Bitwarden users who store their email account credentials within their Bitwarden vaults would have trouble accessing the sent codes if they are unable to log in to their email.
To prevent getting locked out of your vault, be sure you can access the email associated with your Bitwarden account so you can access the emailed codes, or turn on any form of two-step login to not be subject to this process altogether.
You must log in or # to comment.
Fuck Bitwarden.
They gave 3 days of notice. 🤡 Absolute shitshow.
Use Keepass, minimize your reliance on cloud. The “cloud” is just someone elses computer.
I self host Bitwarden (aka Vaultwarden) and recommend that to anyone who is comfortable hosting a container. For everyone else I still think Bitwarden cloud is the best most trustworthy free cloud credential manager.
KeePass rules though, I used it for years. I no longer recommend it mostly due to the difficulty of securely syncing the database which generally forces people to rely on a cloud provider anyway.
I’d say the title would be more precise like “starting February, 2FA will be required for all users” as tth email is also a form of 2FA.
I think it’s good, especially when done on the device level, making it that I don’t have to use the 2FA part every single time I login, it’s a good balance between security and usability
I understand this change by Bitwarden, but I wish they gave us the option to turn this off or at least given us more time before forcing this on us.
There’s a lot of comments talking about how this increases security, which is true. But it also increases the risk of account lockout. This is especially true in two scenarios: traveling and incapacitation.
Traveling - for those of us who travel frequently, we carry all of our belongings with us. This makes us particularly vulnerable to account lockouts. We can’t securely store backup devices or documents in easily accessible locations. We can’t easily rely on trusted friends or family because they are so far away. Also, internet accounts are more likely to lock us out anyway because we are logging in from a different country, which is suspicious behavior.
Incapacitation - god forbid, if there comes a time when we are permanently or temporarily incapacitation, it becomes important for our loved ones to access accounts. When we are in the hospital, it’s important that our loved ones get access to our personal accounts. I personally have advanced directives and have worked with an estate lawyer to make sure that my Bitwarden account becomes available. I also have instructions for immediate trusted family on how to access my vault if I were ever in the hospital. With this short notice, I need to scramble to get all of that updated and provide a way for them to access the account without my 2FA devices.
The above scenarios are based off of my real experience. These are real and likely risks that I have to account for. Security is not just making sure that outside bad actors CANNOT gain access, but it also means that the right people CAN get access at the right time.
What am I going to do? I’m weighing my options.
- I believe the self-hosted version of Bitwarden does not require this. This comes with its own set of risks though.
- Pay for premium, which comes with lockout support - I need to see if this can take care of both use scenarios above.
- Turn on 2FA and memorize the recovery code. While viable, since I will only use the recovery code once, I’m likely to forget it.
- Change the email to a non-2FA email address, only used by Bitwarden, with a strong but easily memorable password. This email must allow access from foreign countries without lockout (gmail is out). I’m actually strongly considering this.
I’ve had a good experience self hosting Bitwarden (using Vaultwarden). I’ve printed off some instructions for my wife or family to gain access in case something happens to me. I haven’t done this yet but I also want to occasionally export my vault to an encrypted USB to keep alongside things like passports and birth certificates.
Those might be good options for you too considering the risks you’ve outlined.
The other option for traveling that might be better is use Keepass with the file stored on your phone, that way no internet is needed and there’s no chance of lockout from your password DB.
Bitwarden caches passwords locally so if your self hosted instance goes down or is inaccessible to can still access those caches credentials and OTP codes.
I tested this thoroughly and was very nervous that a server outage at home would lock me out of the credentials I need in order to fix it. It’s been good enough for me to get by until I can fix whatever is broken.
My email is the only account that isn’t in my password manager. It is by far the most important account because basically all of my other passwords can be changed if someone has my email. My password manager password and my email password are the only 2 I have to remember, and they are both very strong passwords. Remembering 2 strong passwords isn’t much harder than remembering 1 to me.
Shit no. I can’t access my Email without 2FA. I can’t access my 2FA file without Bitwarden What do I do?
I have another 2FA app (Aegis) with the same keys added for my email and any other critical stuff.
use any other 2FA app for your email so you aren’t in a 2FA loop.
