Account recovery options

This is a hypothetical situation regarding account recovery that will help me understand my options. Is deleting my account and starting a new one my only option if the circumstances are as follows? : Only one device with Bitwarden- forgot master passcode, no password hint, no 2FA, no emergency access, no biometrics.

Assuming you're also logged out then I think losing your master password is fatal, I don’t see any other option but to abandon that account, start again with a new account and hope your backup isn’t encrypted with the same password.

What is my ‘backup’ if I have to delete my account and create a new one?

There are various approaches to creating vault backups. Here is one that I recommend:

At a regular frequency (weekly, monthly, biannually, etc., depending on how frequently you make changes to your vault contents), log in to the Web Vault (vault.bitwarden.com) and do the following:

  1. Click on Tools in the top menu bar.
  2. Click on Export Vault in the left-hand navigation menu.
  3. In the dropdown menu under File Format, select the option .json (Encrypted).
  4. You will now see two options for Format Type: select Password-Protected (it is very important that you don’t select Account-Restricted).
  5. Choose a strong password for the backup (use the Bitwarden Password Generator if you like), and enter it into the input fields File password and Confirm file password. If the scenario you are protecting yourself against is data loss due to a forgotten Master Password, then you should obviously not use your Bitwarden Master Password as the backup password.
  6. Click Confirm Format.
  7. When prompted (in a window titled Confirm Vault Export), enter your Bitwarden Master Password (not your backup password).
  8. Click the Export Vault button. You should see a green alert box in the upper right corner of your browser window, with the message “Vault data exported.”
  9. Go to your Downloads folder, and look for a file named something like bitwarden_encrypted_export_20230612204532.json. Move this file to any location where you will be able to access it later. The file is encrypted, so you do not have to worry about hiding the file.

You can store a copy of the backup file password in your Bitwarden vault, to make it more convenient to create additional backups in the future. However, you still run the risk of forgetting the backup file password, just like there is always a risk of forgetting your Master Password. If you have forgotten both, then your scenario still leads to loss of all your data. For this reason, you should always make at least one Emergency Sheet, stored in a secure location, which contains the following information (at a minimum):

  • Your Bitwarden email address.
  • Your Bitwarden Master Password.
  • The 2FA Recovery Code for your Bitwarden account.
  • Password(s) to your vault backup file(s).

Here’s my backup process, just to show some ideas…

I created an encrypted disk/volume using TrueCrypt. Once a week, I export my BW vault, in both JSON & CSV formats. I store them in the encrypted volume. I keep them all, just adding the latest two each week.

Usually, just to be safe/paranoid, I dismount the volume so it’s not visible, only mounting it when I add the latest files.

Of course, everything is predicated on NOT forgetting a Master Password.

Just so you’re aware, the above workflow will leave behind unencrypted secrets that can later be recovered from your device hard drive (especially if it is an SSD).

Could you elaborate please?

Thx.

Due to the way that JavaScript implements file saving, all export operations write the exported data first into a temporary file (.tmp) located in the default Downloads directory, then copy the file to its specified destination, renaming it with a .csv or .json extension and the specified name, and finally delete the .tmp file from the Downloads folder. Deleted temporary files can be recovered using various “undelete” utilities, or other data recovery tools. This is especially the case with SSDs, which create multiple copies of any saved data during wear-leveling operations.

If you also save the .csv and .json in the Downloads folder before moving them to the TrueCrypt volume, then you have further compounded the problem by allowing a second copy of the unencrypted file to be saved to the hard drive. However, please note that the problem with the .tmp file still exists even if you export “directly” to the TrueCrypt volume using “Save As”.

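An added example (not from this thread, and not Bitwarden's own code) that ties together the Password-Protected vs Account-Restricted choice in step 4 of the backup procedure above and the concern about plaintext exports left behind in the Downloads folder: a small Python audit that finds Bitwarden export files in a folder and flags those that are unencrypted or that would be unreadable once the account is gone. The file-name pattern and the JSON field names (encrypted, passwordProtected, salt, kdfIterations) are assumptions about the export format, and the sample files it runs over are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed export layout (added example, not from the thread): plaintext exports are
# .csv/.json; encrypted .json has "encrypted": true, Password-Protected adds salt/kdf.
EXPORT_NAME = re.compile(r"^bitwarden(_encrypted)?_export_\d{14}\.(json|csv)$")

def classify_export(path: Path) -> str:
    if path.suffix == ".csv":
        return "plaintext-csv"
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if not doc.get("encrypted"):
        return "plaintext-json"       # items readable as-is
    if doc.get("passwordProtected") and "salt" in doc and "kdfIterations" in doc:
        return "password-protected"   # usable with the file password alone
    return "account-restricted"       # needs the original account's key

VERDICT = {
    "plaintext-csv": "LEAK RISK: secrets in the clear on disk",
    "plaintext-json": "LEAK RISK: secrets in the clear on disk",
    "account-restricted": "NOT A RECOVERY BACKUP: unreadable once the account is gone",
    "password-protected": "OK: decryptable with the file password",
}

def audit_folder(folder: Path) -> dict:
    """Map each Bitwarden export file in folder to (kind, verdict)."""
    out = {}
    for p in sorted(folder.iterdir()):
        if p.is_file() and EXPORT_NAME.match(p.name):
            kind = classify_export(p)
            out[p.name] = (kind, VERDICT.get(kind, "UNRECOGNISED: inspect by hand"))
    return out

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        f = Path(d)  # constructed sample files below, not real exports
        (f / "bitwarden_export_20230612204532.csv").write_text("folder,name,login_password\n")
        (f / "bitwarden_export_20230612204600.json").write_text(json.dumps({"encrypted": False}))
        (f / "bitwarden_encrypted_export_20230612204700.json").write_text(
            json.dumps({"encrypted": True, "data": "2.constructed"}))
        (f / "bitwarden_encrypted_export_20230612204800.json").write_text(json.dumps(
            {"encrypted": True, "passwordProtected": True, "salt": "c", "kdfIterations": 600000}))
        return audit_folder(f)
```

Point it at your real Downloads folder with `audit_folder(Path.home() / "Downloads")` to see what is still sitting there; it only reads files and never modifies them.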

Thanks, appreciate the detailed explanation. Very informative!


@astrohip I note you're using TrueCrypt.
You could use TrueCrypt (now VeraCrypt) to encrypt your SSD and then I think you’re fully secure. This includes the system drive. Even deleted temporary data is encrypted even on an SSD.


Thanks Doc. I prefer not to encrypt the entire disk, although I understand the option.

I’m willing to live with the slight risk that @grb pointed out. It would require someone to have access to my laptop, plus know I dl my BW vault, plus know to look for deleted files. Too obscure a case for me.

However, as always, it’s better to understand the risks.


A less drastic approach to mitigate the issue that I had mentioned is to go to your browser settings and change the location of your default Downloads folder (e.g., the “Location” setting under chrome://settings/downloads), so that it points to a folder on your encrypted volume. You can even define a separate browser profile dedicated to making Bitwarden vault exports, and change the Downloads folder only for that profile (saving you the trouble of changing the Downloads folder back to its original location before dismounting your TrueCrypt volume).


Interesting idea! I’ll play around with it.