Did Bitwarden remove recovery codes option?
Yesterday, I changed my master password on my personal computer and saved this new password in Bitwarden secure notes and also saved it in my Chrome browser. Then I set up a PIN to unlock it like I usually do, but it seems I forgot to untick the option which allows you to unlock your Bitwarden Chrome extension with the PIN without asking for the master password. So, today I arrived at my office and decided to log in. I opened my phone and thought I would retrieve my password from the Bitwarden app, from the secure notes where I saved my password, but it seems I’m logged out from there too and my fingerprint isn’t enough; it is still asking for the master password. I have my recovery code saved and thought I would be able to log in with my recovery code, but I don’t see such an option anymore, neither on my phone nor in the web vault. What happened? Don’t we use recovery codes anymore? I have stored so much valuable info there… I don’t want to delete my account.
To make it short: I have my recovery code, and I have access to my 2-step verification app. The only thing I don’t have is my master password, and I’m logged out on all devices. How do I log in?
Unfortunately, the recovery code provided by Bitwarden serves only the purpose of disabling the 2FA on your account. There is no method for bypassing your master password. Without your master password, your only option is to start over with a new account. If you are logged out of all Bitwarden apps on all devices, then there is also no mechanism for retrieving your vault data. I hope that you have been making backup copies of your vault, or else you have truly lost everything.
If I understand you correctly, you wrote that you saved your new password in your Chrome browser as well?! Then you should still have your password…
But for Bitwarden: maybe it would be better to write “2FA recovery code” explicitly throughout the vault, and not, in at least one place, only “recovery code”… (in German here you see only “Wiederherstellungscode” - it wouldn’t hurt to replace it with “2FA-Wiederherstellungscode” or something like that, to reduce the (avoidable) confusion…)
I agree completely. And then I studied psychology… and some people tend to overread it a few times - and don’t read the long explanation (which I think is really good!) - and just read what “pops out”… And in doubt that is “ah, there is the ‘recovery code’ for my vault”…
To double down on it: yes, everything perfect! But consider to also change it to “View 2FA-Recovery Code”. The best mistake is the mistake that can’t happen.
Hey guys, fortunately, I got access to my Bitwarden. It seems I saved my new Bitwarden master password in Microsoft’s OneNote and it saved me; otherwise I would have lost everything. And no, I don’t make backups of my vault. I don’t know how to do that and, to be honest, didn’t even know Bitwarden had this feature.
No, I usually save my passwords in my Chrome browser too, but not the passwords of very important websites like Bitwarden, Google and Microsoft; those and my bank account passwords aren’t stored in Chrome’s password manager, for better security.
Glad to hear you were able to get back into your vault. To protect yourself from future data loss, it is recommended to do the following:
Create an Emergency Sheet and store it in a secure location (using a security envelope, if you wish); at a minimum, this emergency sheet should contain your username, master password, and 2FA recovery code — and, if applicable, the password(s) for any encrypted backup files.
Regularly create backups of your vault data. There are different approaches to this, but there are two ways that I personally would recommend. One method (password-protected exports) is described here; if you use this method, remember to document your backup file password on your Emergency Sheet. An alternative method is to regularly create a copy of the contents of the folder %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb (which contains the local vault cache used by your Chrome browser extension — assuming you are on a Windows system); for example, create a ZIP archive and copy the folder contents into the ZIP archive.
I would like to say this was totally not clear to me, until I read this thread.
My expectation was:
I have my password
I have enabled 2FA for my account
I have saved my recovery code
=> Now, if something goes wrong and I forget either my password OR the 2FA code, I can enter the recovery code instead and all is good.
IMO the documentation does not make that clear at all.
FTR, I am a developer (Java/Kotlin/backend currently) and I am used to reading documentation. I also read almost all the documentation from BW before making an account, and this was still unexpected to me.
This is exactly how I thought too: that since I had my recovery code and had 2FA enabled, I would be safe even if I lost my password. On other websites I have used recovery codes to gain access back to my account; I don’t remember which websites they were, maybe Google… And I thought it would be the same with Bitwarden.
I don’t want to use an Emergency Sheet, because when something bad happens, like someone trying to hack my account and log in to my email or etc., I immediately change my password, and I don’t want to keep printing a new password sheet all the time. Plus, if I’m not home, I won’t be able to log in to my Bitwarden or even my email without that sheet, which is something I don’t want. I think I’ll be fine by having my Bitwarden, Google and Microsoft passwords in Bitwarden, Google Keep and Microsoft OneNote. It’s not easy to hack those websites, but if I get a notification about a login attempt by someone, I’ll change passwords. Plus, it’s not easy to hack them, since I have enabled 2FA on all 3 websites.
To be clear, the emergency sheet is only for your Bitwarden login credentials. If your Bitwarden account gets hacked, you will have much more important things to worry about than the inconvenience of having to print a new emergency sheet.
That doesn’t make sense. If you are currently able to log in to your Bitwarden account (without an emergency sheet), how is the creation of an emergency sheet going to prevent you from logging in the same way you are doing now?
You know that hackers don’t have to use the login forms and 2FA to steal your information, right? If the servers are compromised, all of your information can just be copied directly from the servers.
In any case, the point of the emergency sheet is to have a separate record of your Bitwarden master password, username, and 2FA recovery code available outside your Bitwarden vault, to prevent you from getting locked out of your account. Whether you store the information on paper or digitally, and your choice of storage location, primarily affect the security of your vault — and this is an individual decision that you have to make by analyzing your personal threat model.
As I said before: in doubt, someone will only read “view recovery code” (which “pops out”) and overread the rest.
And on second thought, the explanatory text can (not must, but can!) be misleading as well. It says: “A recovery code allows you to access your account…” Of course there follows the part “… in the event you can not use your normal 2fa…”, but trust me - some people will stop reading after “… to access your account…”.
But instead of beginning the sentence with “A recovery code allows you to access your account…”, I think it would be better, for example, to write “A recovery code replaces only your normal 2FA / second step… it does not replace your first step (master password)…”
Also, to be double, triple, quadruple… safe (by the way: maybe this is warranted, because your complete collection of passwords is nothing you want to lose), the last sentence could be more explicit as well: “We recommend you write down or print the recovery code (besides your master password, which you still need for login with the recovery code) and keep it in a safe place.” (or something like that)
I meant, if I for example start a new job at a new place and I get a new computer, I definitely will need passwords for the sites I frequently use and I will need the Bitwarden extension there, and to access Bitwarden I will need the master password, which in the case of an emergency sheet will be lying at my home; but if I have stored that password in my Microsoft account, Google Keep or the Bitwarden app on my phone, I can easily get access there. So, I think I prefer to store that password on those 3 websites. Plus, Google, Microsoft and Bitwarden servers are very hard to hack. I never even heard that someone hacked their servers.
That is not an “emergency”. The emergency sheet is for emergencies (like memory loss, loss of your 2FA devices, etc.). FYI, recommended practice is to memorize your master password (so that your emergency sheet is not needed unless you’ve experienced some kind of memory loss, temporary or permanent).
I have a very bad memory and can’t memorize it, especially if I use randomly generated symbols and letters for my master password.
If I’m not logged out from the Bitwarden app, I can retrieve it; my master password is in my Bitwarden secure notes.
It’s possible to be logged out from both platforms, but with a 0.01% chance. Let’s say my phone got damaged and is not functional anymore; I still have access to my home desktop computer and work desktop computer. The home computer has Google, Microsoft and Bitwarden all logged in, and the work computer has access to my Bitwarden Chrome extension, but it is protected with a PIN. So, it’s very unlikely that I lose access to all devices at the same time, unless some devastating earthquake happens or something like that, which is unlikely to happen.
Right now, the passwords of Google, Microsoft and Bitwarden along with their recovery codes are stored in Bitwarden, Google Keep and OneNote.
How did the developer in you imagine how the recovery password would enable a reset of your master password? This is a zero knowledge environment precisely making the master password absolutely crucial.
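To make the zero-knowledge point above concrete, here is an added toy model (my own sketch, not Bitwarden's code): the server can check a login hash and a 2FA recovery code, but it only ever holds the vault as ciphertext under a key derived from the master password, so disabling 2FA with the recovery code never unlocks anything. The KDF parameters, the SHAKE-based stand-in cipher and all account values are assumptions for the illustration.

```python
import hashlib, hmac, os

def master_key(master_password: str, email: str) -> bytes:
    # Derived on the client from the master password; it never leaves the device.
    # Iteration count is illustrative, not Bitwarden's actual setting.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), 100_000)

def auth_hash(key: bytes, master_password: str) -> bytes:
    # One further one-way step; this hash is all the server ever receives at login.
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream from SHAKE256(key || nonce): a stdlib-only stand-in for a real cipher.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()  # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key: the vault stays encrypted")
    return _xor_stream(key, nonce, body)

class Server:
    # Holds only the auth hash, a hash of the 2FA recovery code, and ciphertext.
    def __init__(self, auth: bytes, recovery_code: str, vault_blob: bytes):
        self.auth, self.vault_blob, self.two_fa_on = auth, vault_blob, True
        self.recovery_hash = hashlib.sha256(recovery_code.encode()).digest()
    def login(self, auth: bytes, recovery_code: str = "") -> bytes:
        if not hmac.compare_digest(auth, self.auth):
            raise PermissionError("first step failed: master password required")
        given = hashlib.sha256(recovery_code.encode()).digest()
        if self.two_fa_on and not hmac.compare_digest(given, self.recovery_hash):
            raise PermissionError("second step failed")
        self.two_fa_on = False  # a recovery code only switches 2FA off, nothing more
        return self.vault_blob  # still ciphertext: the server cannot read it either

def demo() -> dict:
    email, pw, code = "user@example.com", "correct horse battery staple", "ABCD-EFGH"  # constructed
    key, note = master_key(pw, email), b"secure note: my new master password"
    server = Server(auth_hash(key, pw), code, encrypt(key, note))
    out = {"master_pw_and_recovery_code": decrypt(key, server.login(auth_hash(key, pw), code)) == note}
    try:  # master password lost: try to use the recovery code in its place
        server.login(auth_hash(master_key(code, email), code), code)
        out["recovery_code_alone"] = True
    except PermissionError:
        out["recovery_code_alone"] = False
    return out
```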
My thought process is (still using “is”, even though now I have the correct explanation) that 2-step means: the combination of pass + generated code. They go together. Therefore, I expected that the “recovery code” for the “2 step auth” allows me to re-login independent of the pass or the generated code.
I don’t know how else to explain it, you know? It just wasn’t obvious.
Is my explanation above enough? You may consider it a “long-time brain fart” if you want. But that is what I believed.