This is one of the reasons my main email is a (unique) password I still memorize, so if my password manager fails catastrophically I can still get in.
Find a new single point of failure?
I like to just use passwords I know with my brain.
Thats fine if it works for you.
My comment on all of this was purely that Bitwarden password was a single point of failure. Now we can shift that single point of failure somewhere else!
I’m not sure what the solution is.
Probably my mail
This is why I turned on 2FA with Aegis soon as I heard this news. I set them up with two passwords I remember well, and have biometrics set on both apps so fingerprint is all I’ll need 9/10 times.
I did it years ago when they sent me an email suggesting to do exactly that.
My problem with this is my email accounts are locked behind bitwarden. Can’t login to email without bitwarden. If both my devices get stolen at the same time I’m fucked. I’m not going to pay for premium to enable a emergency contact.
Downloaded bitwardens authenticatior app. Now firefox on my computer is asking for me to press on a security key which I assume is some sort of biometrics my computer doesn’t have.
I love 2FA I just don’t see how it is supposed to work if you need bitwarden to open your email to get your 2FA code.
Let’s say your backpacking through south america and both your devices get robbed. Your ticket home is in your email. What’s the solution here? You can’t go to a coffee shop and login to your email because its securely locked behind bitwarden. You can’t login to bitwarden because you can’t access your 2FA from your email.
What am I missing?
Use something else for 2fa not email. I used to use keepass for 2fa on my laptop and phone, but now I’m using ente auth. It’s convenient because I can login ente auth anywhere and get a code but the only thing is you’ll need to remember 2 passwords which is worth it imo.
So I need a 2FA application? Just seems a little ridiculous as that is what I use email for. So my bw pass is well over 25 chars and I need to have another app that requires an equally strong pass. Just seems a little overkill! Especially changing passwords every year.
You only need to enter the 2fa code once on a new device. How often do you switch devices for this to be a significant effort?
I rebuild my OS sometimes three times a year.
I’d hardly consider it overkill for protecting literally all of your online passwords.
I remember two passwords. My email and my password manager. Oh, and one of my banks.
Locking the key in the vault, or the backup vault, didn’t make sense to me. It also made sense for me to have access to one bank even if I lose both “vaults”.
My email pass is over 25 more or less random characters that I change about once a year. That’s why I use bitwarden!
You provided a situation where your phone was robbed and you didn’t plan for it so you didn’t print the relevant information.
So… Prepare ahead? Go to a relevant office with identification to get access to the relevant tickets again?
“What can I do if all the tools at my disposal to get the relevant information are stolen?” You get fucked. Idk what else to tell you.
using a password manager without 2FA is insanity, glad they’re doing it
Insanity is doing such a drastic chance on less than 3 days notice, a change that could potentiallt lock out people that aren’t very tech savy, and only found Bitwarden by a techy friend’s recomendation, or just happened to see it on their phone’a app store.
Absolute Shitshow 🤡
3 days notice lmfao, Fuck Bitwarden
Keepass all the way!
Edit: And its not really a 3 day notice. The first real email notice I got was Jan 30 morning at EST, just a few hours ago. February is like less than 48 hours. Wtf
Insanity is when you lose or can’t access your 2FA device and you’re locked out of your account.
That’s what recovery codes are for.
Sounds like a second password then.
…which you keep in a separate secure location in case you lose your 2FA device.
Why can’t I keep my password in a secure location then?
obviously you do but it can be leaked, phished, or hacked in other ways. a second “factor” such as possession of a token device is a safeguard against that.
you can actually read about all this many places online, it’s nothing new: https://en.wikipedia.org/wiki/Multi-factor_authentication
From the wikipedia link you posted:
Account recovery typically bypasses mobile-phone two-factor authentication
It also lists more advantages than disadvantages.
shit, why can’t i just keep the secondary password instead of relying on notoriously insecure sms, or notoriously privacy invading email?
why am i forced in some instances to rely on third parties?
I can’t believe people are arguing about and downvoting this. Especially for a service that holds all of your passwords, it’s the highest priority thing for you to secure.
Me losing my devices is much higher on my threat model than someone trying to brute-force my Bitwarden password.
