Fido2 is one of the more secure types of 2FA with a security key and up until now it wasn't supported on mobile. Not sure about the other
https://bitwarden.com/help/article/setup-two-step-login-fido/
Bitwarden will hash the password. This creates a fixed length of 256 characters every time. Bitwarden takes the first 5 of them and sends them to the haveibeenpwned servers and that server reports back all hashes that start with those 5 characters. That set of hashes is sent back to your Bitwarden where they're compared. If one matches in full the hash of your password then it's safe to assume your password has been in a breach.
The comparing happens at your computer and your full length of password is never sent over, only the first 5 characters to narrow it down.
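The range query described in the reply above, as an added example that is not part of the original post or of Bitwarden's own code. It assumes the Pwned Passwords range API's format (SHA-1 hex digest, first five hex characters sent, response lines of `suffix:count`); the response body and the breach counts below are constructed so the code runs offline, and `fetch_range` is a stand-in for the HTTP call.

```python
import hashlib

# Constructed stand-in for the body returned by GET /range/<prefix>.
# Each line is the remaining 35 hex characters of a SHA-1 digest and a count.
# The SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so its prefix is "5BAA6"; the counts here are made up, not real HIBP data.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "003D68EB55068C33ACE09247EE4C639306B:3",   # constructed filler entry
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",   # constructed filler entry
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the network request; only the prefix is sent."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the (sample) breach corpus.

    The comparison happens locally: the server only ever sees the prefix,
    and the client checks whether its own suffix is in the returned set.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a long unrelated passphrase"):
        print(pw, "->", breach_count(pw))
```

Swapping `fetch_range` for a real HTTP GET against the range endpoint is the only change needed to run this against the live service; the suffix comparison and the privacy property stay the same.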
The data stored on your local device is encrypted with your master password. It is only decrypted when you unlock your vault and then it resides in RAM, not local storage.
https://bitwarden.com/help/article/data-storage/
That said, a hacker with access to your device could capture your master password. So only install software from trusted sources, don't click on links, etc.
Regarding the usage of [email protected], in the event that your email leaks or the website you're using your email at is breached (and most of them if not all do not encrypt emails), it would be pretty easy to get your main email just by removing anything between the + and the @.
Some websites, when sending emails or when signing up, straight up don't accept or ignore the plus sign when submitting it to their database.
I would highly recommend, as I have made the switch a few days ago, to use real alias emails through SimpleLogin.io or AnonAddy.com (both open-source and can be self-hosted) where you create aliases there either through your own domain name (easier if you decide to switch services later) or theirs. If the email ever leaks or starts getting spammed, you would easily disable it.
There are other services similar to those two but most are not open source, cannot be self hosted (Firefox Relay for example) and with limitations.
I suggest you take a look at services like that and see what may fit your needs in addition to other features that may be interesting.
Yes your vault is stored locally so if Bitwarden exploded you would still have access to your data in the app / extension etc. You can also periodically do exports. Finally, it’s open source so subject to being forked or maintained by the community in the event the company went under or something however unlikely it is
Yes if you self host you will utilize docker containers. Deployment instructions here - https://bitwarden.com/help/article/install-on-premise-linux/ No support for raspberry pi currently but believe that is something they’re supposed to be releasing.
I remind folks self hosting is a privacy feature not a security feature. Unless you’re a very talented IT professional, letting Bitwarden & Azure handle securing the servers etc is prob the best :-) I self host a test instance for learning / practice etc. but “daily drive” the cloud offering
If OP has good 2FA on the vault (like a Yubikey), I would argue that it's ok to use Bitwarden for your TOTP seeds.
And I do strongly encourage 2FA on the Bitwarden account. SMS has known weaknesses, email relies on the security of the email account, and TOTP means relying on another app, since you obviously can't use Bitwarden for THAT.
You might also appreciate this Bitwarden blog post.
Here you go: https://bitwarden.com/blog/building-a-strong-security-stack/
While there are some great recommendations in there I wouldn’t suggest you ever go 100% off of one resource, it’s usually good to poke around and see what others say about these.
whoops, that was our mistake. It should be gone soon. The best way is to follow our github repos (for the absolute most granular info) - and then checking out the release notes mentioned above on bitwarden.com/help. You can also subscribe to status.bitwarden.com via RSS and get notified of any issues/updates/releases, etc.
Bitwarden uses zero-knowledge protocol, all the data is encrypted before it leaves your computer. You don't need to care at all if all data is public while in transit as it is encrypted. Nobody can read your data.
Check this:
> 1. Does free version of BW support 2FA (Authenticator or similar, not harware device)
Free supports TOTP and email for 2FA.
>1. Does free version of BW have password challenge (security checkup) to check for duplicate account passwords, weak passwords, etc?
That's only at the premium level.
>1. Are you able to subscribe to Premium 1 month at a time or only for the full year?
No, it's a full year for $10. When you factor in the per-transaction costs for a monthly payment and how cheap it is, I think that's fair.
>1. Are you able to share usernames/passwords on free version or is that only premium?
Not entirely sure what you're asking? At the free level you and your partner can share a single "collection". Read this and see if this is what you want. If it's more than two of you, or if you need more than one collection, you'll need a paying plan.
>1. What is the purpose of the 'Free org' account? What is sharing a collection mean?
See the previous answer.
>1. How do you export passwords from Lastpass if you are locked into the mobile app?
I just saw someone else answer this! Sign up for their premium trial, export your vault, and then cancel the trial.
Are you asking about how to make the switch? Start here.
I don't understand your question about $36/year. That's the LastPass price. Bitwarden has a $10/year premium subscription, but there's no need to buy that right away.
Here is an article from their site for where on the system it is stored - https://bitwarden.com/help/article/data-storage/ You can delete these files & directories for your respective system and clients
As others have said though, the data is encrypted and useless without your master password.
You know that Google Authenticator can export your 2FA codes?
I mean you have already pointed it out.
So why this post? I mean.. you need to do the backup manually for the other apps too.
https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en
>In the Authenticator app, tap More More and then Transfer accounts and then Export accounts.
>
>Select which accounts you want to transfer to your new phone, and then tap Next.
>
>If you transfer multiple accounts, your old phone may create more than one QR code.
Bitwarden offers several forms of 2FA: The free options are either email (they email you a 6 digit code), or TOTP which requires some kind of Authenticator app (to generate a 6 digit code based on the time of day).
In premium there are additional methods like Duo, Yubico OTP, and FIDO2/Webauthn.
You can have multiple forms of 2FA enabled at the same time as well, for redundancy. Technically that’s a slight decrease in security but for the average user it’s negligible and in your case—concerned about not locking yourself out while traveling—it’s probably a good idea.
In any case, once you enable some form of 2FA you should immediately store your 2FA Recovery Code in a safe place. This code will disable 2FA on your Bitwarden vault, enabling you to login in again in the event that you’ve lost your primary form of 2FA.
So back to your question, which I assume is referring to a TOTP (Time-based One Time Password) using an authenticator app: depending on which app you’re using, and what devices you’re using them on, there are ways to have backups. Some apps enable you to backup to the cloud, for example.
You can search this subreddit for about a gazillion discussions on TOTP apps. The short version is for iOS: Authy, Raivo OTP (open source), or OTP Auth (also works on macOS). For android Aegis or Authy. I don’t use windows, so I can’t recommend a desktop app, but there surely are some.
If you haven’t already, check out: https://bitwarden.com/help/article/setup-two-step-login/
And: https://bitwarden.com/blog/basics-of-two-factor-authentication-with-bitwarden/
Also verify your Vault Timeout Action in Settings is set to Log Out, not Lock.
If worse comes to worse, login to the web vault and go to Settings and at the bottom click on "Deauthorize Sessions". That will log you out everywhere and reset any "Remember me" settings, forcing a relog and 2FA again.
All the things you mention plus individual (or zipped together) copies of any important document/txt/pdf files from my PC, just as an off-site backup and for access should I need them.
I’ve heard of one person saving their wedding photos there, as well.
Also, with the Send functionality, you could put pretty much any file under 500MB that you want to securely share with someone else.
Hi!
You'll just create an Organization and select the Family plan. Then you'll invite members to your Family Organization.
Here's some helpful documentation:
https://bitwarden.com/help/article/getting-started-organizations/
Not sure if this only applies to self-hosting (that’s what I do, so I’m just backing up the whole instance), but there is an option to use the CLI: https://bitwarden.com/help/article/export-your-data/
Great question!
The cloud is the system of record. If you edit an item that is “out of date” the app will let you know that you need to sync before editing.
There’s more info on syncing here: https://bitwarden.com/help/article/vault-sync/
>Bitwarden uses end-to-end encryption for all vault data. Only your email and master password can decrypt your vault. Bitwarden does not have the ability to see any data in your vault.
>
>Since your data is fully encrypted before ever leaving your local device, no one from the Bitwarden team can ever see, read, or access your data. Bitwarden servers only store encrypted and hashed data. This is an important step that Bitwarden takes to protect you. To put it simply, your data is encrypted at the moment it is stored on your device and remains that way until you view it with your unique email and master password combination.
If you’re willing to do the work, you can accomplish something similar already with a combination of Custom Fields (Just create a text field named Yubikey and set it to “Yes”) and Advanced Searches (>fields:Yubikey to show ones you set, >-fields:Yubikey to show ones where the text field does not exist).
Can even make it more specific. If you set the field for all entries to Yes or No, you can show them with:
>+fields:Yubikey +Yes
Or
>+fields:Yubikey +No
That user is wrong
https://bitwarden.com/help/article/data-storage/
Also see their article on encryption. Your encrypted data is stored on their servers, cached to your phone and decrypted with your master password locally. You can log out of all your devices and delete all your apps and your data is still available at vault.Bitwarden.com ( the cloud )
You can do that easily with the Bitwarden CLI and PowerShell. Once you're logged in, just run this command:
bw list items | ConvertFrom-Json | Where-Object { $_.login -and $_.login.password.Length -le 8 } | Select-Object name
The Teams and Enterprise plans have Event Logs which will show when a shared password in an Organization was used by someone. Other than that, AFAIK, Bitwarden does not show when passwords were last used, only when a password or custom field was last changed.
A cursory search of the forums does not show any posts for something like this, but if you'd like to see it added to Bitwarden you can create a feature request for it in the Feature Request forum section.
I can recommend open source Joplin. It supports end-to-end encrypted notes and is available for Windows, OSX, Linux, Android and iOS.
Using Bitwarden for notes feels a bit clumsy if you have a lot of them.
Everything in your 'vault' is encrypted but there is your Bitwarden account data itself such as, but not limited to, your name, email, billing data, IP address etc. stored on their servers which isn't encrypted. This is no worse than LastPass. In fact it's better because I think LastPass stored quite a bit outside of the encrypted storage such as URLs equivalences etc. when I last checked.
Ah-HAH! The .pux format is not as arcane as we had feared. It is a zip file with some metadata, the file attachments (great idea. BTW), and a JSON file.
The good news is that JSON files are quite legible and easy to work with. This is actually the preferred export format for Bitwarden. The bad news is that massaging the JSON for importing into Bitwarden requires a small matter of programming 😶
Bitwarden says what's needed, but they don't offer a lot of constructive help on how to make those changes.
Bless up. This is amazing. I didn't realize you can also do the same to auto copy TOTPs. Here's the documentation page if people want more info.
1 and 2. Agreed. Some things in Bitwarden aren't as intuitive. LastPass is ugly indeed, but they did a good job with navigation using the keyboard instead of the mouse.
Despite the several issues with Bitwarden, notably the ones mentioned in 1 and 2, I still use Bitwarden. I think it's still the best free password manager. With BW, you can access your vault from an unlimited number of devices for free (with LP, either PC only or mobile only). Also, BW is open-source. Their philosophy surrounding cybersecurity seems much more transparent and genuine. BW can generate great passwords, even strings of words. Just to name a few advantages. Searching BW vs LP can give you a better idea.
If your email and/or password was leaked in any of the breaches currently on have I been pwned then it will come up as compromised. If you used the same password(s) across multiple sites, and say one of them exists on the have I been pwned site then they should all be flagged as compromised.
>does it require a paid account or something?
Yes. Any paying plan will suffice, including the basic $10/year.
>can anyone give me a couple of product recommendations for similar options?
Any FIDO2/WebAuthn certified token will suffice. I can give a personal recommendation for the Yubikey 5 NFC. My son uses a Google Titan. Hopefully others can talk about others.
>the procedure for using something like a Yubikey on an iPhone
I think your best choice there is NFC. Others may have had success, i.e. with cabling converting from Apple's proprietary connector to USB, but I don't know a lot about that.
>I don’t store any payment info in BW or on any service currently either but I guess I might do at some point if I feel confident enough about the setup.
How can we make you feel more confident? I mean, a good master password plus a hardware security token is a pretty damn good setup.
>I do occasionally need to share login credentials or other sensitive info in either direction with a couple of people
Not for immediate consideration, but Bitwarden supports the notion of an "organization", which contains one or more "collections", which are shares with other Bitwarden users. You can create a single organization with one collection and with limited sharing when you sign up for the premium tier. For sharing with more people, you would have to sign up for a Family plan or even a Teams subscription, but that is probably overkill for you. Look here for more information.
Do you just need to share passwords with one person? Bitwarden allows you to have one organization, with up to two collections. You invite your partner to the organization, and you have all the organization features.
Start here: https://bitwarden.com/help/article/getting-started-organizations/
I believe this feature was added after the Cure53 audit. You can download the report from this page and read more about it.
Mainly you would do it if you had reason to believe your key was compromised, as it would be possible to decrypt your vault even after a password change were such a thing to occur.
SHA-256 is a hash function, AES-256 is an encryption function
A hash is a one-way function. Given the output, there is no way to figure out the input unless you give it the same exact input and it matches the output.
Encryption is a 2-way function. You can get back the original by using decryption.
Usually, for password protection, we want to use Hash functions as we don't want anyone to break the decryption key and reverse our password. Calculating a hash from the right input is trivial. Trying to brute force can be made to be very painful, using the right combo of hashing functions and parameters.
Bitwarden goes into more detail here https://bitwarden.com/help/article/what-encryption-is-used/
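An added example (not from the original post or from Bitwarden) of the hash-side claims above: a hash is deterministic, there is no way back from the output other than re-hashing guesses, and a password-hashing function's parameters set the price of each guess. It uses PBKDF2-HMAC-SHA256 from the standard library; the salt and iteration counts are constructed for the illustration and are not Bitwarden's actual parameters.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def sha256_hex(data: bytes) -> str:
    """Plain one-way hash: cheap to compute, same input always gives same output."""
    return hashlib.sha256(data).hexdigest()


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The iteration count is the tunable cost knob:
    every verification (legitimate or attacker's guess) pays it in full."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def verify_password(candidate: str, salt: bytes, iterations: int,
                    stored_key: bytes) -> bool:
    """Re-derive and compare in constant time; there is no 'decrypt' step."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), stored_key)


def brute_force(stored_key: bytes, salt: bytes, iterations: int,
                candidates: Iterable[str]) -> tuple[Optional[str], int]:
    """The only route back from a hash: hash guesses until one matches.

    Returns (matching_guess_or_None, number_of_attempts). Total work is
    attempts * iterations HMAC evaluations, which is why a high iteration
    count and a long, unusual password both matter.
    """
    attempts = 0
    for guess in candidates:
        attempts += 1
        if verify_password(guess, salt, iterations, stored_key):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed salt; a real system draws a random per-user salt.
    salt = b"constructed-demo-salt"
    stored = derive_key("correct horse", salt, iterations=100_000)
    print("same input, same output:",
          derive_key("correct horse", salt, 100_000) == stored)
    print("brute force:", brute_force(stored, salt, 100_000,
                                      ["letmein", "hunter2", "correct horse"]))
```

Raising `iterations` slows the loop in `brute_force` by the same factor it slows a legitimate login, which is the trade-off every password-hashing parameter choice is making.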
Bitwarden's desktop applications and browser extensions decrypt your vault when you unlock it. This is all kept in memory. I believe your Master Password and username are kept in the memory as well when it is unlocked. When the app or extension is locked then the data, including your Master Password, is cleared from memory. As far as I know, this is something that 1Password, LastPass, and Dashlane do not do.
**EDIT**
I found this which you may appreciate: https://bitwarden.com/help/article/data-storage/#on-your-local-machine
URIs should not contain www. This is so that when you enter https://google.com it works for anything.google.com as well, and not just www.google.com.
This is a helpful guide for URIs and how matching works, like the default 'base domain' matching in this example. https://bitwarden.com/help/article/uri-match-detection/
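An added illustration of the base-domain matching described above; it is example code, not Bitwarden's implementation. It assumes the match-detection option names from the linked help page (base domain, host, starts with, exact) and stands in a tiny hand-written set of multi-label suffixes for the full Public Suffix List that a real client would consult.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registrable domain is three labels long, not two. The real list is far bigger.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname(uri: str) -> str:
    """Lower-cased host of a stored URI or page URL; a bare host is accepted."""
    if "://" not in uri:
        uri = "https://" + uri
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"no hostname in {uri!r}")
    return host.lower()


def base_domain(host: str) -> str:
    """Registrable domain: 'accounts.google.com' -> 'google.com',
    'login.example.co.uk' -> 'example.co.uk'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def uri_matches(stored_uri: str, page_url: str, mode: str = "base_domain") -> bool:
    """Decide whether a saved login's URI applies to the page being visited."""
    if mode == "base_domain":
        # Default mode: any subdomain of the same registrable domain matches,
        # which is why the saved URI need not (and should not) include www.
        return base_domain(hostname(stored_uri)) == base_domain(hostname(page_url))
    if mode == "host":
        return hostname(stored_uri) == hostname(page_url)
    if mode == "starts_with":
        return page_url.lower().startswith(stored_uri.lower())
    if mode == "exact":
        return stored_uri == page_url
    raise ValueError(f"unknown match mode {mode!r}")


if __name__ == "__main__":
    for page in ("https://www.google.com", "https://mail.google.com/inbox",
                 "https://google.com.evil.example/"):
        print(page, "->", uri_matches("https://google.com", page))
```

The last sample page shows the property worth knowing about base-domain matching: a lookalike host that merely contains the saved name has a different registrable domain and is correctly not offered the login.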
It's not ideal.
Use Bitwarden's passphrase generator and sift through the words and use that to help you make a sentence. You want to avoid personal things and go with words you don't use often. The more odd, funny, or fake the sentence the better.
Using the passphrase generator here are some examples I came up with.
Keyboard shortcuts for auto fill in browser extension
People coming from last pass especially are upset about the auto fill on page load that they are used to not being the same in bitwarden but I prefer the Shortcuts heavily
This feature is already available in the web vault.
>Vault Health Reports are available for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).
More details about this feature here: https://bitwarden.com/help/article/reports/#reused-passwords-report
Yeah you can use it anywhere. They have extensions for Chrome, FireFox, Safari, Edge, Opera, Brave, Vivaldi, Tor. Mobile apps on iOS and Android. Desktop apps for Windows, Mac, Linux. Even command line stuff if that's your fancy.
And if all else fails you can just go to vault.bitwarden.com.
When you sign up to a website it will prompt you to save your login info. You can also generate random letters/numbers/symbols for a more secure password.
Q: What is the Browser Extension asking permission for?
A: On installation, the Browser Extension will ask permission to access your clipboard in order to use the scheduled clipboard clear function (accessed in the Options menu).
When this optional feature is enabled, clipboard clear will clear any Bitwarden entries made by or filled on a configurable interval. Access to the clipboard allows Bitwarden to do this without removing a clipboard item not associated with the Bitwarden application by checking the last-copied item against the last-copied item from your Vault. Please note, this feature is off by default.
They have access to your encrypted data, since they host the servers you store it on.
But they do not have access to your plain-text passwords.
See here and here for more information, or check the other "Security" related FAQs in the help section for more detailed explanations of how your data is encrypted before it is sent to their servers.
Depends which direction you are talking, but something I use a lot is privacy.com for credit card security. Having an individual card for every online purchase is so nice, makes money management easier too since they graph everything for you.
That sounds like a bug, but keep in mind that anyone with access to the desktop can view the note anyway as it has already been decrypted.
> Master password re-prompt is not an encryption mechanism. This feature is an interface-only guardrail that a sophisticated user may find ways to work around. We recommend never leaving your Vault unlocked when unattended or on a shared workstation.
https://bitwarden.com/help/article/managing-items/#protect-individual-items
Ah, ok, this is starting to be interesting. There is a provision for custom fields, but it's designed for text fields, not drop-downs.
That notwithstanding, you might be able to add a custom field with the label of your drop-down and set the value of that custom field. Based on my knowledge of how DOM and HTML form submission operate, that stands a chance of succeeding.
Good luck,
I'm afraid the only way to log in without your 2FA is by using your recovery code. Even if you contact Bitwarden, they cannot disable 2FA or unlock your account. Maybe check if you have another device that's logged in and write all the passwords down?
How are you performing the search?
Make sure you use the ">notes:" part
More information: https://bitwarden.com/help/article/searching-vault/#construct-a-full-text-search
I wondered the same.
https://bitwarden.com/help/article/emergency-access/
Looks like Step 3 is where the Emergency contact's public key is used, locally, to encrypt your own master key. Then that is stored. Public/Private key encryption has been around and proven for a long time (PGP/GPG encryption). You can encrypt with a public key, and ONLY the private key would be able to decrypt.
The confirmation step, after they accept, appears to be there so that the encryption of the thing that provides access is only created (trusting no one) on the grantor's device.
I agree, but ccleaner is malware/spyware and bleachbit only uses a single pass when overwriting files, its lead developer tries to justify this with stupid reasoning imo.
I’d recommend eraser or dban instead
> You should make sure you remember your email, master password, and your 2fa recovery code. Perhaps print them out and store them somewhere safe? Or keep them in an encrypted archive and make sure you have a copy offsite.
>
> I would also highly recommend backing up your vault occasionally, just in case. You can search this Reddit for how to do that (depends on your OS and device a bit).
For the latter, I would recommend exporting the vault to an encrypted VeraCrypt container. You can then backup the container like a regular file (external disks, cloud storage, etc).
> I use it for notes and such too. For some reason it is a lot easier than an actual note taking app for me...
Can recommend open source Joplin. It supports end-to-end encrypted notes and is available for Windows, OSX, Linux, Android and iOS.
It is amazing.
Check out pricing plans here. You can create a free organisation for sharing.
https://bitwarden.com/pricing/
As for "throwing money away" I now gladly pay $10 a year for a Premium account in order to support this project. I used to pay a lot more to LastPass.
ah I think the answer is bitwarden wants you to attach these as files instead: https://community.bitwarden.com/t/remove-increase-1000-character-password-field-limit-length/1165/2
>also you can’t export the vault from your mobile device right?
Actually, yes! Every client (Browser Extension, Desktop, Mobile, CLI) has this functionality.
See the documentation for more details: https://bitwarden.com/help/article/export-your-data/#export-a-personal-vault
I came from 1P. Considering their latest business practices, I am glad I did the change.
Why do you want to self-host? Just get premium, it is very cheap (10 USD per year).
Advantages are, it is hosted in Azure cloud. You don't need to keep an eye on your host security and there is no maintenance. Even though it is hosted on Azure, your data is safe. Not even Bitwarden staff can read your data.
Main differences between Free and Premium are TOTP and Security Keys, at least for me. For detailed comparison check https://bitwarden.com/pricing
Hi - and thank you for the kind words!
HIBP is as safe as it gets, it's made by Troy Hunt, cybersecurity expert of some repute. Bitwarden's own breach report uses and recommends it.
Good on you for being skeptical.
Yes. The “Hide Passwords” feature, as the FAQ mentions, just makes it harder for the average user to see the password in plain text. But anyone with a little know-how can still see the password if they are motivated to.
Btw, this is true for ANY password manager that has a hide password feature because there is no way to prevent someone from accessing the elements of a web page by other means.
https://bitwarden.com/help/article/releasenotes/#2021-05-11
Custom Fields for Keys: Custom Field values have been upgraded to support up to 5000 characters, allowing storage of keys like RSA 4096-bit SSH keys (see here for details).
https://bitwarden.com/help/article/custom-fields/#custom-fields-for-keys
Because the most current version of your vault lives in the cloud, you need internet access in order to make any changes to your vault. Without internet access your vault is essentially “read only.”
2FA is only needed for authentication, i.e. logging in. Logging in is what downloads the latest copy of your vault to your device.
It’s important to understand the difference between logging out vs locking your vault when not in use. If you did not log out but only locked your vault, then you still have a local encrypted copy of your vault on your device. You can unlock this and see all of your entries but if you are not online then, again, you cannot make any changes to your vault. But you can access your various logins, notes, identities, cards, etc.
Dumb suggestion, but go to another app where you can see what you are typing and enter your password. This will tell you if your keyboard is acting up.
What part of the world do you live in? Maybe Bitwarden is just down at your location.
I read this article: https://bitwarden.com/help/article/forgot-master-password/#:~:text=Unlike%20most%20services%20that%20you,just%20authentication%20(logging%20in).
It talks about having a designated Trusted Emergency Contact established using Emergency Access and getting in contact with them to regain Read or Takeover access to your account. I didn't know that option existed so you probably don't have it setup either.
I don't know of any ways to recover a master password. You may just have to wait until the maintenance is finished.
>I recreated an account with the same main password as the last account
Does not matter, your vault is encrypted with a random key itself derived from your password. Your password does not encrypt your data directly. See u/Proximus88 comment about BW encrypted export limitations.
https://bitwarden.com/help/article/emergency-access/
> Google Authenticator
Yeah, that’s a dealbreaker for me. If your phone dies or gets lost then you’re in for some hurt. Hopefully you have your 2FA recovery keys backed up for each site. But I consider that a tedious practice that most people are not likely to do, which makes Google Authenticator not a great option in my opinion. Authy might be a better choice. Or aegis. Or if you’re on iOS OTP AUTH or Raivo OTP.
Everyone has different needs, but I very much prefer to be able to backup my 2FA seeds (the shared secrets).
Premium is an upgrade for features associated with your account or your personal vault.
Organizations are for sharing. You can create an Organization and share between two people for free. If you want to share with more family members you can upgrade the Organization to the “Family Plan” for up to 6 users, which includes Premium for all 6 users.
The way Bitwarden does sharing is different from other password managers.
Check out the About Bitwarden Plans FAQ for more information
When you enter your 2FA there is a “Remember me” checkbox.
But, probably more to your situation is the difference between “Locking” and “Logging Out”. It will not prompt you for your 2FA when you lock your vault, but it will when you fully log out (provided you have not checked the “Remember Me” checkbox).
Personally I’ve never heard of anyone doing that with a password manager, however it’s entirely up to you as everyone needs to feel comfortable with the level of trust that they have with a tool/service.
Security is at the core of Bitwarden’s business.
Some info at https://bitwarden.com/help/security, the FAQs and specifically the first 3 on the list go some way to answering your question.
Also make sure you’ve enabled 2FA for your account.
Also :
>CleanMyMac & AppZapper
Use https://freemacsoft.net/appcleaner/ ; it's free and best in class. Don't use the shareware crapware you mentioned.
Do you have Bitwarden premium ($10/year)? You need to have premium in order to setup and use 2fa with Yubikey, U2F, and Duo. If not, get premium and then you can setup using the tutorial.
Hm, not sure about that. These canvas blockers seem to generate a lot of false positives. I'm more concerned that bitwarden.com is using external CDNs to fetch CSS and Javascripts. It's potentially unsafe.
I recommend Aegis if you are on Android. It is open source and supports backups.
As for moving 2FA codes to Bitwarden, it is up to you. It is a convenience feature that most password managers have and there are plenty of discussions about it. I would recommend you go through them and decide for yourself what is best for you. The main takeaway from those discussions is that you will still benefit from increased protection of TOTP but you will lose the second factor because anyone who has access to your vault also has access to your TOTP codes.
Whatever you end up deciding, make sure you have 2FA enabled and have a unique and strong password for your Bitwarden account.
What? We use nginx as a reverse proxy, with an HTTPS connection all the time on our servers at work.
What about this doesn't work for you?
I've been using Privacy.com for years now and it's great! It's my default purchase method when buying one-off items online and for my kids' extracurricular activities, because those things (Boy Scouts, yearbook companies, etc.) always sell your data. For regular bills, like my utilities, I don't use it because I want to be able to track those expenses via my bank account, and if there's an issue I feel like it'd be easier to dispute and take care of versus Privacy.com, where I use address generators and fake names for purchases.
https://bitwarden.com/help/article/biometrics/
Unlock with Biometrics is supported for Windows via Windows Hello using PIN, Facial Recognition, or other hardware that meets Windows Hello biometric requirements
>It's all bitwarden fault, they never made it clear that changing MP will log me out from all devices.
>Similarly, they told me that I can't recover my account if I lost my MP. If I know that then I will never create a random password for my account.
Lol. They clearly advised me to write my master password down when I signed up.
https://vault.bitwarden.com/#/register
> The master password is the password you use to access your vault. It is very important that you do not forget your master password. There is no way to recover the password in the event that you forget it.
So it is mentioned when you sign up, also in the email you get when setting up your account.
Also mentioned here: https://bitwarden.com/help/article/master-password/
> Bitwarden is a zero knowledge solution. This means that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset your Master Password. Don’t forget your Master Password! Bitwarden won’t be able to reset it or recover your Vault data if you do.
> [...]
> As described in the About Your Master Password section, Bitwarden has no knowledge of, way to retrieve, or way to reset your Master Password.
> If you’ve already lost your Master Password, there is unfortunately no way for anyone to recover the account or the data stored in your Personal Vault unless you’re enrolled in Organization Master Password Reset or have a designated trusted emergency contact. You will need to delete your account and start a new one.
This might not be the answer you're looking for but BW has some advanced search functionality which could help you in locating those entries: https://bitwarden.com/help/article/searching-vault/
Also getting a JSON dump of the vault and sorting the entries by the last updated timestamp could help. A tool like JQ can be used to achieve that.
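One way to do that sorting and searching over an unencrypted JSON export, as an added example and not part of the original comment or of Bitwarden's own tooling. The sample export embedded below is constructed; it assumes the export's `items`, `name`, `login`, `notes` and `revisionDate` keys (ISO-8601 UTC timestamps) and refuses the password-protected encrypted export variant, which this code cannot read.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of an unencrypted Bitwarden JSON export.
# Assumption: the export uses the keys "items", "name", "login", "notes" and
# "revisionDate" (ISO-8601 UTC); the entries themselves are invented.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"id": "1", "type": 1, "name": "Old shop",
         "login": {"username": "alice@example.com",
                   "uris": [{"uri": "https://shop.example"}]},
         "revisionDate": "2020-01-15T10:00:00.000Z"},
        {"id": "2", "type": 1, "name": "Bank",
         "login": {"username": "alice@example.com",
                   "uris": [{"uri": "https://bank.example"}]},
         "revisionDate": "2021-11-02T08:30:00.000Z"},
        {"id": "3", "type": 2, "name": "Wifi note",
         "notes": "guest network key lives here",
         "revisionDate": "2021-06-01T00:00:00.000Z"},
        # An entry with no revisionDate, as some imported items have.
        {"id": "4", "type": 1, "name": "Legacy import",
         "login": {"username": "old@example.com", "uris": []}},
    ],
})


def parse_export(text: str) -> Dict[str, Any]:
    """Load an export and refuse the encrypted variant, which this code cannot read."""
    data = json.loads(text)
    if data.get("encrypted"):
        raise ValueError("encrypted export: decrypt it with the client first")
    return data


def items_by_revision(export: Dict[str, Any],
                      newest_first: bool = True) -> List[Dict[str, Any]]:
    """Sort items by revisionDate. The timestamps are zero-padded ISO-8601 in UTC,
    so plain string comparison orders them correctly; items without a
    revisionDate sort as the oldest in either direction."""
    items = export.get("items", [])
    return sorted(items, key=lambda it: it.get("revisionDate", ""),
                  reverse=newest_first)


def search_items(export: Dict[str, Any], term: str) -> List[Dict[str, Any]]:
    """Case-insensitive match on name, username, URIs and notes, newest first."""
    needle = term.lower()

    def haystack(it: Dict[str, Any]) -> str:
        login = it.get("login") or {}
        fields = [it.get("name", ""), it.get("notes") or "",
                  login.get("username") or ""]
        fields += [u.get("uri") or "" for u in login.get("uris") or []]
        return "\n".join(fields).lower()

    return [it for it in items_by_revision(export) if needle in haystack(it)]


if __name__ == "__main__":
    vault = parse_export(SAMPLE_EXPORT)
    for it in items_by_revision(vault):
        print(it.get("revisionDate", "(no date)"), it["name"])
    print([it["name"] for it in search_items(vault, "example.com")])
```

The jq one-liner for the same ordering is `jq '.items | sort_by(.revisionDate) | reverse | .[] | [.revisionDate, .name]' export.json`. Either way the unencrypted export holds every secret in the vault in plain text, so work on it locally and delete it once the entries have been found.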
I learned from support they are aware of the issue: https://github.com/bitwarden/mobile/issues/1624
Also, here’s a workaround in the meantime: https://bitwarden.com/help/article/auto-fill-ios/#keyboard-auto-fill
What format(s) can Dashlane export? CSV?
https://bitwarden.com/help/article/import-data/
Also, search through this subreddit for Dashlane as there seem to be a few posts about this.
Here’s one but there are several others, too: https://reddit.com/r/Bitwarden/comments/p47u2e/dashlane_csv_t_ojson_json_not_being_imported/
The captcha is at the API, so it cannot be disabled at the client, but it is configured to only prompt if the API detects non-human behavior. Are you experiencing this prompt often?
If so, please reach out to our cs team so we can assist. The captcha is new, so it may need some tuning 😎
Welcome to the command line!
I can’t really even tell which OS that is in your gif but in whichever OS you need to open command prompt / terminal.
If that’s Windows then right-click on that directory and open a command prompt there. Then you should be able to play around with it. Start with: bw --help
Please see the FAQ regarding Organization User Types.
“Owners” have complete access to all Collections in an Organization. Perhaps you meant to make her a “User” if you wanted to limit her access and abilities within the Organization?
Edit: Organizations are how you share passwords. Your (and her) personal vaults are completely separate from any Organization (shared) vault.
Actually the vault is NOT stored on local disk (desktop OSes, Android, iOS) in an unencrypted state. The only place where it resides unencrypted is RAM (to show you your stuff on screen), and of course if (and only if) you manually export JSON/CSV. That encrypted vault (on disk) is then re-encrypted by the OS using full disk encryption. Since iCloud will back up only whatever is on disk and NOT the RAM, it's just backing up the encrypted vault file. It's clearly explained here: "Decrypted data is stored in memory in the following locations and is never written to persistent storage"
It's as useless as it sounds. If you want a true encrypted backup, just log in to the Desktop app and back up the data.json it creates (https://bitwarden.com/help/article/data-storage/); then if something happens you can decrypt that JSON using https://github.com/GurpreetKang/BitwardenDecrypt
You'll have to download the extension for your browser from https://bitwarden.com/download/. Then log in to the extension and you should be able to fill with the hotkey Ctrl+Shift+L (might be different; check extension settings)
Well of course it’s up to you. But I would still highly recommend that you use 2FA.
Probably 90% of people on this subreddit (it’s mostly enthusiasts here, so that’s a skewed number) have a strong password never used before unique for Bitwarden and ALSO use 2FA.
Your vault is protected by three things: your master password, your email address, and your 2FA. The more layers of security you have, the better. The master password is certainly the most important but the other two are also important.
It really depends on your use case. Will you be using Bitwarden on your own devices? How often will you be adding new devices? Will you log out every time you close your vault, or will you just lock your vault?
For most setups you may hardly ever need to enter your 2FA. For example, if you are using Bitwarden on devices you trust, you can tick a little box when you log in, “remember me”, and then 2FA won’t be needed on that device when logging in again (unless you deauthorize all sessions).
https://bitwarden.com/help/article/twostep-faqs/
Also, 2FA is only needed to log in, not to unlock. So if you’re staying logged in most of the time, it also won’t be an inconvenience.
So, in general, it is highly recommended. But only you can assess your situation.
I don’t believe there is a “button” per se, but I recently discovered a handy keyboard shortcut: CTRL + SHIFT + L, which auto-fills the fields. You can read more about it here: https://bitwarden.com/help/article/auto-fill-browser/#using-keyboard-shortcuts
Bitwarden was the last thing I took to self-hosted (after Nextcloud, Gitlab, Mail, Media) because I couldn't quite justify it, but eventually I ended up doing it:
- my data, even if Bitwarden as a company disappears, suffers a prolonged, unmitigated DDoS attack, or Microsoft kicks them out of Azure because of some stupid reason - or if my internet disappears (yes, I know the clients cache data but that's not the same).
- smaller attack vector; I am sure there are hordes of groups trying every leaked password combination on bitwarden.com all day long.
- It was my entry point into learning docker properly ... yeah, that reason doesn't apply to others.
But it is marginal as a benefit I have to admit.
You will need 2 accounts as part of an organization, your account and the company account, and put the shared passwords in a collection. This help article should have all the info you need to get started.
https://bitwarden.com/help/article/getting-started-organizations/
Why? If support could recover your account it would defeat the purpose of 2FA. See their help page https://bitwarden.com/help/article/lost-two-step-device/
I read Fastmail's privacy policy and it sucks donkey balls. They are saying they will share literally everything and use analytics on top of that. Lovely.
https://www.fastmail.com/about/privacy/
Good thing is, only 1Password is using it for integration, and I am not gonna use it.
It is supported here in the US. The following extensions are available for me: uBlock Origin, HTTPS Everywhere, Decentraleyes, Dark Reader, Privacy Badger, Ghostery, AdGuard, FoxyProxy, NoScript, Bitwarden, Search by Image, YouTube High Definition, Privacy Possum, LeechBlock NG, Tomato Clock, Web Archives, Video Background Play Fix, Google Search Fixer.
You need to install the Android App and can set up Auto-fill login.
https://bitwarden.com/help/article/forgot-master-password
The encryption that keeps it secure in the first place means BW has no access to it. This is the article from their site on losing your master password.
Emergency contact backup or being an Organization Master account are the only ways.
Are they really injecting pop-ups into your web page?
If they are doing that, they are trading a slick UX against the real problem that they will absolutely break access to many login forms.
Even the very limited reflection used by Bitwarden, where it merely looks for DOM elements, can need a lot of help in order to deal with outlier web pages. Genuine pop-ups, actually MODIFYING the DOM on the web page, would be a nightmare. I mean, it might kinda sorta work most of the time, but it could completely screw up the rest of the time.
They said in last Friday's Vault Hours video they're updating the web interface early next year to be more responsive and fresher.
As for updates, they just released emergency access at the start of this year. If anything, they're doing more than most password managers do. I find Bitwarden far from "stale".
Your master password is used to derive your vault's encryption key. It would seem that when using a PIN, the PIN is used to encrypt the encryption key. So what Bitwarden says holds true. Obviously it would be much easier to brute-force a PIN of a few digits than a long, complex master password.
It's a trade off of security for convenience. Obviously one should consider their personal threat profile. Are you a crypto millionaire storing your keys in this wallet? Maybe think long and hard about that. Are you just a humble LrZ3TMt4aQ93FrjfBG76 who's tired of trying to remember the password to that one website work requires him to use once a year? Then maybe you'd be fine with a PIN. Provided your devices are secure and you use them responsibly.
You said:
> Your master password doesn't leave your machine, not even in hashed form.
I don't think you are correct about the hashed form. From their whitepaper, page 9
> Next, Bitwarden uses Password-Based Key Derivation Function 2 (PBKDF2) with a default of 100,000 iteration rounds to stretch your Master Password with a salt of your Email Address. The resulting salted value is the 256 bit Master Key. A hash of the master key is sent to the server upon account creation and login, and used to authenticate the user account.
If I'm mistaken, can you point me to info about that? It's possible I misread something.
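The derivation quoted from the whitepaper, together with the PIN-unlock point raised a few comments earlier (the PIN only wraps the key that the master password derives), worked through in code. This is an added example, not Bitwarden's client code: it assumes the email is trimmed and lower-cased before use as the PBKDF2 salt, that the value sent to the server is one further PBKDF2-SHA256 round over the Master Key with the password as salt, and it stands in a toy XOR-plus-HMAC key wrap for the AES wrapping a real client would use. The email, password and PIN are constructed demo values.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed demo credentials; nothing here belongs to a real account.
DEMO_EMAIL = "User@Example.com"
DEMO_PASSWORD = "correct horse battery staple"
DEFAULT_ITERATIONS = 100_000  # the default named in the quoted whitepaper passage


def derive_master_key(password: str, email: str,
                      iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """256-bit Master Key: PBKDF2-SHA256 over the master password, salted with the
    email address. Assumption: the email is trimmed and lower-cased first, so the
    capitalisation typed at login does not change the key."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """The value the client sends to authenticate. Assumption: one further PBKDF2
    round over the Master Key, salted with the password. The server can store
    and verify this hash but cannot reverse it to the password or to the Master
    Key that actually protects the vault, which never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"),
                               1, dklen=32)


def derive_pin_key(pin: str, salt: bytes,
                   iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Wrapping key derived from the unlock PIN with the same PBKDF2 construction."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                               iterations, dklen=32)


def _subkeys(pin_key: bytes):
    """Split the PIN key into separate encryption and MAC keys."""
    return (hmac.new(pin_key, b"enc", "sha256").digest(),
            hmac.new(pin_key, b"mac", "sha256").digest())


def wrap_master_key(master_key: bytes, pin: str, salt: bytes) -> bytes:
    """Encrypt the Master Key under the PIN-derived key for local storage.
    Toy construction for illustration only (real clients use AES): XOR with a
    32-byte subkey, then an HMAC tag so a wrong PIN is detected rather than
    silently yielding garbage."""
    enc_key, mac_key = _subkeys(derive_pin_key(pin, salt))
    ciphertext = bytes(a ^ b for a, b in zip(master_key, enc_key))
    tag = hmac.new(mac_key, ciphertext, "sha256").digest()
    return ciphertext + tag


def unwrap_master_key(blob: bytes, pin: str, salt: bytes) -> Optional[bytes]:
    """Recover the Master Key; returns None when the PIN (or salt) does not match."""
    enc_key, mac_key = _subkeys(derive_pin_key(pin, salt))
    ciphertext, tag = blob[:32], blob[32:]
    expected = hmac.new(mac_key, ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, enc_key))


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidates a guessing attack must cover in the worst case."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    mk = derive_master_key(DEMO_PASSWORD, DEMO_EMAIL)
    auth = derive_auth_hash(mk, DEMO_PASSWORD)
    print("master key (stays on the client):", mk.hex())
    print("auth hash (sent to the server):  ", auth.hex())

    salt = secrets.token_bytes(16)
    wrapped = wrap_master_key(mk, "4242", salt)
    assert unwrap_master_key(wrapped, "4242", salt) == mk
    assert unwrap_master_key(wrapped, "0000", salt) is None
    # Once wrapped, the locally stored key is only as strong as the PIN in front of it.
    print("4-digit PIN:                    %.1f bits" % guess_space_bits(10, 4))
    print("20-char alphanumeric password:  %.1f bits" % guess_space_bits(62, 20))
```

The two printed bit counts are the whole PIN trade-off in one number: the 100,000 PBKDF2 iterations slow each guess equally for both, but a four-digit PIN leaves only about 13 bits of candidates in front of the wrapped key, whereas a random 20-character password like the one joked about above carries roughly 119. The PIN setting is therefore only as safe as the device holding the wrapped key.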