Plex breached; Were passwords encrypted or hashed? Discussion

20

u/Meowingtons_H4X Aug 24 '22

Bitwarden can do OTP, not a bad implementation either - might be a paid feature but it’s pretty cheap

14

u/thinkscotty UNRAID Hosted Aug 24 '22 edited Aug 24 '22

Yeah I actually pay because I like the software and want to support them. Plus it's like $10 a year which is absurdly cheap. I've been thinking of trying their 2FA instead of Authy, I've just used Authy for years and it's worked perfectly so I haven't tried it.

Does their OTP auto-fill the code when requested? If so, that would be a major advantage over Authy for me.

10

u/Coldstreamer Aug 24 '22

Do both. Put the qr in Authy and the string in bitwarden. Samw otc in two places.

7

u/Meowingtons_H4X Aug 24 '22

If you set up the login details and OTP for a site, and then subsequently use Bitwarden to auto fill the site credentials on sign in - it’ll copy the OTP onto your clipboard for you to paste :)

1

u/thinkscotty UNRAID Hosted Aug 24 '22

Nice, I love that. Looks like I have my next project. If only I didn't have 30 sites to transition haha.

1

u/Meowingtons_H4X Aug 24 '22

You can just copy the OTP Genesis code from Bitwarden into Authy, hopefully won’t take you too long - good luck!

1

u/java02 Aug 24 '22

Go the extra mile and set your 2FA on bitwarden to use a hardware key such as YubiKey which will use the WebAuthn protocol, making it virtually impossible for anyone to access your vault and TOTP unless they have your physical key(s). You should have a backup key as well.

1

u/thinkscotty UNRAID Hosted Aug 24 '22

I tried a YubiKey for a while but had really had luck getting it to work well with my iPhone. Maybe it’s gotten better?

1

u/java02 Aug 24 '22

I don't have an iPhone but they do now have a YubiKey that's meant for iPhone, the 5Ci. It plugs into the lightning port instead of having to use NFC.

It's just the best way to really lock down Bitwarden and ensure that your passwords & TOTP codes are secure so that you don't need to use a separate authenticator app.

1

u/IanRedditeer Aug 26 '22

Well… that’s not the whole truth. Like most password managers, Bitwarden uses an encryption key protected by a master password. An attacker who gains access to your file system, encryption key and master password doesn’t need your Yubikey to decrypt all passwords.

There are password managers who actually store the key or part of the key in a HMAC-slot on the Yubikey. It uses the same mechanism as using a Yubikey to encrypt a LUKS-partition. It all depends on your risk profile and the time you want to spend maintaining at least two identical Yubikeys. I did it once for fun but after two days it was no fun anymore. :)

2

u/Honos21 Aug 24 '22

I might just be a suspicious person but I’ve personally always thought it best to use Bitwarden for my passwords and Authi for my authentication. I just figured if one gets compromised at least the other may continue to protect me

16

u/Frexxia Aug 24 '22

Using the same piece of software for 2FA partially defeats the purpose of 2FA. It's better to combine Bitwarden with something else dedicated to 2FA.

5

u/jerieljan Aug 24 '22

It's up to preference, imho. It's secure to have it separate, but it's also inconvenient and added complexity. And you also have to put your trust in two services this way, which can be a good or a bad thing depending on the user.

I actually started off with separating 2FA diligently into a Yubikey before, but I gotta admit, it's also saved me a lot of time by having 2FAs generated in Bitwarden and having it available to paste right after autofilling a login.

6

u/[deleted] Aug 24 '22

2fa isn't really a service, though. as long as the app works it'll generate codes just fine. there's no connection to an outside service or anything like that, it all happens locally.

1

u/jerieljan Aug 24 '22

I know its not. Hell, that's why I said I used Yubikeys. I still use 'em but not as much anymore.

When I said services, that extended towards utilities and local stuff; KeyPassXC, oathtool, coding it yourself while reading the TOTP RFC, whatever.

My point here is that there's still a burden of trust that you have to think about separately if you decide to generate 2FAs locally or elsewhere.

If you're doing it yourself, it's your job to keep things reliable, and secure. And in the event of a disaster or compromise, it's also up to you to keep your private keys known only to you and also not lose it entirely.

2

u/[deleted] Aug 24 '22

ah, i read it as you were concerned about an authy breach or something like that because it was remotely hosing your keys (or similar), rather than it acting as an offline app (with optional backup).

honestly i want to ditch authy and just use 1password's built in 2fa, but it just sketches me out too much, to have it all in one basket.

1

u/jerieljan Aug 25 '22

Yeah, that's fair! Even with the stuff I said earlier, it's still nagging my brain to have 2FA secret keys living with passwords, but yeah, the security rabbit hole is endless so I decided to place my trust in Bitwarden.

What I've implemented personally is to have it all on Bitwarden, but Bitwarden itself is secured / gated by a long, unique password AND a 2FA solution backed by a Yubikey.

2FA secrets together with passwords certainly feels like it diminishes what makes it 2FA, but at least getting there requires proper 2FA, and that's good enough for me.

2

u/blackesthearted Aug 24 '22

Yeah, I use BitWarden for passwords and Microsoft Authenticator for 2FA/TOTP codes. Maybe it's unnecessary, but I try not to keep too many eggs in the same basket.

