Abstract
If an attacker can get access to the encrypted vault data stored locally on your device,
and you’ve configured a Bitwarden PIN as in the image below, the attacker can brute-force the PIN and gain access to your vault’s master key.
Effectively, Bitwarden may just as well store the data in plain text on disk.
Bitwarden does not warn about this risk.
The Bitwarden desktop client and browser extensions allow the user to unlock Bitwarden with a PIN.
This PIN can be set-up per device after logging in to an account using the master password.
All information pertaining to the PIN is stored locally on the device.
It cannot be used to sign in to an account (read: authenticate with the Bitwarden backend server), but it can be used to obtain access to the vault data, that has been synced and stored locally in encrypted form.
Let’s now assume that the user enables the PIN unlock and configures Bitwarden so that it doesn’t require the master password on restart.
Then a secret derived only from the user’s email and PIN will be used to encrypt the master vault key.
It stores roughly
[c = mathrm{Encrypt}_{mathcal{K}(mathrm{email}, mathrm{PIN})}(text{master key})]
on disk, where (mathcal{K}) is a key derivation function.
This means if an attacker can at any point gain access to the encrypted vault data stored on the device the attacker can brute-force the PIN:
the attacker can check whether decryption of (c) succeeds using the guessed PIN.
This brute-force will very likely be successful, since PINs are usually very low-entropy.
Now, granted, the key derivation function is PBKDF2 with 100000 iterations (+ HKDF), but that won’t hel
