security against memory attacks? #236

New Issue

OVERLORD · 2026-02-04T18:51:39+03:00

OVERLORD commented

2026-02-04 18:51:39 +03:00

Originally created by @pdarcos on GitHub (Feb 21, 2019).

Hi everyone,

Great project.

Has anyone read the latest report regarding password managers all being vulnerable to reading password in memory? https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/

I wonder how bitwarden/bitwarden_rs would fare in this audit. Anyone have any more info?

Cheers

Originally created by @pdarcos on GitHub (Feb 21, 2019). Hi everyone, Great project. Has anyone read the latest report regarding password managers all being vulnerable to reading password in memory? https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/ I wonder how bitwarden/bitwarden_rs would fare in this audit. Anyone have any more info? Cheers

OVERLORD closed this issue

2026-02-04 18:51:48 +03:00

OVERLORD commented

2026-02-04 18:52:03 +03:00

@mprasil commented on GitHub (Feb 21, 2019):

I think this question needs to be asked upstream. We use upstream code for the client side.

Server itself (which is what bitwarden_rs does) only handles already encrypted data, so there isn't much to leak.

@mprasil commented on GitHub (Feb 21, 2019): I think this question needs to be asked upstream. We use upstream code for the client side. Server itself (which is what `bitwarden_rs` does) only handles already encrypted data, so there isn't much to leak.

OVERLORD commented

2026-02-04 18:52:20 +03:00

@mprasil commented on GitHub (Feb 21, 2019):

I'm going to close this, but feel free to reopen if you think this question is still relevant for some reason.

@mprasil commented on GitHub (Feb 21, 2019): I'm going to close this, but feel free to reopen if you think this question is still relevant for some reason.

OVERLORD commented

2026-02-04 18:52:28 +03:00

@dani-garcia commented on GitHub (Feb 21, 2019):

To add some extra info, all the clients have an option to auto-lock the vault that should remove the master pass from RAM. Other than that and using 2FA, there is no other solution, really. If an attackere has control of your devices you've already lost.

@dani-garcia commented on GitHub (Feb 21, 2019): To add some extra info, all the clients have an option to auto-lock the vault that should remove the master pass from RAM. Other than that and using 2FA, there is no other solution, really. If an attackere has control of your devices you've already lost.

OVERLORD commented

2026-02-04 18:52:34 +03:00

@pdarcos commented on GitHub (Feb 21, 2019):

@dani-garcia That's what I was thinking too.

Thanks for confirming. I've opened up a ticket in the BW repo about this since it is an upstream client side vulnerability. https://github.com/bitwarden/browser/issues/876

Cheers

@pdarcos commented on GitHub (Feb 21, 2019): @dani-garcia That's what I was thinking too. Thanks for confirming. I've opened up a ticket in the BW repo about this since it is an upstream client side vulnerability. https://github.com/bitwarden/browser/issues/876 Cheers

OVERLORD referenced this issue

2026-02-05 04:51:44 +03:00

[PR #236] [MERGED] Grammar fixes to README.md #2652

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#236