Hi, I recently installed vaultwarden, especially for the TOTP feature.
I wanted to know if TOTP on Bitwarden/vaultwarden is secure enough.
Like, if someone breaks into my account, he can access my whole password database and the TOTPs.
I am using Aegis for now, but I’m really unsure about using the TOTP feature.
Really depends on your threat model, there are different schools of thought on storing TOTP codes with your password manager.
You can absolutely be creating a single point of failure and putting “all your eggs in one basket”, so to speak. As you correctly note, if someone were able to successfully gain access to your password vault (e.g. via a spear-phishing attack, some unknown vulnerability, etc.), then they could easily export all vault data such as passwords and TOTP secret seeds.
One way to avoid this is the practice of “peppering” your passwords, in which the full password generated by and stored in your Vaultwarden instance is not the full password used at login.
One may take a word or phrase to add somewhere to the generated passwords.
e.g. if your pepper phrase was “Christmas”, and the stored password in Bitwarden was something like “eVhtn$QMG8rm&x84”, then the full password used to log in would be “eVhtn$QMG8rm&x84Christmas”.
This would mean even if someone got into your password vault they would still not have the additional pepper needed to log in to any sites.
Though this does add an additional step, and many use password managers for their balance of security and convenience.
I personally don’t see much of a need to pepper passwords, as it could be quite cumbersome as mentioned, but YMMV depending on your individual situation.
In my opinion a password vault secured with a good strong passphrase with high entropy that is only used for that service, and secured with 2FA is secure enough for most cases. Also don’t fall victim to spear-phishing attacks.
Anything important, such as financial, production network, social media accounts, etc., is stored in a separate dedicated authenticator app.
For things that may be less important, such as homelab test environments, gaming and streaming services, etc., I still enable MFA wherever I can. These accounts are not “mission critical”, so to speak, and come with the added convenience of easily logging in to those accounts when needed, as well as being able to secure accounts with 2FA and still have them shared in an organization.
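To make the “single point of failure” point above concrete, here is an added example (not code from the thread, Bitwarden or Vaultwarden) implementing standard RFC 6238 TOTP on top of RFC 4226 HOTP. The seed is the only secret input: whoever can read it from a vault export can produce the same six-digit codes an authenticator app would, with no further information. The seed, timestamps and expected codes are the published RFC 6238 test vectors, so the output can be checked against the RFC; the Base32 helper mirrors how authenticator apps and vault “authenticator key” fields usually store the seed, which is an assumption about export format, not something the thread states.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    # Take 4 bytes at the offset, clear the top bit, reduce to the requested number of digits.
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def totp_from_base32(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """Same as totp(), but starting from the Base32 form a vault or authenticator export holds.
    Assumption: exports store the raw seed Base32-encoded, possibly unpadded and with spaces."""
    cleaned = seed_b32.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that exports often drop
    return totp(base64.b32decode(cleaned), unix_time, digits=digits)


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), constructed here, not a real account.
RFC_SEED = b"12345678901234567890"
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def rfc_vectors() -> dict:
    """Codes for the RFC 6238 reference timestamps; a defender can use these to verify an implementation."""
    return {t: totp(RFC_SEED, t) for t in (59, 1111111109, 1234567890)}


if __name__ == "__main__":
    # Demonstrates that the exported seed alone reproduces the live code an app would show.
    print("current code from the Base32 seed:", totp_from_base32(RFC_SEED_B32, int(time.time())))
    for t, code in rfc_vectors().items():
        print(f"t={t}: {code}")
```

The takeaway for the original question is that a TOTP seed is not like a hashed password: it is a reusable secret, so copying it from a vault is equivalent to cloning the second factor. That is why the reply above keeps seeds for high-value accounts in a separate authenticator rather than beside the password they protect.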