Change master password can only be done via the vault, bug disguised as feature?

Your website states “Since all of your data is fully encrypted before it ever leaves your device (…)”. Your website also states “Your master password can only be changed from the web vault”. Does this compute?

I also posted on Twitter if they/you would like to continue the discussion where more people notice it:
https://twitter.com/pirenpub/status/1257609623139385345

:sweat_smile: catchy title!

Hopefully, you saw the Twitter reply, but in short - the web vault runs an actual local vault on your machine that handles the heavy lifting. Truly - your data is never sent unencrypted.

2 Likes

I don't really understand how I then can log in to the web vault on a machine where I have not installed my local Bitwarden app. Tried to understand from the Bitwarden docs.

The web page instantiates a JavaScript version of the vault in your web browser, and that’s what you’re logging into with your email + master password.

Ah, ok. So if I view the developers options web console thing one can verify and not trust? If so, cool, and thanks for your answers.

BTW: if this isn't described in your docs I think it should be? That being said, I might not have looked closely enough.

Yep, you can check it out in the dev console and verify the source of the script.

As far as the docs go - I’m not sure exactly what you were needing, but we have a few docs that cover the encryption models and data:

https://bitwarden.com/help/article/what-encryption-is-used/
https://bitwarden.com/help/article/how-is-data-securely-transmitted-and-stored/

1 Like
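
Added example, not part of the thread and not Bitwarden's code: a simplified sketch of how a master password change can run entirely in client-side JavaScript, so that only ciphertext ever reaches a server. Assumptions of the sketch: PBKDF2-SHA256 salted with the email, AES-256-GCM, a random vault key wrapped by the master key, the iteration count, and all function names; Node's `crypto` module is used so it runs offline.

```javascript
// Added illustration: simplified model, not Bitwarden's code or exact scheme.
const nodeCrypto = require("node:crypto");

const KDF_ITERATIONS = 100000; // constructed value for this demo

// Stretch email + master password into a 256-bit key; runs only on the client.
function deriveMasterKey(email, masterPassword) {
  const salt = email.trim().toLowerCase();
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, "sha256");
}

// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified (GCM tag check).
function unseal(key, blob) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// A random vault key encrypts the items; the master key only wraps that vault key.
function createVault(email, masterPassword, items) {
  const vaultKey = nodeCrypto.randomBytes(32);
  return {
    email,
    wrappedVaultKey: seal(deriveMasterKey(email, masterPassword), vaultKey),
    items: items.map((item) => seal(vaultKey, Buffer.from(item, "utf8"))),
  };
}

// Password change on the client: unwrap with the old key, re-wrap with the new one.
// Only wrappedVaultKey changes; item ciphertexts stay as they are, no plaintext is uploaded.
function changeMasterPassword(vault, oldPassword, newPassword) {
  const vaultKey = unseal(deriveMasterKey(vault.email, oldPassword), vault.wrappedVaultKey);
  return { ...vault, wrappedVaultKey: seal(deriveMasterKey(vault.email, newPassword), vaultKey) };
}

function readItems(vault, masterPassword) {
  const vaultKey = unseal(deriveMasterKey(vault.email, masterPassword), vault.wrappedVaultKey);
  return vault.items.map((blob) => unseal(vaultKey, blob).toString("utf8"));
}
```

The vault object stands in for everything a server would store: the email, the wrapped key, and the encrypted items.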