Bitwarden browser extension - Password save feature corrupting some password?

Hi,

Went into a strange scenario this morning.

I changed the password on one of the websites where I have an account using the “lost password” process of the website.

Of course at some point Bitwarden offers to save the new password, which I accepted.

Then:

  • try to log in on the website
  • credentials on the login form auto-filled using the Bitwarden blue shield icon (I don’t use auto-fill on page load)
  • login refused …
  • tried a couple of times
  • then went to check the password stored in Bitwarden
  • here I could see that the password stored is not the correct one, it’s a sequence of alphanumeric characters. Looks like a hexadecimal string, not the correct password at all!

After that:

  • I manually deleted the entry from the Bitwarden vault
  • did a manual login on the website, typing the correct password
  • saved it into Bitwarden again
  • observed the same problem again… for some reason the password gets improperly stored or captured.

I then came to this Bitwarden community website for support, and created an account to be able to post this topic.
I stored the account password in Bitwarden when I was offered to save it.
This time the password is stored ok, so it’s not every password that gets “corrupted” on save.

I checked what happens if I manually modify the password value in the “strange” website entry of the vault. My modification is well saved and the password can be used once updated into the vault.

I’m using Firefox v128.0.3 and Bitwarden extension v2024.6.3.
Bitwarden server version is 2024.7.2.

Any hint on what could be wrong?

Hello and welcome to the community!

I don’t know what went wrong, but this sounds to me like BW captured the wrong value, possibly because the website did something “non-standard” on the password. So what you did didn’t work on one website, but worked on another website.

Having BW capture the credentials from the form is not always a sure thing, so it’s usually recommended that:

Adding a new account:

  1. Go to the registration page
  2. Open the BW sidebar; on FF, it’s Shift-Alt-Y
  3. Click the + button
  4. Generate user name (or email)
  5. Generate a random password (do this for security)
  6. Click save
  7. Ctrl-Shift-L to fill in the info in the registration form

You will have to fiddle with this on sites that use both a username and an email. But the gist is: save your registration info in Bitwarden first, and have Bitwarden fill in the registration form for you.

Changing the password is slightly more tricky. This is what I do, but maybe others will have something simpler:

  1. Go to the password change page
  2. Open the sidebar
  3. Drag-and-drop the old password from the sidebar into the current password field
  4. Generate a new random password in Bitwarden and save.
  5. Drag-and-drop the new password from the sidebar into the new password fields.

Remember that Bitwarden remembers your last 5 passwords plus the current one. Look at the bottom of the entry and you’ll see “Password history.” Clicking on the number will show the previous passwords, just in case you need them.


@mrec06 Welcome to the community!

Some websites use background scripts to manipulate the contents of input fields as you are typing, or when the form is submitted. It seems that the website where you had the issue might have replaced the typed password with a computed hash. I have seen other reports where the typed password is literally replaced by a series of bullet characters (●) or asterisks (*), so that these characters are what is transferred into your Bitwarden vault.

The solution, as indicated by @Neuron5569, is to stop using the failure-prone password saving prompts (go to Settings > Notifications and disable the two options “Ask to add login” and “Ask to update existing login”). It is easier and safer to create the vault entry first in the browser extension, and then use auto-fill to transfer the information into the online web form (account registration or password change form).

Personally, I use methods that are very similar to those described by @Neuron5569 above, descriptions of which I have previously posted in this forum.

Hi!

Thanks a lot for the fast replies, and for their relevance too!

I can indeed imagine a script to prevent password stealing by malicious extensions that would compute a hashed pwd on the browser side, or something similar, in the age we live in.

I’ll for sure adopt a different approach in the future, based on your suggestions!

Have a great day :+1:


Here are the steps for how I do these tasks:

Adding a New Login:

The procedure below assumes that you have the website’s account registration form open in your browser, and that your Bitwarden browser extension is currently unlocked:

1. Open the browser extension (click the Bitwarden :shield: icon at the top of the browser, or press Ctrl+Shift+Y).
2. Click :heavy_plus_sign: (or the “Add a Login” link).
3. Type the desired username (or generate a random one).
4. Click the :arrows_counterclockwise: icon in the Password field (generate password).
5. Click Select in the upper right corner.
6. Click Save in the upper right corner.
7. You will now see the new vault item listed at the top of the browser extension’s “Tab” page; click on the website name (which will transfer your username and password to the website’s account registration form).
8. In your browser, submit the account registration form to the website server.

Changing a Password:

The procedure below assumes that you have the website’s password change form open in your browser, and that your Bitwarden browser extension is currently unlocked:

1. Open the browser extension (click the Bitwarden :shield: icon at the top of the browser, or press Ctrl+Shift+Y).
2. Open the vault item in the browser extension (click the “View” icon).
3. Copy the old password to the clipboard.*
4. Click “Edit” in the upper right corner.
5. In the password field, click :arrows_counterclockwise: to go to the password generator.
6. Click “OK” at the warning prompt about overwriting the password.
7. Click “Select” in the upper right corner.
8. Click “Save” in the upper right corner.
9. Click the “Auto-fill” button (below the displayed item details).
10. On the website’s password change form, delete the contents of the “Old Password” field and paste in the old password from the clipboard.*
11. Submit the password change form to the website server.

*Depending on how quickly you can complete Steps 4–10 and what setting you have for the clipboard timeout option, you may find that the old password has been cleared from the clipboard by the time that you need to paste it. In this case, you can retrieve the old password from the Password History (which stores the 5 most recent passwords).

Unrelated Rant: Step 6 in the above password change procedure is an unnecessary annoyance, but it is a requirement that Bitwarden has implemented. If you agree that this extra confirmation step is superfluous and should be eliminated, please vote for the following feature request: