by artjomb 1230 days ago
I disagree with the article that server-side iterations in this case are useless. They are used for access control.

Bitwarden's API likely doesn't permit anybody to access the encrypted blobs of anybody. You have to authenticate at the server to be able to access your blob. Since the iterations might be low for producing the master key and therefore the master password hash, the server must treat the master password hash as just another password and therefore iterate the hash quite often (100,000x).

Assuming no malicious insider or outside attacker gets their hands on the encrypted blobs, this is the most important attack prevention.
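An added illustration of the two-stage scheme the comment describes (this is example code, not Bitwarden's implementation and not part of the comment): the client stretches the password with a low iteration count to get the master key and an authentication hash, and the server then treats that hash as an ordinary password and stretches it again before storing it. The iteration counts, salt layout and key length are assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration only; not Bitwarden's real values.
CLIENT_ITERATIONS = 5_000     # assumed "low" client-side count from the comment
SERVER_ITERATIONS = 100_000   # the server-side count the comment quotes
KEY_LEN = 32


def client_master_key(password: bytes, email: bytes) -> bytes:
    """Client side: key that encrypts the vault blob; never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password, email, CLIENT_ITERATIONS, KEY_LEN)


def client_auth_hash(master_key: bytes, password: bytes) -> bytes:
    """Client side: the 'master password hash' sent to the server (one round,
    keyed on the master key, so the server never sees the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password, 1, KEY_LEN)


def server_enroll(auth_hash: bytes, salt: bytes = b"") -> tuple:
    """Server side: treat the received hash as just another password and
    stretch it with a fresh salt before it touches the database."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, KEY_LEN)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side: re-stretch the presented hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, stored)


def demo(password: bytes = b"correct horse", email: bytes = b"user@example.test") -> tuple:
    """Returns (correct password accepted, wrong password rejected,
    stored server record differs from the vault key)."""
    mk = client_master_key(password, email)
    salt, stored = server_enroll(client_auth_hash(mk, password))
    ok = server_verify(client_auth_hash(mk, password), salt, stored)
    wrong_mk = client_master_key(b"wrong password", email)
    rejected = not server_verify(client_auth_hash(wrong_mk, b"wrong password"), salt, stored)
    return ok, rejected, stored != mk


if __name__ == "__main__":
    print(demo())
```

The last flag in `demo()` is the point of the comment: what the server stores gates access to the blob, but it is not the key that decrypts it.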