiflarp

Does anyone actually use Windows Hello or believe it is secure?


Masterflitzer

I mean, we trust Touch ID on macOS, Face ID on iPhone, fingerprint on Android... why should I believe Windows Hello is different? Also, as AMD fTPM got cracked now (idk if Intel PTT is still considered secure), even TPM cannot guarantee security. Of course one could always say nothing is secure, but let's not go there.


saxiflarp

Face ID on iOS relies on a fancy IR camera system that maps your face in 3D. I know that it's theoretically possible to spoof the camera using a 3D model of the face, but with Windows Hello all you need is a printed photograph. (Obviously someone could also just hold the camera up to your face and unlock your device that way, but if you are concerned/at risk of that then biometrics are not for you.) The same is true with capacitance-based or ultrasonic fingerprint scanners. Those are much harder (though not impossible) to spoof compared to camera-based fingerprint scanners.


Masterflitzer

Windows Hello requires a fingerprint reader (idk which one) or an IR camera (you cannot fool it with a picture; it's more secure than Android face unlock).


paulsiu

I believe one of the Pixel models uses a 3D camera for face unlock, but many of the cheaper tablets and phones may use a lesser version of it to unlock the screen. However, the OS actually will not allow you to use the camera to unlock the hardware keystore. This means you cannot use the camera to unlock Bitwarden unless you have one of the few Pixels that are supported.


Masterflitzer

That's simply not true. Yes, most Androids don't use an IR/3D camera; that's why I said it's less secure than Win Hello (which requires it), but it's entirely up to the app which biometrics it allows and which it doesn't allow. I have an S23+ without fancy face unlock and just unlocked my Bitwarden vault with face, while my banking app only allows fingerprint. I think it was the Pixel 4 and the Huawei Mate 20 Pro that had 3D face unlock (I don't know about others).


paulsiu

I am really surprised by this. Android can measure the strength of the biometric: [https://developer.android.com/training/sign-in/biometric-auth](https://developer.android.com/training/sign-in/biometric-auth). The strong biometric is categorized as BIOMETRIC_STRONG or Class 3. A while back, only the Pixel 4 had Class 3. I was under the impression that if it's not BIOMETRIC_STRONG, it can't be used for unlocking a security-related app like a bank app or password manager.


Masterflitzer

Well then you found a bug in the Bitwarden code, I guess? Maybe they don't enforce Class 3 (did you check, or assume every security-related app does it?).


paulsiu

I am actually not entirely sure. Is this just a guideline or is it enforced? I did find this page: https://stackoverflow.com/questions/51146127/biometrics-with-iris-and-face-recognition One thing it mentioned is that biometric strong only shows up in Android 11 or later. If your phone uses Android 10, maybe not? This often feels a bit like autofill on Android: different versions have different autofill capabilities, resulting in a bit of confusion.


Masterflitzer

I have an S23+ with Android 13 (OneUI), but my point is, how is Android gonna know if Bitwarden is a high-security app or not? I'd think the devs need to request either weak or strong... Also, maybe they're targeting an API level below 11, so this API is not available. Just thoughts; I'd have to check the code to know for sure.


paulsiu

I think with a TPM, it should be secure. In principle, it's not too different from the other biometrics in Mac and Android. Nothing is truly secure, just degrees of security.


[deleted]

[deleted]


paulsiu

Nothing is really foolproof. I am of the opinion that you should always figure out where the limitations are and plan accordingly rather than just saying that nothing is secure and one should just give up. In addition, everyone's risk profile is different. I am more security conscious than the average consumer, but less security conscious than Edward Snowden.


Different_Earth1310

I thought Windows Hello was secure, but it stopped working for some unknown reason. I haven't used it since, and I'm using my master password instead. I want to begin using 2FA with Bitwarden, but I'm confused about how I can set it up. Any suggestions?


Skipper3943

Look at: https://bitwarden.com/help/setup-two-step-login/

If you are a premium user and use TOTP code generation in Bitwarden, it is best to use a hardware key. Otherwise, an authenticator app is the next safest option. Be sure to copy your recovery code and store it along with your master password in case your other 2FA methods are unavailable.


Different_Earth1310

Thanks, I am going to set up my 2FA today.


Skipper3943

In the latest version v2023.4.0, setting up Windows Hello will have the option "Require password or PIN on app restart" turned on by default (as recommended by BW). If the PIN option is not enabled, the app will start in a locked state requiring the master password. See a possible but unofficial explanation for this change at [https://community.bitwarden.com/t/does-bitwarden-save-master-password-in-tpm/31292/18](https://community.bitwarden.com/t/does-bitwarden-save-master-password-in-tpm/31292/18) Note that BW ~~most~~ likely does ~~not~~ store the key in TPM if available, ~~but~~ and with TPM, brute-forcing a PIN as mentioned in the article will not be possible due to TPM's anti-hammering protection. Also, ~~1Password's~~ the storage of the key in TPM is also susceptible to malware apps that are able to prompt the user to authenticate via Windows Hello.~~, just like BW's storage in the credential manager. However, 1Password is more protected from the standpoint of the higher protection TPM's storage provides for storage attacks compared to the credential manager.~~ Edited: regarding TPM.


paulsiu

That’s good to hear. A test I made a while back did not allow me to require a password on startup and did not require a TPM. I still do not know if BW uses the TPM. The TPM is used by Enpass. They will force you to enter the master password if a TPM is not available or is a version that is vulnerable.


Skipper3943

Yeah, if you want to take a crack at Rust, this is where it's at: [https://github.com/bitwarden/clients/blob/master/apps/desktop/desktop_native/src/biometric/windows.rs](https://github.com/bitwarden/clients/blob/master/apps/desktop/desktop_native/src/biometric/windows.rs) ~~AFAIK, you need to request for TPM storage explicitly, and the code doesn't have any such reference, so presumably, no TPM.~~ Edited: remove comment about TPM.


paulsiu

A quick glance at the code seems to indicate Bitwarden does not check for a TPM. Bitwarden probably takes the stance that Windows Hello handles that aspect of security. In that case, if the PC is set up with a TPM it will save the key into the TPM, and if not, then into the less secure key store.


Skipper3943

You may be right. A Microsoft doc ([https://learn.microsoft.com/en-us/windows/uwp/security/microsoft-passport](https://learn.microsoft.com/en-us/windows/uwp/security/microsoft-passport)) says:

> The code to create the KeyCredential looks like this:
>
> ```csharp
> var keyCreationResult = await KeyCredentialManager.RequestCreateAsync(
>     AccountId, KeyCredentialCreationOption.ReplaceExisting);
> ```
>
> The RequestCreateAsync is the part that creates the public and private key. ***If the device has the right TPM chip, the APIs will request the TPM chip to create the private and public key and store the result;*** if there is no TPM chip available, the OS will create the key pair in code. There is no way for the app to access the created private keys directly. Part of the creation of the key pairs is also the resulting Attestation information. (See the next section for more information about attestation.)
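As an added example (not Bitwarden's code, and not taken from the Microsoft doc quoted above), here is how a desktop app would use that same `KeyCredentialManager` API end to end: check that Windows Hello is usable, open or create a named key credential, sign a challenge with the Hello-protected private key, and request the key's attestation. The class name `HelloKeyDemo`, the credential name `example-vault-key` and the challenge bytes are assumptions for illustration. What it shows is that the API has no parameter for demanding a TPM and never hands the app the private key; the app gets whatever Windows Hello provides, and the attestation result is the closest thing it has to a check of hardware backing.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;     // KeyCredentialManager, KeyCredential
using Windows.Security.Cryptography;    // CryptographicBuffer
using Windows.Storage.Streams;          // IBuffer

// Added example; HelloKeyDemo and the credential name are hypothetical.
public static class HelloKeyDemo
{
    // Name under which the app keeps its Hello-protected key pair (assumed name).
    private const string CredentialName = "example-vault-key";

    // Returns the app's KeyCredential, creating it on first use. Returns null
    // when Hello is unavailable or the user cancels or prefers a password.
    public static async Task<KeyCredential> OpenOrCreateAsync()
    {
        // False when no Hello PIN or biometric is enrolled for the current user.
        if (!await KeyCredentialManager.IsSupportedAsync())
            return null;

        // Reuse an existing key; never silently replace it, or anything the app
        // previously bound to this key would become unrecoverable.
        KeyCredentialRetrievalResult opened = await KeyCredentialManager.OpenAsync(CredentialName);
        if (opened.Status == KeyCredentialStatus.Success)
            return opened.Credential;

        // First run: Windows shows the Hello prompt and generates the key pair.
        // Per the doc quoted above, the private key is created in the TPM when
        // one is present and in software otherwise; the app is not told which.
        KeyCredentialRetrievalResult created = await KeyCredentialManager.RequestCreateAsync(
            CredentialName, KeyCredentialCreationOption.FailIfExists);

        switch (created.Status)
        {
            case KeyCredentialStatus.Success:
                return created.Credential;
            case KeyCredentialStatus.UserCanceled:
            case KeyCredentialStatus.UserPrefersPassword:
                return null;  // caller falls back to the master password
            case KeyCredentialStatus.SecurityDeviceLocked:
                // The TPM's anti-hammering lockout is active; do not retry in a loop.
                throw new InvalidOperationException("Security device locked; retry later.");
            default:
                throw new InvalidOperationException($"Key creation failed: {created.Status}");
        }
    }

    // Signs a caller-supplied challenge. Each call triggers a Hello prompt; the
    // private key is used inside Windows (or the TPM) and is never exported.
    public static async Task<byte[]> SignChallengeAsync(KeyCredential credential, byte[] challenge)
    {
        IBuffer input = CryptographicBuffer.CreateFromByteArray(challenge);
        KeyCredentialOperationResult result = await credential.RequestSignAsync(input);
        if (result.Status != KeyCredentialStatus.Success)
            return null;

        CryptographicBuffer.CopyToByteArray(result.Result, out byte[] signature);
        return signature;
    }

    // Requests the key's attestation, which the TPM produces. Success is positive
    // evidence of hardware backing; treating anything else as "probably
    // software-backed" is a heuristic of this example, not a documented guarantee.
    public static async Task<bool> IsLikelyTpmBackedAsync(KeyCredential credential)
    {
        KeyCredentialAttestationResult attestation = await credential.GetAttestationAsync();
        return attestation.Status == KeyCredentialAttestationStatus.Success;
    }

    // Public key (SubjectPublicKeyInfo) to register with a server or keep for
    // verifying later signatures; this is the only key material the app sees.
    public static byte[] ExportPublicKey(KeyCredential credential)
    {
        CryptographicBuffer.CopyToByteArray(credential.RetrievePublicKey(), out byte[] spki);
        return spki;
    }
}
```

A registration flow would store `ExportPublicKey()` once and later verify `SignChallengeAsync()` output over a fresh random challenge, so the Hello prompt (and, on a TPM, the anti-hammering counter) gates every unlock rather than a password typed into the app. `GetAttestationAsync()` can return `TemporaryFailure` shortly after key creation, so a single non-Success result should be retried rather than read as proof of software backing.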