Did Bitwarden remove recovery codes option?
Yesterday, I changed my master password on my personal computer and saved this new password in Bitwarden secure notes, and also saved it in my Chrome browser. Then I set up a PIN to unlock it like I usually do, but it seems I forgot to untick the option which allows you to unlock your Bitwarden Chrome extension with the PIN without asking for the master password. So, today I arrived at my office and decided to log in. I opened my phone and thought I would retrieve my password from the Bitwarden app, from the secure notes where I saved my password, but it seems I'm logged out from there too, and my fingerprint isn't enough; it is still asking for a master password. I have a recovery code saved and thought I would be able to log in with my recovery code, but I don't see such an option anymore, neither on my phone nor on the website vault. What happened? Don't we use recovery codes anymore? I have stored so much valuable info there… I don't want to delete my account.
To make it short: I have the recovery code, I have access to the 2-step verification app. The only thing I don't have is the master password, and I'm logged out on all devices. How do I log in?
Unfortunately, the recovery code provided by Bitwarden serves only the purpose of disabling the 2FA on your account. There is no method for bypassing your master password. Without your master password, your only option is to start over with a new account. If you are logged out of all Bitwarden apps on all devices, then there is also no mechanism for retrieving your vault data. I hope that you have been making backup copies of your vault, or else you have truly lost everything.
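The zero-knowledge point in the reply above, as an added toy model (not Bitwarden's code or its actual scheme): the KDF iteration count, the stand-in cipher and the server record layout are constructed assumptions chosen to keep the script stdlib-only. What the model does show is the structure the reply relies on: the server holds only a hash of a key derived from the master password plus an opaque encrypted blob, and the recovery code is consulted only at the second login step, so it can switch 2FA off but cannot produce the key that opens the vault.

```python
"""Why a 2FA recovery code cannot stand in for the master password.

Constructed toy model (added example, not Bitwarden's implementation).
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

KDF_ITERATIONS = 50_000  # assumption, kept low so the demo runs quickly


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 32-byte key. Never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS)


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2 round yields the value sent for login,
    so the server sees a hash of the key rather than the key itself."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (HMAC counter-mode stream + HMAC tag) standing in
    for a real AEAD. Illustration only; never use this construction for real."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def register(email: str, master_password: str, vault: bytes) -> tuple:
    """Server-side record: only hashes and the encrypted blob are stored.
    The recovery code is shown to the user once; the server keeps its hash."""
    key = derive_master_key(master_password, email)
    recovery_code = secrets.token_hex(16)
    record = {
        "auth_hash": hashlib.sha256(auth_hash(key, master_password)).digest(),
        "two_factor_enabled": True,
        "recovery_code_hash": hashlib.sha256(recovery_code.encode()).digest(),
        "encrypted_vault": encrypt_vault(key, vault),
    }
    return record, recovery_code


def login(record: dict, email: str, master_password: str,
          totp_ok: bool = False, recovery_code: Optional[str] = None) -> Optional[bytes]:
    """Two-step decision. Step 1 is always the master password; step 2 is TOTP
    or the recovery code. Returns the encrypted blob on success, else None."""
    key = derive_master_key(master_password, email)           # computed on the client
    presented = hashlib.sha256(auth_hash(key, master_password)).digest()
    if not hmac.compare_digest(presented, record["auth_hash"]):
        return None                                           # step 1 failed; code never consulted
    if record["two_factor_enabled"] and not totp_ok:
        if recovery_code is None:
            return None
        code_hash = hashlib.sha256(recovery_code.encode()).digest()
        if not hmac.compare_digest(code_hash, record["recovery_code_hash"]):
            return None
        record["two_factor_enabled"] = False                  # all the code does: turn 2FA off
    return record["encrypted_vault"]


def scenario() -> dict:
    """Replays the thread: user holds the recovery code but not the password."""
    email, pw = "user@example.com", "correct horse battery staple"     # constructed
    record, code = register(email, pw, b"secure note: the thing I must not lose")
    blob = login(record, email, pw, recovery_code=code)               # password + code works
    results = {
        "pw_and_code": decrypt_vault(derive_master_key(pw, email), blob) is not None,
        "code_without_pw": login(record, email, "forgotten?", recovery_code=code),
        "two_factor_now_off": not record["two_factor_enabled"],
        # Even if the stored blob were simply handed over, a key derived from
        # the wrong password cannot open it.
        "blob_with_wrong_key": decrypt_vault(derive_master_key("forgotten?", email),
                                             record["encrypted_vault"]),
    }
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running it shows the asymmetry the reply describes: the recovery code gets the user past the second step, and nothing else, while the vault key only ever exists on a client that knows the master password.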
If I understand you correctly, you wrote that you also saved your new password in your Chrome browser?! Then you should still have your password…
But for Bitwarden: maybe it would be better to write explicitly "2FA recovery code" throughout the vault, and not, in at least one place, only "recovery code"… (in German, here you see only "Wiederherstellungscode" [recovery code]; it wouldn't hurt to replace it with "2FA-Wiederherstellungscode" or something like that, to reduce the (avoidable) confusion…)
The phrase "two-step login" is used four times on this tab. Furthermore, when the button is pressed, the display of the 2FA recovery code looks like this:
I think it is pretty clear that this recovery code is to be used only for recovering from a loss of access to the account 2FA.
I agree completely. And then I studied psychology… and some people tend to overread it a few times, and don't read the long explanation (which I think is really good!), and just read what "pops out"… And in doubt that is "ah, there is the 'recovery code' for my vault"…
To double down on it: yes, everything is perfect! But consider also changing it to "View 2FA Recovery Code". The best mistake is the mistake that can't happen.
Hey guys, fortunately, I got access to my Bitwarden. It seems I saved my new Bitwarden master password in Microsoft's OneNote and it saved me; otherwise I would have lost everything. And no, I don't make backups of my vault. I don't know how to do that and, to be honest, I didn't even know Bitwarden had this feature.
No, I usually save my passwords in my Chrome browser too, but not the passwords of very important websites like Bitwarden, Google and Microsoft; those and my bank account passwords aren't stored in Chrome's password manager, for better security.
Glad to hear you were able to get back into your vault. To protect yourself from future data loss, it is recommended to do the following:
Create an Emergency Sheet and store it in a secure location (using a security envelope, if you wish); at a minimum, this emergency sheet should contain your username, master password, and 2FA recovery code, and, if applicable, the password(s) for any encrypted backup files.
Regularly create backups of your vault data. There are different approaches to this, but there are two ways that I personally would recommend. One method (password-protected exports) is described here; if you use this method, remember to document your backup file password on your Emergency Sheet. An alternative method is to regularly create a copy of the contents of the folder %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb (which contains the local vault cache used by your Chrome browser extension, assuming you are on a Windows system); for example, create a ZIP archive and copy the folder contents into the ZIP archive.
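The second backup method above (zipping the extension's local cache folder), as an added script that is not part of the original post. The source path is the one the post gives (Windows, Chrome, default profile, extension id nngceckbapebfimnlniiiahkandclblb); the backup directory, the retention count, the checksum file name and the command-line arguments are assumptions. It refuses to write an empty archive, records a SHA-256 per snapshot, and prunes old snapshots, since a backup routine that silently produces nothing is the failure mode the post is warning about.

```python
"""Snapshot the browser extension's local vault cache into a dated ZIP.

Added example, not from the original post. Source path follows the post;
backup directory, retention count and checksum file name are assumptions.
"""
import hashlib
import os
import sys
import zipfile
from datetime import datetime
from pathlib import Path
from typing import List, Optional

EXTENSION_ID = "nngceckbapebfimnlniiiahkandclblb"  # from the post


def default_source() -> Path:
    """%LocalAppData%\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\<id>"""
    local = os.environ.get("LOCALAPPDATA", "")
    return (Path(local) / "Google" / "Chrome" / "User Data" / "Default"
            / "Local Extension Settings" / EXTENSION_ID)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def prune(backup_dir: Path, keep: int) -> List[Path]:
    """Delete all but the `keep` newest snapshots (names sort by timestamp);
    returns what was removed."""
    snaps = sorted(backup_dir.glob("bitwarden-cache-*.zip"), key=lambda p: p.name)
    removed = snaps[:-keep] if keep > 0 else snaps
    for p in removed:
        p.unlink()
    return removed


def snapshot(source: Path, backup_dir: Path, keep: int = 10,
             stamp: Optional[str] = None) -> Path:
    """Zip every file under `source` into backup_dir/bitwarden-cache-<stamp>.zip,
    append its SHA-256 to SHA256SUMS.txt, then prune to `keep` snapshots.
    Raises if the source is missing or empty rather than writing an empty ZIP."""
    if not source.is_dir():
        raise FileNotFoundError(f"extension cache folder not found: {source}")
    files = sorted(p for p in source.rglob("*") if p.is_file())
    if not files:
        raise RuntimeError(f"nothing to back up in {source}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    zip_path = backup_dir / f"bitwarden-cache-{stamp}.zip"
    # mode "x": never overwrite an existing snapshot
    with zipfile.ZipFile(zip_path, "x", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            zf.write(p, arcname=p.relative_to(source).as_posix())
    with (backup_dir / "SHA256SUMS.txt").open("a", encoding="utf-8") as sums:
        sums.write(f"{sha256_of(zip_path)}  {zip_path.name}\n")
    prune(backup_dir, keep)
    return zip_path


def verify(zip_path: Path) -> bool:
    """Re-read the archive; every member's CRC must check out."""
    with zipfile.ZipFile(zip_path) as zf:
        return zf.testzip() is None


if __name__ == "__main__":
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else default_source()
    dest = (Path(sys.argv[2]) if len(sys.argv) > 2
            else Path.home() / "Backups" / "bitwarden-cache")   # assumption
    out = snapshot(src, dest)
    print(out, "ok" if verify(out) else "CORRUPT")
```

Two caveats for anyone using this: Chrome keeps the cache's database files open while it runs, so take the snapshot with the browser closed to avoid an inconsistent copy; and although the cached vault data is itself encrypted, the ZIP adds no protection of its own, so store the snapshots where you would store the vault export.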
I would like to say this was totally not clear to me, until I read this thread.
My expectation was:
I have my password
I have enabled 2FA for my account
I have saved my recovery code
=> Now, if something goes wrong and I forget either my password OR the 2FA code, I can enter the recovery code instead and all is good.
IMO the documentation does not make that clear at all.
FTR, I am a developer (Java/Kotlin/backend currently) and I am used to reading documentation. I also read almost all the documentation from BW before making an account, and this was still unexpected to me.
@bw-admin do you think it's possible to update the wording on this topic in the documentation, to make it explicit that recovery codes will not save you from password loss, only from 2FA loss?
This is exactly how I thought too: that since I had a recovery code and had 2FA enabled, I would be safe even if I lost my password. On other websites I have used recovery codes to regain access to my account; I don't remember which websites they were, maybe Google… And I thought it would be the same with Bitwarden.
I don't want to use an emergency sheet, because when something bad happens, like someone tries to hack my account and log in to my email or whatever, I immediately change my password, and I don't want to keep printing a new password sheet all the time. Plus, if I'm not at home, I won't be able to log in to my Bitwarden or even my email without that sheet, which is something I don't want. I think I'll be fine by having my Bitwarden, Google and Microsoft passwords in Bitwarden, Google Keep and Microsoft OneNote. It's not easy to hack those websites, but if I get a notification about a login attempt by someone, I'll change passwords. Plus, it's not easy to hack them, since I have enabled 2FA on all 3 websites.
The wording "TWO-STEP LOGIN Recovery Code" (emphasis in the original) was not sufficiently explicit?
I'm not doubting that this didn't adequately convey the purpose of the codes to you; I just want to understand what your thought process was when you saw this labelling.
To be clear, the emergency sheet is only for your Bitwarden login credentials. If your Bitwarden account gets hacked, you will have much more important things to worry about than the inconvenience of having to print a new emergency sheet.
That doesn't make sense. If you are currently able to log in to your Bitwarden account (without an emergency sheet), how is the creation of an emergency sheet going to prevent you from logging in the same way you are doing now?
You know that hackers don't have to use the login forms and 2FA to steal your information, right? If the servers are compromised, all of your information can just be copied directly from the servers.
In any case, the point of the emergency sheet is to have a separate record of your Bitwarden master password, username, and 2FA recovery code available outside your Bitwarden vault, to prevent you from getting locked out of your account. Whether you store the information on paper or digitally, and your choice of storage location, primarily affect the security of your vault, and this is an individual decision that you have to make by analyzing your personal threat model.
As I said before: in doubt, someone will only read "view recovery code" (which "pops out") and overread the rest.
And on second thought, the explanatory text can (not must, but can!) be misleading as well. It says: "A recovery code allows you to access your account…" Of course there follows the part "… in the event you cannot use your normal 2FA…", but trust me, some people will stop reading after "… to access your account…".
But instead of beginning the sentence with "A recovery code allows you to access your account…", I think it would be better, for example, to write "A recovery code replaces only your normal 2FA / second step… it does not replace your first step (master password)…"
Also, to be double, triple, quadruple… safe (by the way: maybe this is warranted, because your complete collection of passwords is nothing you want to lose), the last sentence could be more explicit as well: "We recommend you write down or print the recovery code (besides your master password, which you still need in order to log in with the recovery code) and keep it in a safe place." (or something like that)
I meant, if I for example start a new job at a new place and I get a new computer, I definitely will need passwords for the sites I frequently use, and I will need the Bitwarden extension there, and to access Bitwarden I will need my master password, which in the case of an emergency sheet will be lying at my home; but if I have stored that password in my Microsoft account, Google Keep or the Bitwarden app on my phone, I can easily get access there. So, I think I prefer to store that password on those 3 websites. Plus, Google, Microsoft and Bitwarden servers are very hard to hack. I never even heard that someone hacked their servers.
That is not an "emergency". The emergency sheet is for emergencies (like memory loss, loss of your 2FA devices, etc.). FYI, recommended practice is to memorize your master password (so that your emergency sheet is not needed unless you've experienced some kind of memory loss, temporary or permanent).
I have a very bad memory and can't memorize it, especially if I use randomly generated symbols and letters for my master password.
If I'm not logged out of the Bitwarden app, I can retrieve it; my master password is in my Bitwarden secure notes.
It's possible to be logged out of both platforms, but with 0.01% probability. Let's say my phone gets damaged and is not functional anymore; I still have access to my home desktop computer and my work desktop computer. The home computer has Google, Microsoft and Bitwarden all logged in, and the work computer has access to my Bitwarden Chrome extension, but it is protected with a PIN. So, it's very unlikely that I lose access to all devices at the same time, unless some devastating earthquake happens or something like that, which is unlikely to happen.
Right now, the passwords for Google, Microsoft and Bitwarden, along with their recovery codes, are stored in Bitwarden, Google Keep and OneNote.
How did the developer in you imagine how the recovery password would enable a reset of your master password? This is a zero knowledge environment precisely making the master password absolutely crucial.
My thought process is (still "is", even though now I have the correct explanation) that 2-step means: the combination of password + generated code. They go together. Therefore, I expected that the "recovery code" for the "2-step auth" allows me to re-login independent of the password or the generated code.
I don't know how else to explain it, you know? It just wasn't obvious.
Is my explanation above enough? You may consider it a "long-time brain fart" if you want. But that is what I believed.