Security of SecurePass

So. I've lots of questions regarding the security and privacy of SecurePass which I couldn't answer myself using available documentation.

I've read that the data is encrypted.

But what data? Just the passwords or metadata as well (which data fields within securepass are encrypted)? Are all these items in turn encrypted individually with an item key? Which algorithm(s) is/are used for the encryption? How is the password sharing facilitated? Is SecurePass open source? Where do I find technical insights? How does it compare to KeePass and/or services with better documentation such as Protonpass?

Why should I trust you? Where are the data centres located? Which jurisdiction is applied? How do you make sure that my data is safe and secure?

Find more posts tagged with

bitdefender password manager

Accepted answers

All comments

Scott

Hi @Printable

In general, here is their Privacy Policy which was updated last month. See 7.6 Bitdefender Password Manager and Bitdefender SecurePass.

https://www.bitdefender.com/en-us/site/view/legal-privacy-policy-for-home-users-solutions

As far as security, I would think SecurePass would fall in line with Bitdefender Password Manager, Bitdefender would make sure of that. See Privacy and Security:

https://www.bitdefender.com/consumer/support/answer/2700/

But, it would be nice if @Alexandru_BD would follow up with any additional information he could provide, and that eventually Bitdefender will create an updated SecurePass article with more information than below, unless I'm not aware of something else in that regard that has already been published by Bitdefender.

https://www.bitdefender.com/consumer/support/answer/107798/

Is my data safe in Bitdefender SecurePass?

Yes. SecurePass uses end-to-end encryption and requires both your Bitdefender login and master password to access your data.

And no, SecurePass is not open source, it is Bitdefender's closed source proprietary password manager.

Kind regards

Printable

Well... There's a bit of contradiction here.

I've read the privacy policy already and if you look closely at chapter 7.2 it states: "Bitdefender provides two password management solutions: Bitdefender Password Manager provided through a third-party provider and Bitdefender SecurePass, a password manager built on open-source technology."

I'd like to emphasise the "built on open-source technology" bit there. This can be read in two different ways. It's entirely possible that it means that the source code of the app could be open source - whilst still being in possession of the server backgrounds. But it'd show the tech savvy users and community how the encryption operates. Other solutions are open source as well whilst requiring a subscription. The part that matters here is transparency. I wouldn't have to raise these questions if the code was available. Some service providers provide their program sourcecode and audit their backend+code independently.

Also the "Bitdefender Password Manager provided through a third-party provider" bit is already a bit shady. Has bitdefender ever been in full control of the front and backend or is SecurePass the first time? If so that could mean a huge improvement to the old Bitdefender Password Manager with its unknown third party operator. I'm willing to put more trust in bitdefender than in unnamed third parties.

And then again chapter 7.2 states: "You will have full control all the time to your personal data in the Passwords vaults which may contain usernames, emails, passwords, secret keys, notes, addresses, personal IDs and credit card data. Vaults are not accessible to anyone, except the user; Bitdefender does not have access or control of passwords. All passwords are encrypted with a key, that only the user of the service has knowledge about, in one single place, with complex master password requirements."

"Bitdefender does not have access or control of passwords". This could either mean that the whole vault is encrypted or that it's just the passwords. Metadata such as emails, usernames, notes, etc could technically remain unencrypted. This might seem far fetched at first but in 2022 when LastPass was hacked they shared that the passwords were indeed encrypted but not the corresponding websites. That's a huge privacy risk in case of an attack.

I've also read the "end-to-end encryption" bit already on bitdefenders product webpage - but this still offers a flurry of possibilities. Is it using XCha-Cha20 or AES? If AES which one: 128? 256? Then again, is password hashing done with PBKDF2 like lastpass did it? Or is it Argon2 or bcrypt?

There's a lot of lessons to be learned once you dig into this 2022 lastpass hack and it's ongoing compromisation after that until at least August 26. 2022. Did bitdefender do its homework?

I'm already providing my premium security with loads and loads of trust and permissions - I even provide bitdefender with a flurry of permissions regarding my Gmail and Outlook accounts. Something I'd normally never do. I would've wished to see local spam protection in thunderbird etc to get an overhaul as well. But storing all my passwords in SecurePass based on the "trust" I put in the product is a gamble I'm not willing to take right now. Not with important details still being unknown. If I'd use the 2FA features even my 2FA would be at risk in case of a hack.

