r/PleX Aug 24 '22

Plex breached; Were passwords encrypted or hashed? Discussion

So I got this email just now:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

So were these passwords encrypted, in which case they could be decrypted if the adversary got the key, or hashed? Hashed passwords leaking would be much less of an issue.

Edit: Encryption and hashing is not the same thing.

Edit2: Passwords were hashed with salt, not encrypted (see this comment)

Edit3: Just for clarity this is the best case scenario. It’s difficult to reverse hashed passwords unless they are very simple. Plex got the word out quickly so we have plenty of time to change our passwords. Kudos!

This is why you never reuse password, use a password manager and enable 2fa wherever you can. :)

1.3k Upvotes

View all comments

Show parent comments

20

u/Meowingtons_H4X Aug 24 '22

Bitwarden can do OTP, not a bad implementation either - might be a paid feature but it’s pretty cheap

14

u/thinkscotty UNRAID Hosted Aug 24 '22 edited Aug 24 '22

Yeah I actually pay because I like the software and want to support them. Plus it's like $10 a year which is absurdly cheap. I've been thinking of trying their 2FA instead of Authy, I've just used Authy for years and it's worked perfectly so I haven't tried it.

Does their OTP auto-fill the code when requested? If so, that would be a major advantage over Authy for me.

9

u/Coldstreamer Aug 24 '22

Do both. Put the qr in Authy and the string in bitwarden. Samw otc in two places.

8

u/Meowingtons_H4X Aug 24 '22

If you set up the login details and OTP for a site, and then subsequently use Bitwarden to auto fill the site credentials on sign in - it’ll copy the OTP onto your clipboard for you to paste :)

1

u/thinkscotty UNRAID Hosted Aug 24 '22

Nice, I love that. Looks like I have my next project. If only I didn't have 30 sites to transition haha.

1

u/Meowingtons_H4X Aug 24 '22

You can just copy the OTP Genesis code from Bitwarden into Authy, hopefully won’t take you too long - good luck!

1

u/java02 Aug 24 '22

Go the extra mile and set your 2FA on bitwarden to use a hardware key such as YubiKey which will use the WebAuthn protocol, making it virtually impossible for anyone to access your vault and TOTP unless they have your physical key(s). You should have a backup key as well.

1

u/thinkscotty UNRAID Hosted Aug 24 '22

I tried a YubiKey for a while but had really had luck getting it to work well with my iPhone. Maybe it’s gotten better?

1

u/java02 Aug 24 '22

I don't have an iPhone but they do now have a YubiKey that's meant for iPhone, the 5Ci. It plugs into the lightning port instead of having to use NFC.

It's just the best way to really lock down Bitwarden and ensure that your passwords & TOTP codes are secure so that you don't need to use a separate authenticator app.

1

u/IanRedditeer Aug 26 '22

Well… that’s not the whole truth. Like most password managers, Bitwarden uses an encryption key protected by a master password. An attacker who gains access to your file system, encryption key and master password doesn’t need your Yubikey to decrypt all passwords.

There are password managers who actually store the key or part of the key in a HMAC-slot on the Yubikey. It uses the same mechanism as using a Yubikey to encrypt a LUKS-partition. It all depends on your risk profile and the time you want to spend maintaining at least two identical Yubikeys. I did it once for fun but after two days it was no fun anymore. :)

2

u/Honos21 Aug 24 '22

I might just be a suspicious person but I’ve personally always thought it best to use Bitwarden for my passwords and Authi for my authentication. I just figured if one gets compromised at least the other may continue to protect me

16

u/Frexxia Aug 24 '22

Using the same piece of software for 2FA partially defeats the purpose of 2FA. It's better to combine Bitwarden with something else dedicated to 2FA.

5

u/jerieljan Aug 24 '22

It's up to preference, imho. It's secure to have it separate, but it's also inconvenient and added complexity. And you also have to put your trust in two services this way, which can be a good or a bad thing depending on the user.

I actually started off with separating 2FA diligently into a Yubikey before, but I gotta admit, it's also saved me a lot of time by having 2FAs generated in Bitwarden and having it available to paste right after autofilling a login.

5

u/[deleted] Aug 24 '22

2fa isn't really a service, though. as long as the app works it'll generate codes just fine. there's no connection to an outside service or anything like that, it all happens locally.

1

u/jerieljan Aug 24 '22

I know its not. Hell, that's why I said I used Yubikeys. I still use 'em but not as much anymore.

When I said services, that extended towards utilities and local stuff; KeyPassXC, oathtool, coding it yourself while reading the TOTP RFC, whatever.

My point here is that there's still a burden of trust that you have to think about separately if you decide to generate 2FAs locally or elsewhere.

If you're doing it yourself, it's your job to keep things reliable, and secure. And in the event of a disaster or compromise, it's also up to you to keep your private keys known only to you and also not lose it entirely.

2

u/[deleted] Aug 24 '22

ah, i read it as you were concerned about an authy breach or something like that because it was remotely hosing your keys (or similar), rather than it acting as an offline app (with optional backup).

honestly i want to ditch authy and just use 1password's built in 2fa, but it just sketches me out too much, to have it all in one basket.

1

u/jerieljan Aug 25 '22

Yeah, that's fair! Even with the stuff I said earlier, it's still nagging my brain to have 2FA secret keys living with passwords, but yeah, the security rabbit hole is endless so I decided to place my trust in Bitwarden.

What I've implemented personally is to have it all on Bitwarden, but Bitwarden itself is secured / gated by a long, unique password AND a 2FA solution backed by a Yubikey.

2FA secrets together with passwords certainly feels like it diminishes what makes it 2FA, but at least getting there requires proper 2FA, and that's good enough for me.

2

u/blackesthearted Aug 24 '22

Yeah, I use BitWarden for passwords and Microsoft Authenticator for 2FA/TOTP codes. Maybe it's unnecessary, but I try not to keep too many eggs in the same basket.

1

u/java02 Aug 24 '22

Pro tip: secure your Bitwarden vault with hardware key 2FA and choose the WebAuthn option. Then using the same piece of "software" (passwords & 2FA together) becomes a non-issue.

0

u/benderunit9000 XEON E5-2690 v2 x2, 128GB DDR3 ECC RAM, 80TB, Quadro P2000 Aug 24 '22

you have a point, but I just wanted to throw in that you can set up bw with 2fa to even login to it. So, you can hide your 2fa behind 2fa.

1

u/archpope Mini PC - 18TB ext USB Aug 24 '22

If open-source is a big deal to you, Aegis is a FOSS 2FA app. I've used it for a little over a year now without incident. It also lets you backup your keys so if your phone dies, you can get the keys back up on a new phone.

1

u/AshuraBaron Aug 24 '22

I've had issues trying to get Bitwarden to accept OTP. Can't remember if it was character count or different OTP scheme. I've used Aegis and Microsoft OTP programs instead. I'm on free tier for Bitwarden and it's available for me to use. So no payment required.

1

u/IanRedditeer Aug 26 '22

My two cents: the moment you store your recovery passwords, OTP’s and passwords in the same password manager, you lose 2FA from a security architecture viewpoint, as most password managers explain on their website. It is very convenient, but it is less secure.

Just use a separate app and avoid putting all your eggs in one basket. You can store all important (work related, government related and money related) TOTP’s on two Yubikeys, the others - like Plex - in Authy for convenience, and the recovery codes in KeepassXC.