Bitwarden — Post-Quantum Cryptography Analysis
Bitwarden's vault data is encrypted with AES-256-CBC — symmetric, therefore quantum-safe (Grover's attack halves security to 128-bit, still acceptable). The higher risk comes from RSA-2048 used in organization key sharing and ECDH in the Secure Send feature. TLS connections use ECDHE key exchange, which is quantum-vulnerable to 'harvest now, decrypt later' attacks. A nation-state adversary capturing TLS traffic today could decrypt it when quantum hardware matures.
Findings
RSA-2048src/Core/Services/Implementations/UserService.csUsed for organization asymmetric key pairs. Quantum computers running Shor's break 2048-bit RSA.
ECDH (P-256)src/Core/Models/Data/Organizations/OrganizationUserDetails.csElliptic-curve Diffie-Hellman for secure share. ECDLP is quantum-vulnerable.
PBKDF2-SHA256 (low iteration count in legacy clients)src/Core/Auth/Models/Business/Tokenizer.csMaster password derivation. Low iteration counts (<100k) reduce classical brute-force resistance.
SHA-1 (legacy TOTP compatibility)src/Core/Auth/Services/Implementations/TotpService.csRFC 6238 TOTP uses HMAC-SHA1. Weak for collision resistance but acceptable for OTP use case.
Compliance note
The vault data itself is not immediately at risk — AES-256 gives 128-bit post-quantum security. The critical gap is the organization key sharing path (RSA-2048) and TLS transport susceptibility to HNDL attacks. Financial and healthcare organizations storing sensitive credentials should prioritize migration.
Is your codebase using any of these algorithms?
QuantumScan checks your repo in ~90 seconds. Free. No account needed. Supports GitHub, GitLab, Bitbucket, and ZIP uploads.
Run a free scan →