I'd love to see a complete post on how SecurePass is meant to stay secure. Technical backgrounds, reasoning, discussions bitdefender had, explanations - ProtonPass has all that on their blog and website easily accessible. They go into detail there whilst trying to explain it for average people. I'd love to see this from Bitdefender. That could mean an increase in sales as well - trust is of the essence in the business of password managers. And even I would consider switching from my trusty, transparent and fully open source KeePass vault. Still one of the gold standards to me. I'd love some password sharing and secure cloud storing. Meanwhile I'm still sitting here with my USB drive and homemade half-arsed cloud xD

Thank you Scott, you've tried your best :)

Scott

https://community.bitdefender.com/en/discussion/comment/348178#Comment_348178

Hello again :)

As far as open source, I've never seen Password Manager publicly audited by other developers etc. or has that ever been mentioned as far as I know, and I'm sure SecurePass is the same way. But like I say @Alexandru_BD can look at this when he gets back from his holiday time off, if not sooner.

Licensing: The search results mention that Bitdefender Wallet, which is a password manager module, is only available with Bitdefender’s paid security solutions (Antivirus Plus, Internet Security, and Total Security). This implies that the password manager is proprietary and not open-source.

Development: The search results mention that Bitdefender Password Manager is developed and maintained by Bitdefender, a private company. Open-source projects typically have a community-driven development process, whereas Bitdefender’s password manager appears to be developed and controlled by the company.
Code availability: There is no mention of the Bitdefender Password Manager’s code being publicly available or accessible, which is a key characteristic of open-source software.
Comparison to Bitwarden: In the Reddit discussion, users recommend Bitwarden as an alternative to Bitdefender Password Manager, highlighting Bitwarden’s open-source nature as a major advantage. This comparison implies that Bitdefender Password Manager is not open-source.

Cheers, and happy holidays :)

Scott

@Printable

Just to follow up, the original BD Password Manager was built on the SaferPass app, with some of Bitdefender's own inclusions. From what I understand, that app wasn't totally open source, so that also carried over to the BD version. As far as SecurePass, I'm not sure what that foundation is, but maybe in the updated article to include SecurePass, it was mentioned as being open source. Maybe it is to private 3rd party audits/scrutiny, and not a public type of open source that we think of as with Bitwarden on GitHub?

Like I say, hopefully we'll both find out more.

Cheers :)

Printable

The more one engages with the topic the deeper one tumbles down into a rabbithole xD

Glad you're enjoying it with me

Flexx

https://community.bitdefender.com/en/discussion/comment/348192#Comment_348192

Many technology vendors today rely on a collaborative approach, outsourcing certain aspects of their product development and manufacturing to third-party specialists. This strategy allows them to leverage specialized expertise, optimize production costs, and accelerate development cycles. By collaborating with best-in-class partners, vendors can enhance their product offerings, deliver more innovative solutions to the market, and maintain a competitive edge in rapidly evolving technological landscapes.

When it comes to Bitdefender, it's important to recognize that some third-party vendors play a key role in the foundation of its software products:

Bitdefender VPN: The Bitdefender VPN software, available on Windows, iOS, Android, and macOS, is built upon the architecture of Hotspot Shield.
Bitdefender Identity Theft Protection: This service is provided by IdentityForce (https://www.identityforce.com) and offers comprehensive identity protection solutions.
Bitdefender GravityZone Apps for Android and iOS: The mobile app for the Bitdefender GravityZone platform on both Android and iOS is developed by Zimperium. Zimperium also creates its own security app for Android and iOS, which features a similar user interface to the one developed for Bitdefender.

And there are more partnerships and integrations that further contribute to Bitdefender comprehensive security ecosystem.

Regards

Scott

https://community.bitdefender.com/en/discussion/comment/348196#Comment_348196

Thanks, but I don't want us to get off track, as we were both wondering about open source, let alone @Printable's first post SecurePass security questions :) Do you have any insights on those?

Regards

Flexx

https://community.bitdefender.com/en/discussion/comment/348197#Comment_348197

Based on the information I have gathered from the web:

Bitdefender Wallet was based on KeePass, an open-source password manager known for its strong encryption and local storage approach.
Bitdefender SecurePass is built using Bitwarden, an open-source password manager with cloud-based storage for syncing across multiple devices.
Bitdefender Password Manager is possibly based on SaferPass. However, unlike SaferPass, Bitdefender Password Manager does not have a website-based dashboard; it only has an extension-based dashboard.

Regards

Alexandru_BD

Hello,

The client side encryption is based on Curve25519 and Salsa20 - everything stored in the vault is encrypted by these two algorithms. When you share something with another user, the software uses public-private key cryptography to securely exchange the data between the users, so that the server has no access (not even temporary) to the data. Next to the regular TLS encryption, SecurePass also has an additional transport encryption layer between the client and server that allows it to pin the cryptographic identity of the system and protects the data. By design, the developers would not make a password manager that would leave customers vulnerable in any way. And yes, the previous Password Manager is based on Saferpass. As for the open source technology used, I don't have any insights on that at the moment, but if I find more information worth sharing, I'll post it here.

Regards,

Alex