
MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
The Linux kernel has been FOSS since day one; however, all Pentium IIs and AMDs at the time suffered from the F00F bug, and that one had been around for at least 5 years at the time it was patched. That was both a software and design flaw in the CPU's architecture as well as the kernel.

Same goes for the Spectre and Meltdown bugs, which affected every CPU except ARM. Intel's code for it was FOSS, and numerous developers, including Linus Torvalds himself, stated it to be complete garbage and implemented a better solution.

To answer your question of why this is coming up now, this all stems from everyone taking more forensic looks at code due to the LastPass breach. Everyone is on edge, so everyone is getting a deeper look into their implementations.

BL.

So when you say "a bug was found" do you mean that someone found a workaround to breach, or do you mean people actually wrote the code, saw the code, knew about it all along and just ignored it?

Can we assume closed source software is in a worse situation since not as many people read it and review it? For example, can we assume something like Dashlane is filled with security holes except that no one can detect them as easily since it's closed source?

Also, if I increase the hash iterations in the settings, are we on the safe side now? And why doesn't Bitwarden just auto do this for all users?
 

bradl

macrumors 603
Jun 16, 2008
5,916
17,395
So when you say "a bug was found" do you mean that someone found a workaround to breach, or do you mean people actually wrote the code, saw the code, knew about it all along and just ignored it?

A bug is when a system isn't behaving as it's designed to behave.

A vulnerability is a way of abusing the system (most commonly in a security-related way) - whether that's due to a design fault or an implementation fault.

So with the F00F, spectre, and meltdown bugs, it was a fault in the design of the architecture that let that flaw be abused by the vulnerabilities created to abuse that bug.

Can we assume closed source software is in a worse situation since not as many people read it and review it? For example, can we assume something like Dashlane is filled with security holes except that no one can detect them as easily since it's closed source?

It can be said that way, yes. However, on the other side of that coin, FOSS can have bugs inserted into the code tree and pass peer review, and make it into the release of the compiled binary; worse, it could be an implementation that is normal and correct, based on the architecture's spec, but still have the bug, because the bug was introduced further upstream.

For example with password managers, let's say that a FOSS password manager allowed RC4 or SHA-1 for its encryption methods. The developers of that code correctly implement those encryption algorithms into that password manager. The code is clean and with no bugs in how it was coded. However, since there were bugs in RC4 and SHA-1, in which both encryption methods are completely broken, those bugs now exist in the password manager, despite the developers being absolutely correct with the code they've written.

Now, some malicious user comes along and abuses those bugs by creating vulnerabilities to be used against that password manager, and that is where we get the problems coming up with both Dashlane and LastPass.

FOSS can be safer than closed source, as long as everything upstream from it (architecture specs, algorithms, etc.) is safe and secure as well.

Also, if I increase the hash iterations in the settings, are we on the safe side now?

Yes; that is what the article is saying to do.

And why doesn't Bitwarden just auto do this for all users?

That is what Bitwarden is interpreting as a "feature request", hence everyone's bewilderment.

BL.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
It can be said that way, yes. However, on the other side of that coin, FOSS can have bugs inserted into the code tree and pass peer review, and make it into the release of the compiled binary; worse, it could be an implementation that is normal and correct, based on the architecture's spec, but still have the bug, because the bug was introduced further upstream.

The same could be said about closed source software. They can be using other FOSS code in there (I think) or their own flawed code. Except with closed source software, no one is there to see the code and know it's happening.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696

johnkree

macrumors 6502
Jun 23, 2015
279
281
Austria
I am not sure how a CLI password manager is useful, as one of the most important features of any manager is to autofill.
There are browser extensions for Firefox and Chrome that will autofill by button, like Bitwarden. It's completely open source, you can define everything you want yourself, it's highly encrypted and it is cross OS.
The only downside is that there are no mobile apps for it.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
There are browser extensions for Firefox and Chrome that will autofill by button, like Bitwarden. It's completely open source, you can define everything you want yourself, it's highly encrypted and it is cross OS.
The only downside is that there are no mobile apps for it.

Hmm... are you saying it works with Bitwarden?

This seems geared towards programmers, because I hear they like everything in CLI.
 

johnkree

macrumors 6502
Jun 23, 2015
279
281
Austria
Hmm... are you saying it works with Bitwarden?

This seems geared towards programmers, because I hear they like everything in CLI.
No no. It is similar to the Bitwarden browser extension. Which means that you have to press the button to fill in the credentials and the password. It's not like Apple Passwords autofill. But I'm ok with that. I will try it myself today and report back.

Oh, and there is even an iPhone client, Pass for iOS, that works with gopass. So... it seems too good to be true.
I have followed this thread almost since the beginning. I know that you often said: few devs are bad because the code isn't reviewed a lot. But think about this: using almost unknown software also adds a layer of protection because it's not attractive for hackers.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
No no. It is similar to the Bitwarden browser extension. Which means that you have to press the button to fill in the credentials and the password. It's not like Apple Passwords autofill. But I'm ok with that. I will try it myself today and report back.

Oh, and there is even an iPhone client, Pass for iOS, that works with gopass. So... it seems too good to be true.
I have followed this thread almost since the beginning. I know that you often said: few devs are bad because the code isn't reviewed a lot. But think about this: using almost unknown software also adds a layer of protection because it's not attractive for hackers.

So what's the specific advantage of this password manager specifically over something like KeePass? Just the CLI?
 

johnkree

macrumors 6502
Jun 23, 2015
279
281
Austria
Did you ever open an Electron app and feel like you were opening a browser that first has to connect to somewhere else? Most password apps are clunky, more or less. Open Bear, then open Notion. 1Password 6 used 70 MB of RAM, 1Password 7 used about 400 the last time I tried it.

CLI is superfast and uses next to no resources. I have a crossword generator in Python; it doesn't even show up in the resources window. Terminal is using 36 MB of RAM while I use it.

It is the same on Windows and Mac. I mean, the same the same. Not like Keepass. I used Keepass besides Apple Passwords the last 2 years. On Windows. On Mac I used Strongbox. And while it is similar, it is not the same. Keepass on Windows is a mixed experience, with so many settings and stuff to do to make it work. It's not convenient.
Strongbox on Mac is easier to handle but it is also very complex.

At last it is more secure. You said somewhere else that using a well known manager platform like Keepass in a combination with an app that is made by few people like Strongbox may not be a good combination and I think you're right. With a CLI app you can be sure that only a handful of nerds will ever use it. This will never be attractive for a hacker. Devs will always concentrate on one thing: the code. And not how they will sell their app. Compared to Strongbox, where they always have to work on getting the UI better to get more customers.
 

gregmac19

macrumors regular
Jul 28, 2016
186
134
Did you ever open an Electron app and feel like you were opening a browser that first has to connect to somewhere else? Most password apps are clunky, more or less. Open Bear, then open Notion. 1Password 6 used 70 MB of RAM, 1Password 7 used about 400 the last time I tried it.

CLI is superfast and uses next to no resources. I have a crossword generator in Python; it doesn't even show up in the resources window. Terminal is using 36 MB of RAM while I use it.

It is the same on Windows and Mac. I mean, the same the same. Not like Keepass. I used Keepass besides Apple Passwords the last 2 years. On Windows. On Mac I used Strongbox. And while it is similar, it is not the same. Keepass on Windows is a mixed experience, with so many settings and stuff to do to make it work. It's not convenient.
Strongbox on Mac is easier to handle but it is also very complex.

At last it is more secure. You said somewhere else that using a well known manager platform like Keepass in a combination with an app that is made by few people like Strongbox may not be a good combination and I think you're right. With a CLI app you can be sure that only a handful of nerds will ever use it. This will never be attractive for a hacker. Devs will always concentrate on one thing: the code. And not how they will sell their app. Compared to Strongbox, where they always have to work on getting the UI better to get more customers.
"At last it is more secure." This is utter BS.
 

johnkree

macrumors 6502
Jun 23, 2015
279
281
Austria
"At last it is more secure." This is utter BS.
Ah, this is a very helpful comment. You seem to be a security expert. Now, if it is not too much work for you, maybe you can enlighten this forum and elaborate on your helpful comment a little bit?

The security of a program depends on many factors. While it's true that lesser-known programs may not be immune to security vulnerabilities, they may have some advantages over more popular programs, such as having a smaller codebase and fewer features to review for vulnerabilities. Additionally, the smaller user base for lesser-known programs makes them less of a target for attackers, which also improves their security.

This should be pure logic, but maybe logic is not something you are accustomed to. Then maybe you start reading some scientific evidence about it:
  • A 2015 study by Symantec found that the top 50 software programs installed on users' computers were responsible for 80% of the vulnerabilities discovered in those systems. The study also found that less popular programs tended to have fewer vulnerabilities.
  • A 2016 study by the National Institute of Standards and Technology (NIST) analyzed data from the National Vulnerability Database and found that software popularity was a significant factor in predicting the number of vulnerabilities discovered in that software.
  • A 2017 study by the University of Maryland and the Fraunhofer Institute for Experimental Software Engineering found that software popularity was negatively correlated with the quality of the software's code. The study also found that more popular software tended to have more bugs and security vulnerabilities.
  • A 2010 study by Microsoft found that there was a strong correlation between the size of a program's codebase and the number of security vulnerabilities discovered in that program. The study found that programs with fewer lines of code tended to have fewer vulnerabilities.
  • A 2014 study by the University of Cambridge analyzed the source code of a number of popular software projects and found that there was a correlation between the size of the codebase and the number of security vulnerabilities. The study found that projects with more lines of code tended to have more vulnerabilities.
  • A 2017 study by the University of Maryland and the Fraunhofer Institute for Experimental Software Engineering found that software quality was negatively correlated with code complexity. The study found that more complex code tended to have more bugs and security vulnerabilities.
  • A 2015 study by the University of California, Davis analyzed the security of several popular Linux command-line tools and found that they tended to have fewer security vulnerabilities than their GUI counterparts. The researchers attributed this to the fact that CLI tools typically have a smaller codebase and fewer dependencies than GUI tools.
  • A 2018 study by the University of Texas at San Antonio analyzed the security of several popular web browsers and found that command-line browsers like Lynx and w3m were more secure than their GUI counterparts. The researchers attributed this to the fact that CLI browsers don't support certain features like JavaScript, which are often used in web-based attacks.
 

gregmac19

macrumors regular
Jul 28, 2016
186
134
You stated something as fact: "At last it is more secure." You provided absolutely no evidence to back this statement up. None. I merely called out your lie.
 

johnkree

macrumors 6502
Jun 23, 2015
279
281
Austria
You stated something as fact: "At last it is more secure." You provided absolutely no evidence to back this statement up. None. I merely called out your lie.
Is it because studies have proven that the market share of Windows attracts more malware programmers than Linux or Mac, or is it simply a matter of pure logic? After all, why would a hacker bother to target a system that is only used by a handful of people when they can easily compromise millions of machines by exploiting a security flaw in an app that is widely used? It's a well-established fact that 80-90% of all malware is designed to target Windows. This cannot be solely attributed to the openness of an operating system, as Linux, which is open source, only accounts for less than 1% of malware infections. These are undeniable facts.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
Did you ever open an Electron app and feel like you were opening a browser that first has to connect to somewhere else? Most password apps are clunky, more or less. Open Bear, then open Notion. 1Password 6 used 70 MB of RAM, 1Password 7 used about 400 the last time I tried it.

CLI is superfast and uses next to no resources. I have a crossword generator in Python; it doesn't even show up in the resources window. Terminal is using 36 MB of RAM while I use it.

It is the same on Windows and Mac. I mean, the same the same. Not like Keepass. I used Keepass besides Apple Passwords the last 2 years. On Windows. On Mac I used Strongbox. And while it is similar, it is not the same. Keepass on Windows is a mixed experience, with so many settings and stuff to do to make it work. It's not convenient.
Strongbox on Mac is easier to handle but it is also very complex.

At last it is more secure. You said somewhere else that using a well known manager platform like Keepass in a combination with an app that is made by few people like Strongbox may not be a good combination and I think you're right. With a CLI app you can be sure that only a handful of nerds will ever use it. This will never be attractive for a hacker. Devs will always concentrate on one thing: the code. And not how they will sell their app. Compared to Strongbox, where they always have to work on getting the UI better to get more customers.

Indeed it might be lighter to use, but the average person needs a GUI to interact with. CLI is for the masters of coding. Heck, even Linux hardcore users run GUI apps and a DE.

Most apps no matter how heavy they are use marginal resources compared to the power of the modern devices.

Is it because studies have proven that the market share of Windows attracts more malware programmers than Linux or Mac, or is it simply a matter of pure logic? After all, why would a hacker bother to target a system that is only used by a handful of people when they can easily compromise millions of machines by exploiting a security flaw in an app that is widely used? It's a well-established fact that 80-90% of all malware is designed to target Windows. This cannot be solely attributed to the openness of an operating system, as Linux, which is open source, only accounts for less than 1% of malware infections. These are undeniable facts.

Popular platforms have more vulnerabilities, but that doesn't mean less popular ones do not, and you only need one to break the security and lose your passwords.

If I were a thief, I would target the least secure, not the most popular. Even if it was just 1,000 users, that's 1,000 credit cards!
 

johnkree

macrumors 6502
Jun 23, 2015
279
281
Austria
Popular platforms have more vulnerabilities, but that doesn't mean less popular ones do not, and you only need one to break the security and lose your passwords.

If I were a thief, I would target the least secure, not the most popular. Even if it was just 1,000 users, that's 1,000 credit cards!
While it is true that less popular platforms can also have vulnerabilities, it is important to consider the scale of the impact of a successful attack. Popular platforms often have millions or even billions of users, which means that a single vulnerability could potentially impact a huge number of people.

On the other hand, a less popular platform with only a few thousand users may not be as attractive a target to attackers. Even if an attacker manages to successfully exploit a vulnerability, the number of potential victims would be significantly smaller.
You are right in that any platform can have vulnerabilities but the potential impact of a successful attack on a popular platform can be significantly greater than that of a less popular platform. Therefore, it is important for all platforms to prioritize security, but the scale of the impact should also be considered when assessing the level of risk.

One study published in 2020 by Positive Technologies analyzed the security of popular mobile banking apps and found that 95% of the apps contained at least one security vulnerability. The study also found that the more popular apps tended to have more vulnerabilities than less popular ones.

Another study conducted by Comparitech in 2019 analyzed the security of various social media platforms and found that the more popular platforms tended to have more data breaches and security incidents.

These studies suggest that popular platforms and apps may be more attractive targets for attackers, which can lead to more frequent and severe security incidents.

CLI is for the masters of coding.
This is not true, at least not on a Mac. It's not for the average housewife, that's true, but doing simple stuff like unrar, downloading videos, scanning for system errors, ... is easy and sometimes easier and less stressful than with a GUI counterpart. Terminal saves every input, and with arrow down and up you can look for it and don't have to put it in twice. It is very convenient.
 

gregmac19

macrumors regular
Jul 28, 2016
186
134
This is not true, at least not on a Mac. It's not for the average housewife, that's true, but doing simple stuff like unrar, downloading videos, scanning for system errors, ... is easy and sometimes easier and less stressful than with a GUI counterpart. Terminal saves every input, and with arrow down and up you can look for it and don't have to put it in twice. It is very convenient.
"This is not true, at least not on a Mac. It's not for the average housewife,..."

Nice sexist comment!
 

Apple_Robert

Contributor
Sep 21, 2012
34,291
49,540
In the middle of several books.

MisterSavage

macrumors 601
Nov 10, 2018
4,605
5,448
Thanks for posting. I wasn't aware that Bitwarden had followed through with the user request. I just changed mine.

Edited to add: I just changed the iteration in Strongbox as well.
No problem! I bumped up the values for these also after changing to Argon2.

Kdf iterations: 10

Kdf memory: 256

Kdf parallelism: 16
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696

I thought increasing the iterations solved the Bitwarden issues (which I did). Is this even better? Or what's going on here?

The feature will be opt-in, and should be available on the same page as the password iteration settings in Bitwarden's web vault.

If it's better, why is it opt-in and not the standard? Is there a reason not to switch to the new method?
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
No problem! I bumped up the values for these also after changing to Argon2.

Kdf iterations: 10

Kdf memory: 256

Kdf parallelism: 16

This is getting complicated for a simpleton like me, and the rest of the average internet users.
 

MisterSavage

macrumors 601
Nov 10, 2018
4,605
5,448
I thought increasing the iterations solved the Bitwarden issues (which I did). Is this even better? Or what's going on here?

If it's better, why is it opt-in and not the standard? Is there a reason not to switch to the new method?

Well, they cover it in the article. It's an implementation that makes it much tougher for an attacker to brute force your vault.

PBKDF2 AES iterations rely on a high number of iterations to hash the passwords in an effort to deliberately slow the attacks. With 600,000 it will take a long time to brute-force a vault, and it can be taxing on the CPU. Argon2 not only slows down this threat, but also consumes memory for running passes, and it also has a degree of parallelism that is determined by the number of CPU cores/threads. Let's just say it's a lot more expensive for a hacker, both in terms of time and resources, to attack an Argon2 encrypted database.

I wouldn't switch to the new method if your device/browser/etc doesn't have the Feb update (version 2023.2.0). But if you hit a problem you could just use the web vault to switch back. Always make a backup of your data before making changes like this.
 
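A worked illustration of the trade-off MisterSavage describes, added here as an example (not Bitwarden's own code): it derives a vault key with PBKDF2-HMAC-SHA256 at the 600,000 iterations mentioned above and, when the third-party argon2-cffi package is installed (an assumption), with Argon2id at the iteration/memory/parallelism values posted earlier, then turns the measured per-guess time into the number of guesses a defender should assume one machine can make per day. The password, salt and the lower comparison count are constructed.

```python
"""Why KDF settings matter: every candidate master password an attacker tries
costs one full key derivation.  PBKDF2 raises that cost only in CPU time;
Argon2id adds a memory cost and a parallelism factor.  Added example, not
Bitwarden's code; password, salt and comparison counts are constructed."""
import hashlib
import time

# Settings quoted in the thread: PBKDF2 at 600,000 iterations, and Argon2
# with iterations 10, memory 256 (MiB) and parallelism 16.
PBKDF2_ITERATIONS = 600_000
ARGON2_TIME, ARGON2_MEMORY_MIB, ARGON2_PARALLELISM = 10, 256, 16


def pbkdf2_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password with PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=32)


def argon2id_key(password: str, salt: bytes, time_cost: int,
                 memory_mib: int, parallelism: int):
    """Argon2id via the optional argon2-cffi package (assumed installed);
    returns None when it is missing so the PBKDF2 part still runs alone."""
    try:
        from argon2.low_level import Type, hash_secret_raw
    except ImportError:
        return None
    return hash_secret_raw(password.encode(), salt, time_cost=time_cost,
                           memory_cost=memory_mib * 1024,  # library wants KiB
                           parallelism=parallelism, hash_len=32, type=Type.ID)


def seconds_per_derivation(fn, *args) -> float:
    """Wall-clock cost of one derivation, i.e. the cost of one guess."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


def guesses_per_day(sec_per_guess: float, parallel_workers: int = 1) -> float:
    """Candidate passwords a defender should assume one machine can test per
    day at the measured per-guess cost.  More workers mean more guesses, but
    with Argon2id each worker also needs its own memory block in RAM."""
    return 86_400 * parallel_workers / sec_per_guess


if __name__ == "__main__":
    salt = b"constructed-16byte"  # real vaults use a per-user random salt
    for iters in (PBKDF2_ITERATIONS // 10, PBKDF2_ITERATIONS):
        t = seconds_per_derivation(pbkdf2_key, "correct horse", salt, iters)
        print(f"PBKDF2 {iters:>7,} iterations: {t:.3f}s/guess,"
              f" ~{guesses_per_day(t):,.0f} guesses/day/core")
    if argon2id_key("probe", salt, 1, 8, 1) is None:
        print("argon2-cffi not installed; skipping Argon2id timing")
    else:
        t = seconds_per_derivation(argon2id_key, "correct horse", salt,
                                   ARGON2_TIME, ARGON2_MEMORY_MIB,
                                   ARGON2_PARALLELISM)
        print(f"Argon2id t={ARGON2_TIME} m={ARGON2_MEMORY_MIB}MiB "
              f"p={ARGON2_PARALLELISM}: {t:.3f}s/guess plus "
              f"{ARGON2_MEMORY_MIB} MiB of RAM held per guess in flight")
```

Doubling the iteration count doubles the per-guess time and halves the guesses per day, which is the whole effect of the setting change discussed in the thread; Argon2id adds the memory term on top, so a guess cannot be made cheaper by throwing only CPU at it.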

MacBH928

macrumors G3
Original poster
May 17, 2008
8,275
3,696
Well, they cover it in the article. It's an implementation that makes it much tougher for an attacker to brute force your vault.

I wouldn't switch to the new method if your device/browser/etc doesn't have the Feb update (version 2023.2.0). But if you hit a problem you could just use the web vault to switch back. Always make a backup of your data before making changes like this.

Bitwarden should already be doing backups on their own; at least the PRO version should. It's a "safety net" of cloud based services.
 

MisterSavage

macrumors 601
Nov 10, 2018
4,605
5,448
Bitwarden should already be doing backups on their own; at least the PRO version should. It's a "safety net" of cloud based services.
I'd be shocked if they weren't. What I was trying to indicate is that it would be unwise to not have a backup yourself when you're fiddling with encryption settings. If the worst case scenario happened and you somehow got locked out of your data, you would still be covered.
 