My problems with Bitwarden’s lax security measures

Imagine this – you’ve got all your secrets stashed in a box that requires a key. This box is sitting in a very public place, say your city’s park. Also, a LOT of copies of the key lie hidden away somewhere – if you really know how to look, they’re there. You’re just trusting that people don’t know how to look for these keys, and it helps you sleep soundly at night. This, well, the above, is Bitwarden. What’s Bitwarden? Bitwarden is probably the most commonly used password manager, after LastPass decided to slash the free tier. Bitwarden stores all your secrets: all usernames, passwords, maybe some secure notes, some credit card details. All of your digital life is there.

Here’s the problem though: the key to access all this data might already exist on the internet. Actually, scratch that, it PROBABLY does exist on the internet! Can you verify this? Yes, but you have to pay, unfortunately. So now there is a price tag against your online security. What do I mean? Bitwarden does offer some kind of audit, like LastPass did. But this is locked to premium users only, listed under Vault Health Reports. Actually, I have no idea whether they check your username and master password – and I don’t want to compromise my account to verify whether this exists.

On the same subject, I bet that most of the users who use Bitwarden re-use passwords for their Master Password, probably passwords that got compromised in the past and tempted them to start using Bitwarden in the first place? Am I speaking from experience? I’ll let you answer that one yourself. There is no need to try it on my account though, promise!

Also, it gets worse. If your details do INDEED exist and someone compromises them, you’re done. By default (or at least for me) 2FA is not turned on. So if someone does get hold of your details – you’re toast. Why isn’t 2FA enforced by default? My McDonald’s app requires 2FA in order for my (initial) login to get some free fries! Why doesn’t my literal secret chest enforce 2FA? Not to mention that I don’t really like the 2FA that is offered with the free version – for this kind of 2FA I prefer SMS – but that’s just my opinion.

Sorry – but another thing. I think that having your username as your email is quite silly as well. I’d prefer to pick a username which might be arbitrary and exist only in Bitwarden’s universe. But having the email as the username prevents me from doing so. That means that, by simply signing up to the service, my account is automatically searchable against billions of compromised passwords, on sites such as https://haveibeenpwned.com/. I’d prefer it if the username was an actual free-text field. Gmail users MIGHT be able to get away with task-specific emails.

Here’s a take-away of all my woes:

  • The free account does not come with strong auditing capabilities, such as detecting re-used passwords.
  • Master passwords are probably re-used passwords
  • 2FA is not on by default
  • Username must be your email address

Of course, I understand that Bitwarden, as a company, is there to make money at the end of the day, but I feel that profits are coming in at the expense of giving people a properly secure platform to trust with literally all their online (and offline) secrets, which is a bit of a shame! In all fairness, the subscription for a year is very low at only $10, which solves the auditing issue and adds better 2FA capabilities.

Fortunately, this is all hypothetical, but it kept me up all night, literally. Onto the next one!

Why doesn’t a virus just terminate your Antivirus process? – Protected Process Light

...because it doesn’t have enough privileges to do so! Starting from Windows 8.1, Protected Process Light (PPL) was introduced. Protected Processes were first implemented in Windows Vista (mostly focused on DRM), but the scheme was greatly improved, such as having different levels of protection depending on the application.

There are multiple uses of PPL, but for this post, let’s focus on Antivirus software. We’ll also not be diving deep into how to develop this. If you’re developing this, you probably know far more than me and this blog.

Since antivirus (AV) software is at the forefront of stopping viruses from harming machines, it’s a very common target for viruses. Normally, AVs place a lot of rules and heuristics inside the application to protect against such threats, but PPL now enables antivirus software to run as a protected application under the PPL scheme.

There are multiple levels under the PPL scheme: from 0 to 7. 0 is no protection and 7 is maximum protection. The kernel is protected under level 7, critical Windows components are level 6 and antiviruses run at level 3. Processes with a higher level have more power and will trump lower levels in terms of accessibility. So, an antivirus cannot terminate a critical Windows process, since level 6 is higher than level 3.

Not all Windows components are protected under the PPL scheme. Critical applications such as smss.exe, csrss.exe and services.exe are under the PPL scheme, running at level 6. Applications such as Task Manager are not under the PPL scheme, and for a very valid reason.

The PPL scheme allows AV services to be launched as protected processes and shielded from loading untrusted code. Given that an AV has the PPL value of PROTECTION_LEVEL_CODEGEN_LIGHT (https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_protection_level_information), all DLLs that it loads need to have an equivalent DLL signature level or higher. This ensures that no DLL foul play, such as file replacement or planting, takes place. These checks are done at DLL load time by the Code Integrity Windows component.

If you’re looking to create an application under the PPL scheme, you’ll need to get it signed by Microsoft. Given that only Microsoft can sign applications to carry these kinds of protection levels, viruses can’t have this kind of protection. Keeping in mind that PPL processes run more privileged than non-protected processes (even those running as Admin), viruses simply cannot terminate AV processes.

You can see this for yourself – fire up Task Manager (in admin mode if you’d like) and try to close MsMpEng.exe (the Windows Defender service). If you try to terminate the process, Task Manager will just say “Access Denied”. This is because Task Manager is not under the PPL scheme, so it simply doesn’t have enough rights to terminate the AV.

[Screenshot: Attempting to terminate MsMpEng.exe]
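The Task Manager test above can also be reproduced programmatically. The script below is an added example, not code from the original post: it reads a process’s protection level with GetProcessInformation(ProcessProtectionLevelInfo), decodes it using the PROTECTION_LEVEL_* values documented for the PROCESS_PROTECTION_LEVEL_INFORMATION struct linked above (that list includes PROTECTION_LEVEL_ANTIMALWARE_LIGHT for anti-malware services alongside PROTECTION_LEVEL_CODEGEN_LIGHT), and then asks for a PROCESS_TERMINATE handle without ever calling TerminateProcess, so that an “Access Denied” result can be observed as a Win32 error code. Assumed: Windows 8.1 or later, the enum index 7 for ProcessProtectionLevelInfo taken from the order in processthreadsapi.h, and a PID (for instance MsMpEng.exe’s, from Task Manager) passed on the command line. The decoding helpers are pure Python; only the two Win32 wrappers need Windows.

```python
"""Added example (not from the original post): decode a process's PPL
protection level and check whether a PROCESS_TERMINATE handle can be opened.

Assumptions: Windows 8.1 or later; PROTECTION_LEVEL_* values and the
ProcessProtectionLevelInfo index (7) are taken from processthreadsapi.h.
"""
import ctypes
import sys

# ProtectionLevel values of PROCESS_PROTECTION_LEVEL_INFORMATION (processthreadsapi.h)
PROTECTION_LEVELS = {
    0x00000000: "PROTECTION_LEVEL_WINTCB_LIGHT",
    0x00000001: "PROTECTION_LEVEL_WINDOWS",
    0x00000002: "PROTECTION_LEVEL_WINDOWS_LIGHT",
    0x00000003: "PROTECTION_LEVEL_ANTIMALWARE_LIGHT",
    0x00000004: "PROTECTION_LEVEL_LSA_LIGHT",
    0x00000005: "PROTECTION_LEVEL_WINTCB",
    0x00000006: "PROTECTION_LEVEL_CODEGEN_LIGHT",
    0x00000007: "PROTECTION_LEVEL_AUTHENTICODE",
    0x00000008: "PROTECTION_LEVEL_PPL_APP",
    0xFFFFFFFF: "PROTECTION_LEVEL_NONE",
}
PROTECTION_LEVEL_NONE = 0xFFFFFFFF

# PROCESS_INFORMATION_CLASS.ProcessProtectionLevelInfo (assumed index from the header's enum order)
ProcessProtectionLevelInfo = 7

# Process access rights (winnt.h) and the error we expect on a PPL target
PROCESS_TERMINATE = 0x0001
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5


class PROCESS_PROTECTION_LEVEL_INFORMATION(ctypes.Structure):
    _fields_ = [("ProtectionLevel", ctypes.c_uint32)]


def protection_level_name(value):
    """Map a raw ProtectionLevel to its documented constant name."""
    return PROTECTION_LEVELS.get(value, "UNKNOWN(0x%X)" % value)


def is_protected(value):
    """Any level other than PROTECTION_LEVEL_NONE means the process is PP or PPL."""
    return value != PROTECTION_LEVEL_NONE


def _kernel32():
    # Explicit argtypes keep HANDLE pointer-sized on 64-bit Windows.
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetProcessInformation.restype = ctypes.c_int
    k32.GetProcessInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def query_protection_level(pid):
    """Read ProtectionLevel of `pid`; QUERY_LIMITED_INFORMATION is granted even on PPL targets."""
    k32 = _kernel32()
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        info = PROCESS_PROTECTION_LEVEL_INFORMATION()
        if not k32.GetProcessInformation(handle, ProcessProtectionLevelInfo,
                                         ctypes.byref(info), ctypes.sizeof(info)):
            raise ctypes.WinError(ctypes.get_last_error())
        return info.ProtectionLevel
    finally:
        k32.CloseHandle(handle)


def can_open_for_terminate(pid):
    """Return (True, 0) if a PROCESS_TERMINATE handle opens, else (False, Win32 error code).
    Only the handle is requested and immediately closed; nothing is terminated."""
    k32 = _kernel32()
    handle = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
    if handle:
        k32.CloseHandle(handle)
        return True, 0
    return False, ctypes.get_last_error()


if __name__ == "__main__":
    pid = int(sys.argv[1])  # e.g. the PID of MsMpEng.exe from Task Manager
    level = query_protection_level(pid)
    print("PID %d: %s (protected=%s)" % (pid, protection_level_name(level), is_protected(level)))
    ok, err = can_open_for_terminate(pid)
    if ok:
        print("PROCESS_TERMINATE handle: granted")
    else:
        tag = " (ERROR_ACCESS_DENIED)" if err == ERROR_ACCESS_DENIED else ""
        print("PROCESS_TERMINATE handle: denied, error %d%s" % (err, tag))
```

Run it from an elevated prompt against the Defender service PID and against an ordinary process such as notepad.exe to see the difference: the PPL target reports an anti-malware level and error 5 on the terminate-right handle, while the unprotected process reports PROTECTION_LEVEL_NONE and a granted handle. The same decoding table is useful in endpoint telemetry to flag security tooling that is unexpectedly running unprotected.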

You can read a bit more on how AVs are protected here: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-