Anyone who has access to your mail can delete your vault?

Hello,

Can you confirm that anyone who has access to your mail can go here (Bitwarden Web Vault) and ask to delete your vault?
It’s a bit freaky, no?

You are correct. There is a mechanism for users who have forgotten their master password to send a request to Bitwarden to delete the account so that they can create a new one and start over. Obviously, the request does not require a master password prompt (can’t if it was forgotten), so an email confirmation is sent instead. I am not sure how else this could be managed.

When deleting an account in this way, 2-step authentication should be required, other than the email code of course. For example, entering the code from Authy or authorization with the U2F key.

Even if we forget the master password, we should still be able to access 2FA.

Another option is to add a contact password. In the Bitwarden settings one could add a “password to contact Bitwarden service” and require this password when deleting an account, for example.

What if you forget that password too and you even lose access to 2FA :unamused: (2FA isn’t even mandatory currently).
Then is that email ID blocked forever?

Of course there would be a much better way to solve this.

But at least you should put in a delay, like a minimum of 2 days, before the account deletion is done.


In my opinion, it is better to require additional verification such as a code from Authy, authorization with the U2F key, or possibly a password to contact the service. Of course, all of this as an optional setting to be turned on in the settings.

In addition, there should be a delay, e.g. 7 days, and an email and push notification to all logged-in devices during this time.

By the way, I always wondered why Bitwarden does not offer a push notification in the smartphone application when logging in to a new device.
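The safeguards proposed in this thread (an email-confirmed deletion that only takes effect after a grace period, a notification to every logged-in device so the real owner can cancel, and an optional second factor on top of the email link) can be modelled as a small state machine. The following is an added example written for this thread; it is not Bitwarden’s code, and the 7-day grace period, the one-hour token lifetime, the `DeletionService` class and the account data are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

GRACE_PERIOD_SECONDS = 7 * 24 * 3600  # assumed: the 7-day delay proposed in the thread
TOKEN_TTL_SECONDS = 60 * 60           # assumed: the emailed link is valid for one hour


def _hash_token(token: str) -> bytes:
    # Only a hash of the emailed token is stored, so reading the database does not yield a usable link.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class PendingDeletion:
    token_hash: bytes
    requested_at: int
    confirmed_at: Optional[int] = None
    cancelled: bool = False


@dataclass
class Account:
    email: str
    require_second_factor: bool = False        # the optional extra-verification setting from the thread
    sessions: set = field(default_factory=set)  # ids of devices that are currently logged in
    pending: Optional[PendingDeletion] = None
    notifications: list = field(default_factory=list)
    deleted: bool = False


class DeletionService:
    """Hypothetical service; the clock (seconds) is injected so the grace period can be simulated."""

    def __init__(self, now: int = 0):
        self.now = now

    def request_deletion(self, acct: Account) -> str:
        token = secrets.token_urlsafe(32)
        acct.pending = PendingDeletion(_hash_token(token), requested_at=self.now)
        acct.notifications.append(f"email to {acct.email}: confirm-deletion link")
        return token  # a real service would only email this; it is returned so the model runs offline

    def confirm(self, acct: Account, token: str, second_factor_passed: bool = False) -> bool:
        p = acct.pending
        if p is None or p.cancelled or p.confirmed_at is not None:
            return False
        if self.now - p.requested_at > TOKEN_TTL_SECONDS:
            return False
        if not hmac.compare_digest(p.token_hash, _hash_token(token)):
            return False
        # Mailbox access alone is not enough when the owner opted into a second factor.
        if acct.require_second_factor and not second_factor_passed:
            return False
        p.confirmed_at = self.now
        # Warn every logged-in device, so the legitimate owner can cancel during the grace period.
        for sid in sorted(acct.sessions):
            acct.notifications.append(f"push to {sid}: deletion in {GRACE_PERIOD_SECONDS}s, cancel if not you")
        return True

    def cancel(self, acct: Account, session_id: str) -> bool:
        # Any authenticated session may cancel while the deletion is pending.
        if acct.deleted or acct.pending is None or session_id not in acct.sessions:
            return False
        acct.pending.cancelled = True
        return True

    def finalize_if_due(self, acct: Account) -> bool:
        # Run by a scheduled job: delete only after a confirmed, uncancelled grace period has elapsed.
        p = acct.pending
        if p is None or p.cancelled or p.confirmed_at is None:
            return False
        if self.now - p.confirmed_at < GRACE_PERIOD_SECONDS:
            return False
        acct.deleted = True
        acct.sessions.clear()
        return True


def run_scenarios() -> dict:
    """Constructed walk-through: mailbox-only confirmation versus a phone that is still logged in."""
    results = {}
    # 1. The link is confirmed from the mailbox, but the owner's phone cancels inside the grace period.
    svc = DeletionService(now=1_000)
    acct = Account(email="owner@example.test", sessions={"phone-app"})
    token = svc.request_deletion(acct)
    results["confirmed"] = svc.confirm(acct, token)
    svc.now += 3600
    results["too_early"] = svc.finalize_if_due(acct)
    results["cancelled"] = svc.cancel(acct, "phone-app")
    svc.now += GRACE_PERIOD_SECONDS
    results["deleted_after_cancel"] = svc.finalize_if_due(acct)
    # 2. A wrong token and an expired token are both rejected.
    svc2, acct2 = DeletionService(now=0), Account(email="b@example.test")
    tok2 = svc2.request_deletion(acct2)
    results["bad_token"] = svc2.confirm(acct2, "not-the-token")
    svc2.now = TOKEN_TTL_SECONDS + 1
    results["expired"] = svc2.confirm(acct2, tok2)
    # 3. With the optional setting on, the email link alone is not enough; with 2FA the deletion proceeds.
    svc3, acct3 = DeletionService(now=0), Account(email="c@example.test", require_second_factor=True)
    tok3 = svc3.request_deletion(acct3)
    results["email_only"] = svc3.confirm(acct3, tok3)
    results["with_2fa"] = svc3.confirm(acct3, tok3, second_factor_passed=True)
    svc3.now = GRACE_PERIOD_SECONDS
    results["deleted_uncancelled"] = svc3.finalize_if_due(acct3)
    return results
```

The design point is that the email link only starts a timer; nothing is destroyed until the grace period ends, and during that window any still-authenticated device (such as an unlocked phone app, which does not need the forgotten master password) receives the warning and can cancel. The second factor remains usable without the master password, which is why it fits the forgotten-password case.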