All the passwords from the account are missing

Hi all, after upgrading to PBKDF2 all saved passwords are gone, not even password history. Both on the phone and in the browser extension. I also downloaded the app, no passwords there either. I have not made any backups. What can I do?

I’ve logged out of all accounts and tried logging in again, cleared data and app cache on my phone, and also reinstalled the extension and the app on PC. Nothing helped.

@anon7200363 Welcome to the forum!

Please provide some information about what operating system and browser you are using.

Also, what happens if you log in at https://vault.bitwarden.com (or at https://vault.bitwarden.eu, in case you have a .EU-hosted account)?

Finally, are you 100% certain that you have only ever registered for a single Bitwarden account? If there is a second account, perhaps you are logging in to the wrong one.

I am using Linux Fedora Workstation and the Vivaldi browser. I’m pretty sure I only have one account. If I follow this link, I am logged in to my account, but there are no passwords and no password history. https://vault.bitwarden.com

There is no account at this link https://vault.bitwarden.eu

Just now I also tried following this link and logging into the account via the Firefox browser: https://vault.bitwarden.com The problem is the same, everywhere is blank.

I would suggest contacting support, but to be honest, I don’t think chances are great that your vault can be recovered. It seems like the vault was accidentally purged.

If you think you may have previously used a Bitwarden app or browser extension other than the ones you have already checked (perhaps on a device that you don’t frequently use), then there is a small chance you may be able to get your data back. To check for this possibility, first disconnect the device from the internet (e.g., by disconnecting any Ethernet cables and placing the device in Airplane Mode to disable WiFi). Then look for Desktop apps, mobile apps, and browser extensions that may still be logged in from before when your account changes were made. If you find any such dormant apps/extensions and are able to unlock them, then you can export the locally cached vault copy (and use the export to repopulate your cloud vault). Again, it is extremely important to prevent the device from accessing the internet while doing this.

Why should I delete everything myself and then write here like a fool that my passwords are missing? I didn’t delete it myself, you can check there, they disappeared themselves after logging in to the account. I just changed the KDF algorithm and tested different settings, my settings were not saved with a certain number of iterations, I went there again and changed the value, I didn’t even check the folders with passwords, and then when I needed a password, I found out that everything was empty.
And there are no more devices that I haven’t logged into bitwarden yet, the only option is to contact support. The problem is not on my side, why is there a small chance of restoring the vault?

Sorry to be the bearer of bad news, and hopefully my prognosis was completely wrong. Good luck with your support request.

I can’t check anything. I’m just another Bitwarden user like you.

Thank you so much for the help

I can’t help directly either but to figure out what went wrong here some clarification questions:

> Hi all, after upgrading to PBKDF2 all saved passwords are gone, not even password history. Both on the phone and in the browser extension. I also downloaded the app, no passwords there either. I have not made any backups. What can I do?

PBKDF2 is the default. Did you mean upgrading to a higher number of PBKDF2 iterations, or maybe upgrading to Argon2?

By “all passwords are gone”, do you literally mean just the “password” field, or the entire login entry? Since the password is connected to the login entry, if the login entry is gone, so is the password history.

Since you are on Linux, I’ll assume you are a somewhat more technical user. Could you open your browser console before logging into the web vault, and then look for a request to “api/sync?excludeDomains=true”? In the HTTP response, there should be an array “Ciphers”. Is this empty? DO NOT POST THE HTTP RESPONSE IN THIS FORUM. If it is not empty, it might be that the entries are still there, but undecryptable for some reason.

Hi. I have been increasing the number of iterations in PBKDF2 to test how my system works with this, as well as my Android phone, and also went to Argon2 to check the performance there. I have lost all entries, completely everything, as if I didn’t add anything, no saved maps, no logins and passwords. Just checked the excludeDomains parameter, the Ciphers array is empty there.

Wrote to support that the api/sync request returns an empty array of ciphers

Thank you very much for your help, what could cause this to happen? Is there a bug on the backend that caused data loss?

Also asked them if there are backups for data recovery, do they have that?

Sorry, only Bitwarden support would know that.

Well, if I recall correctly (not entirely sure anymore), several years ago there was a bug that could make vault entries un-decryptable when changing KDF if the web vault crashed/was closed/lost internet connection in a very unfortunate moment. However, that was fixed long ago, and I would have expected the entries to still be there but un-decryptable. In this case, it seems to be something else, since all ciphers seem to have disappeared.

Thank you so much

I thought about this a bit more, and I have a theory of what might have happened. Did you change the KDF again and/or check rotate key after the vault was empty but before checking the HTTP JSON response?

My theory: [I have not tested this in the clients, but from my knowledge of the code it should be possible]: After changing the kdf parameters, the web vault failed to sync for whatever reason, and your local copy of the vault is empty. At this point it is fixable, by logging out and back in again. You try to fix things by rotating the key again, but this causes the web vault to overwrite the server-side copy of the vault with your local (empty) vault. You log in and out again, but now the remote copy is also empty.

I hope that you continue to explore this, because it would be a serious bug if you are correct.

FYI, I was just doing some testing in the Web Vault, and happened to get a situation in which the vault appeared empty on login (which seems to be something happening with increased regularity to various users since the December updates). In any case, I thought I would try to reproduce the vault erasure scenario that you hypothesized, so I went to change the KDF settings (while the Web Vault was still empty, without logging out and back in). When clicking the “Change KDF” button and confirming with the master password, all that happened was that I received the error message “Failed to Fetch”. I tried this a few times with the same result, and then logged out (interestingly, I also received the “Failed to Fetch” error when attempting to log back in, so I had to Ctrl+F5 before I could log in). When I logged back in, the vault contents had reappeared.

Do you know what triggers the web vault to appear empty? I have never had that bug happen to me, though I mainly use a self-hosted installation.

It’s intermittent, so hard to diagnose. Issue #5770 on GitHub has some more information and error messages from the browser console.

Edited to Add: At least one user experiencing this appears to be self-hosted.

Okay, so after some investigation, I did manage to completely corrupt my vault:

By blocking the HTTP request to sync, and then doing an encryption key rotation. This is a bug [that requires very specific, unlikely but possible circumstances] that I feel should probably be addressed too, but seems to be something different.
However, the web vault only rotates the encryption key if you change your master password, not if you change your KDF settings.
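
The failure mode from the theory and the reproduction above (blocked sync, then key rotation), as an added toy model that is not part of the original thread and is not Bitwarden's code. Every function name, the prefix-tag "encryption", and the two guards are assumptions made for illustration only.

```javascript
// Toy model, constructed for illustration; every name is hypothetical.
// "Encryption" is only a key-tag prefix so the data flow stays visible.
const enc = (key, plain) => `${key}:${plain}`;
const dec = (key, blob) => blob.slice(key.length + 1);

function makeServer(items, key) {
  return { ciphers: new Map(items.map(([id, p]) => [id, enc(key, p)])) };
}

// Client login: the sync request may fail, leaving the local cache empty.
function login(server, key, syncOk) {
  const local = new Map();
  if (syncOk) for (const [id, blob] of server.ciphers) local.set(id, blob);
  return { key, local, synced: syncOk };
}

// Re-encrypt whatever the client has cached under the new key.
function reencrypt(client, newKey) {
  const upload = new Map();
  for (const [id, blob] of client.local) upload.set(id, enc(newKey, dec(client.key, blob)));
  return upload;
}

// Unsafe rotation: the server replaces its whole cipher set with the upload.
function rotateUnsafe(server, client, newKey) {
  server.ciphers = reencrypt(client, newKey);
  client.key = newKey;
}

// Guarded rotation: the client refuses without a successful sync, and the
// server refuses an upload that does not cover every cipher id it holds.
function rotateGuarded(server, client, newKey) {
  if (!client.synced) throw new Error("rotation refused: no successful sync");
  const upload = reencrypt(client, newKey);
  for (const id of server.ciphers.keys()) {
    if (!upload.has(id)) throw new Error(`rotation rejected: missing ${id}`);
  }
  server.ciphers = upload;
  client.key = newKey;
}

function demo() {
  const items = [["c1", "mail login"], ["c2", "bank login"]]; // constructed data
  const a = makeServer(items, "k1");
  rotateUnsafe(a, login(a, "k1", false), "k2"); // sync was blocked
  const b = makeServer(items, "k1");
  let refused = false;
  try { rotateGuarded(b, login(b, "k1", false), "k2"); } catch { refused = true; }
  const c = makeServer(items, "k1");
  rotateGuarded(c, login(c, "k1", true), "k2"); // normal path
  return { unsafe: a.ciphers.size, refused, kept: b.ciphers.size, rotated: c.ciphers.get("c1") };
}
console.log(demo());
```

In the unsafe path the server ends up with zero ciphers, matching the empty "Ciphers" array reported earlier in the thread; in the guarded path the server copy is left intact.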