Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

A developer forgot one word of their Bitwarden master passphrase and documented how they recovered it via local brute-force. Since the vault was locked but not logged out, they inspected the Firefox extension's storage via about:debugging to extract the email (used as salt), kdfConfig, and masterPassword_masterKeyHash. They then traced Bitwarden's source code to understand the two-step crypto: PBKDF2 key stretching to derive a masterKey, followed by 2 iterations of PBKDF2 to produce the local verification hash. A short Python script using xkcdpass's wordlist iterated through 7776 candidates and found the missing word on the first run. Along the way, the author flags a subtle cryptographic concern: Bitwarden uses the PBKDF2 iterations parameter for domain separation between the local and server-side hashes, which is fragile by design, though the specific parameter ordering (masterKey as password, userPassword as salt) avoids a practical backdoor.

Bruteforcing the Bitwarden master password I forgor 💀