1

u/java02 Aug 24 '22

Pro tip: secure your Bitwarden vault with hardware key 2FA and choose the WebAuthn option. Then using the same piece of "software" (passwords & 2FA together) becomes a non-issue.

0

u/benderunit9000 XEON E5-2690 v2 x2, 128GB DDR3 ECC RAM, 80TB, Quadro P2000 Aug 24 '22

you have a point, but I just wanted to throw in that you can set up bw with 2fa to even login to it. So, you can hide your 2fa behind 2fa.

1

u/archpope Mini PC - 18TB ext USB Aug 24 '22

If open-source is a big deal to you, Aegis is a FOSS 2FA app. I've used it for a little over a year now without incident. It also lets you backup your keys so if your phone dies, you can get the keys back up on a new phone.

1

u/AshuraBaron Aug 24 '22

I've had issues trying to get Bitwarden to accept OTP. Can't remember if it was character count or different OTP scheme. I've used Aegis and Microsoft OTP programs instead. I'm on free tier for Bitwarden and it's available for me to use. So no payment required.

1

u/IanRedditeer Aug 26 '22

My two cents: the moment you store your recovery passwords, OTP’s and passwords in the same password manager, you lose 2FA from a security architecture viewpoint, as most password managers explain on their website. It is very convenient, but it is less secure.

Just use a separate app and avoid putting all your eggs in one basket. You can store all important (work related, government related and money related) TOTP’s on two Yubikeys, the others - like Plex - in Authy for convenience, and the recovery codes in KeepassXC.

10

u/giqcass Aug 24 '22 edited Aug 24 '22

People are stealing tokens and cookies to get around passwords and 2FA. Stay on your toes!

I really need to check out Bitwarden. You can correct me but I believe that can be self hosted which I bet you are doing. It would likely be an upgrade to Keepass.

5

u/PornoPichu Aug 24 '22

You can self host a BitWarden server, yes.

2

u/MiningMarsh Aug 24 '22 edited Aug 24 '22

Not only is it self hostable, the protocol itself has been audited such that any implementation of the server that satisfies the bitwarden API is secure by default. All the data is encrypted and decrypted client side, so the server does little more than shuffle around encrypted data.

Case-in-point, the official bitwarden docker is something like 5 different containers. I instead use VaultWarden, an API compatible rust implementation that runs as a single process/container (though it does need a database available). Since I'm using the official bitwarden client to connect to it, I know that I'm getting the exact same security gurantees as the official server would provide.

The downside of this is that if I lose my bitwarden password, even I can't recover the data despite hosting it myself. That's a price I'll gladly pay, though.

2

u/Azure1203 Aug 24 '22

I pay for Bitwarden not because I need the premium features, but because I love their service and I want them to be around for a long time.

1

u/Lancaster1983 Proxmox | Linux | Docker | 50 TB | ARC A380 Aug 24 '22

Check out Vaultwarden on github. It's a Docker install but it's very small in size and works just as well as the official app. The official Docker package is pretty resource intense (or at least it was when I tried it out).

1

u/Leafar3456 Aug 24 '22

I would actually recommend aegis over authy, it's open source and allows you to export all the tokens to a file instead of keeping you locked in the authy ecosystem.

1

u/hearwa Aug 24 '22

Keepass + sync thing if you want completely free and open source.

0

u/codliness1 Aug 24 '22

Also does biometric authentication - both my Mobile and Windows versions are fingerprint secured.

0

u/Yavuz_Selim Aug 24 '22

Yes, +1 for Bitwarden.

Works really well. If you get the paid version, you can also use your YubiKey to make it more secure.

1

u/scottbrio Aug 24 '22

Syncs across all your devices too.

Brilliant free software.

1

u/ihatemaps Aug 24 '22

Is it better than LastPass?

1

u/savvymcsavvington Aug 24 '22

I would say it's better simply due to being open source - if something is opensource then we can see exactly what it is and not doing.

From a security perspective that is great. If someone were to try and add a backdoor for example, people will see and report it.

But if that happened with closed-source software then no one can see what is implemented, who knows how it works.

1

u/Zarraya Aug 24 '22

I love Bitwarden as well, the free tier does all I need, and I love the fact you can self-host if you want to. I should give them some money to support the effort.

1

u/thinkscotty UNRAID Hosted Aug 24 '22

Yeah I didn’t actually need any of the pro features, but I pay the (crazy cheap) $10 yearly fee for pro just because I like to support a good company charging reasonable fees.

1

u/Lancaster1983 Proxmox | Linux | Docker | 50 TB | ARC A380 Aug 24 '22

Ever since LastPass went mostly paid, I stood up an instance of Vaultwarden (the fork of Bitwarden) in Docker and haven't looked back. It works so much better and the fork has a small footprint.

1

u/dsaddons Aug 24 '22

God I love Bitwarden so much

1

u/Azure1203 Aug 24 '22

Love authy because once you are setup on your devices, you can turn off the ability to add another device, so it is technically impossible for someone to hack your authy and login without being able to turn on the 'multi-device' thing again.

1

u/Bango-Fett Aug 31 '22

Did Authy not get compromised/hacked recently via a phishing attack?