/1. we’ve covered this already. that’s why recovery codes exist.
/2. losing your device is not a threat to your accounts saved in bitwarden, you’d just have to reset your passwords. it sucks, but that’s not a security threat.
/3. there’s way more than brute-force attacks out there.
This is being purposefully obtuse. Choosing to force users to memorize a recovery code increases the likelihood of lock outs.
There is a real risk of account lockout, especially for those of us who travel frequently. Lockouts are a significant risk when you need to carry all your belongings and devices.
There are also some of us who also think about what happens to us when we are incapacitated and a loved one needs access to our passwords. In a situation, it’s important to balance security vs expediency to access critical information. This new policy disrupts that.
At the very least, I wish Bitwarden would have given us more time to force this policy. I have to scramble to make changes to my estate planning documents and get in contact with my lawyer to change my advanced healthcare directives.
Choosing to force users to memorize a recovery code
now who’s being purposefully obtuse.
Never underestimate the human capacity for short-sighted laziness.
Recovery codes.
insanity is also relying on a single 2FA device, ffs
- Have multiple factors
- 3-2-1 vault backups
- Setup emergency access if you have a person you trust
- Keep at least one device with BW synced at any moment, so you have offline access
Where do you store your 2FA recovery codes?
On my home PC. Same with the 2fa export of aegis.
“What if you can’t access blah”There’s a limit to interoperability, if you want access to everything everywhere even when you lose access for whatever reason, you will have to concede security.You could save a keepass file with secure notes of both the bitwarden 2fa and recovery codes and save it in drive or whatever, you don’t need passwords nowadays to access the Google account.“But what if I lose access to my phone?”Well you are fucked, what else do you want? I guess you could print the recovery keys and store them in a secured box at home.Edit: I read further down that your comment was meant to incite other to actually think and do stuff. Sorry if I came of rude.
On Bitwarden!
Well thats a good way to lock yourself out of your account!
Well, not really. Vault is cached on your devices, so if you have it unlocked or available on one of them you can always use it to check your 2FA.
By the way, it was a joke. I also use Aegis as a backup.
two places:
\1. secure location in your home (physical copy in a safe or a digital copy on an encrypted disk)
\2. in case of a disaster like a home fire where you lose the 2FA device and local backup: in a remote location such as an encrypted file in a cloud service or at a trusted friend/family’s house.
I know the recommendations. Im suggesting that everyone take a look at those practices and be sure to have them implemented.
If you’re not printing out the codes on paper and sticking them in a safe deposit box as a remote backup, you’re absolutely risking it.
ok, sorry for answering what appeared to be a genuine question.
Nah you hit the nail on the head. I 100% agree with you. Sorry if I came off brash.
Sorry, basic question here. I’m running vaultwarden, I host my own vault that bitearden apps access. I don’t think my vault has a mail server, how fucked am I?
You’re good. Self hosted vaults are not affected by that
I also host my own vaultwarden and don’t have a mail server. I was able to put SMTP settings in vaultwarden so it’s able to send the email out.
@ForgottenFlux I lost one of my pair of hardware keys last week. Waiting for replacement to arrive - #Bitwarden will be the first thing I register it into
Is it possible to change emails on the account? I haven’t found how…
You can also register a MFA app and lock recovery codes in your PC.
This has been announced with enough time, you still have time to download another app like aegis or whatever. This is only for new logins however, you will still have access to bitwarden wherever you are already logged on.
This is the first I’m hearing of this, but, honestly, I’m all for it. I have Aegis and will add this mfa step, but needed to change email anyway and this was a great reminder of that.
It is possible here I think : https://vault.bitwarden.com/#/login
Edit: after logging in : settings -> my account (if I recall correctly)
The link to this web page is available on the app : settings -> about -> Bitwarden web vault
And this changes the username to the new email, too?
Yep so you have to “switch user” after that on computer and mobile where your old email is remembered.
Sweet! As long as I don’t lose access, I’m good. I’ve been trying to do that for a while, since I lost access to my old email (my own stupid fault), but couldn’t figure out how to do it on the app… because you can’t haha I’ll have to try that through the webapp! Thanks!
Edit: it worked! Thanks so much!
