Bitwarden doesn't use recovery codes anymore?

I’ve read through this thread with interest.

There is merit in rewording in places to emphasize what the recovery code is for, though I got it when I read it at the time I set up my account. However, no matter how strong, short/long, there will still be people who don’t take it in and who make assumptions.

I have mine printed on paper and also stored in secure vaults on memory sticks and online.

It sounds like someone is trying to hack your Bitwarden account all the time, hence your reluctance to print out such sheets. I’d be worried about that.

If someone is trying to hack your email accounts and so on regularly then that would not affect access to your Bitwarden account, unless you were using that particular email account to get 2FA codes when you log in to Bitwarden. I’m assuming that your account is backed up in a form that you can restore it to an account with a different email address if your email address is taken over.

I do have Bitwarden set up to email 2FA codes to an account if I request it during logon. This is as a result of my profile of risk of access to the account against security. The email account it goes to is a Gmail account not in regular use. It does have Advanced Protection turned on, which minimises the chances of an attacker being able to take it over.

I don’t trust Google or Microsoft (directly) with storing anything important. Google in particular had a long history of spying on users, in order to profile them and sell the profiles. If a product is “free” then you, or your data, is the product being sold.

Anything important which I store on them is very heavily encrypted, before it leaves my device. That is exactly what Bitwarden does, before it stores passwords on Microsoft servers.

I have accounts with both Google and Microsoft, but I am careful about what ends up on them.