Inside Bitwarden: The power of multifactor encryption
The Bitwarden security track record reflects an unequivocal encryption approach.
Credential management vendors employ a common set of encryption safeguards for vault information: 256-bit AES, used by federal governments; PBKDF2 or Argon2 for key strengthening and password hashing to prevent brute force attacks; secure random numbers to gather entropy; and end-to-end design to ensure ultimate privacy for users.
Bitwarden stands out by adding multiple layers of encryption and cryptography everywhere vault information resides and passes through: in the cloud, across databases and servers, and on client devices. Before sharing the details, let’s understand what it means for users:
- Everything in a Bitwarden vault is end-to-end encrypted. No one, not even the Bitwarden team, has access to customer vault information.
- Even if a database or server were to be breached by malicious actors, multifactor encryption helps ensure that the data they obtain remains strongly encrypted and unreadable without the keys.
- Multifactor encryption provides both security and convenience. All of this protection works behind the scenes, so no action is required from customers.
As Bitwarden principal software engineer Matt Gibson puts it, “Encryption is the bread and butter of what Bitwarden offers.”
While bread and butter are easy concepts, encryption needs explaining: “It’s a mathematical procedure that takes plain text – something you can read – along with some cryptographic secrets and jumbles it up to produce something that looks totally random called ciphertext. The only way to reverse this is by knowing those same secrets used to create the ciphertext,” explains Gibson.
This means that in encryption, the ciphertext looks like gibberish and can only be decoded by its recipient – the person or website service it’s intended for. Encryption is critical for protecting emails, banking transactions, passwords, and other data from malicious hackers, spies, or online criminals.
The image below illustrates how Bitwarden encrypts data at rest and in transit, starting with data in client applications, then moving to the Transport Layer Security (TLS) layer. This TLS layer employs standards to ensure the website you’re interacting with is the right one and then encrypts data sent over the internet with keys that only you and the intended party have.
The encryption story continues into the Bitwarden cloud database, where the already-encrypted vaults are stored with an additional layer of encryption using a process known as transparent data encryption.
“Multifactor encryption is more than a list of protections. Bitwarden deploys encryption unique to where data reside – at a location or point in time. All of this is designed to protect your data,” said Gibson.
More details: Bitwarden security fundamentals and multifactor encryption
For Bitwarden customers, security starts with your master password – make it strong and unique. Here are some tips on how to achieve that. From there, implement two-factor authentication (2FA) across all your accounts, including Bitwarden.
After that, rest assured that Bitwarden multifactor encryption is working behind the scenes to fortify vault security. Unlike other password managers, Bitwarden does not require customers to download, print, and store secret keys (another encryption approach that puts the burden on users), which are easily misplaced or forgotten.
“Multifactor encryption empowers Bitwarden to make users as safe as possible, giving them full control over the initial key (their master password) for encryption, without any additional work for advanced security,” says Gibson. “This means that, in the event of a breach, even accounts with weak master passwords are well protected.”
With multifactor encryption, Bitwarden offers a differentiated approach that adds to the sum total of security and convenience. Start a free 7-day Enterprise trial and put your trust in a company that is at the forefront of encryption.