Change password without knowing the Master one

Hi guys,
I hope you can help me.

A few months ago, I decided to change my Bitwarden Master Password due to multiple brute-force attacks on my account. I have two-factor authentication enabled so this prevented any successful breaches.
But I neglected to record the new password…
So currently, I can access my account only through an authorized device, but I’m unable to change the master password or export my data for account migration. :sweat_smile:

How can I fix this situation?

Thanks,
Riccardo

@a3liu Hi!

Short first answer (no time), but I just saw your post and wanted to provide some first hints:

  1. Deactivate the internet connection on the device where you still have access, so that you don’t lose access here. (PS: and don’t log out here!)
  2. If you can’t export, copy/write down every vault item manually.
  3. Without the master password it is “game-over” - somehow remembering it would be your only chance. (PS: no, the master password can’t be “circumvented” somehow… no, Bitwarden can’t restore or change it… that is all by design and for security…)
  4. Start a new account and delete the old one afterwards. (if you have access to the email address, the account can be deleted without master password)

Possibly not the complete list (others may add something) - but I think in short your situation…

Good luck!

3 Likes

Once you move to your next vault, maybe you can use some of these to not have the problem again.

  1. Never neglect your emergency sheet, write your password down before you change it, write your recovery code down.

https://passwordbits.com/emergency-sheet.html

  2. You can store your master password in BW, but you will need to protect your device well and lock your BW often.
  3. You can put where you keep your emergency sheet in the Bitwarden password hint which can be emailed to you if needed.
  4. You can have your loved one keep your master password, without telling them your BW email address/alias.
  5. You can use the Shamir secret sharing algorithm to split your password and have your friends keep separate parts.

https://simon-frey.com/s4/

  6. Make regular exported backups. This will keep you sane and help in starting over.

1 Like
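The Shamir secret sharing suggestion in the post above works like this in practice. The following is an added illustration written for this thread, not code from the post or from the linked s4 tool: a k-of-n split over a prime field, where any k shares reconstruct the secret and fewer than k reveal nothing about it. The prime, the framing byte and the sample passphrase are my own choices for the demo.

```python
"""Shamir secret sharing over a prime field (added example; not Bitwarden's code)."""
import secrets

# Mersenne prime 2^521 - 1: a secret of up to 64 bytes fits comfortably below it.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` (x, y) shares; any `threshold` of them rebuild it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    # 0x01 framing byte so leading zero bytes of the secret survive the int round trip
    s = int.from_bytes(b"\x01" + secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for this field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 and decode the secret bytes."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = s.to_bytes((s.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        # Too few shares interpolate a different polynomial; the framing byte catches most cases.
        raise ValueError("shares do not reconstruct a valid secret")
    return raw[1:]


def demo():
    """Constructed walkthrough: a 3-of-5 split of a sample passphrase."""
    secret = b"correct horse battery staple"  # constructed sample, not a real password
    shares = split_secret(secret, threshold=3, share_count=5)
    three_ok = recover_secret(shares[:3]) == secret
    mixed_ok = recover_secret([shares[0], shares[2], shares[4]]) == secret
    try:
        two_fail = recover_secret(shares[:2]) != secret
    except ValueError:
        two_fail = True
    return three_ok, mixed_ok, two_fail


if __name__ == "__main__":
    print(demo())
```

Each friend gets one (x, y) pair; the x value must be kept with the share, and the field prime and framing rule must be written on the emergency sheet too, or the shares cannot be recombined later.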

@a3liu Welcome to the forum!

:warning: Please urgently follow the advice provided by @Nail1684 above — you are currently at high risk of permanently losing access to all of your vault contents. In particular, for the device where you can still use Bitwarden:

  1. Disconnect the device completely from the internet (remove any Ethernet cables, and disable WiFi).
  2. Do not log out of Bitwarden. If the Bitwarden app that you still have access to happens to be the Web Vault app, then do not close the browser tab that contains the Bitwarden Web Vault.
  3. Attempt to export your vault contents, in the form of an unencrypted .json file. You will be prompted for your master password — please try both your old and your new master password. If the Bitwarden app that you still have access to happens to be a browser extension or the Web Vault app, then there is an advanced technique for disabling the export function’s master password requirement.
  4. If the export didn’t work (because the master password was not accepted), go through your vault items one-by-one, and manually copy all information that you wish to keep.
  5. If the export did work, and if your working Bitwarden app is anything but a mobile app, then type >attachments:* into the Bitwarden search bar, to find all vault items with file attachments. Manually download each attachment that you wish to keep, if you have not already done so.

Let us know when you have completed the above. After you have secured a copy of your vault contents (or if you would rather lose data than have to manually copy everything), we can try a risky maneuver to get access to a browser extension or web vault, which would make it possible to create a proper .json export and search for file attachments (in case you were not able to do so while completing the above instructions).

To make it easier to provide advice, please also let us know:

  • What kind of app (Desktop, mobile, Web Vault, browser extension, or CLI) is still authorized?
  • Was this app authorized using the new master password (before you forgot it), or did it remain logged in with the old master password after you did the password change?
  • What is the operating system, and what kind of web browser do you use?
  • Do you have a Premium subscription, and if so, have you ever uploaded any files into Bitwarden?
  • Do you use features like Send or Emergency Access?

Hey guys!
I was lucky: I recovered my master password! :star_struck: :heart_eyes: :smiling_face_with_three_hearts:

Now, I’ll proceed to update the BitWarden item on the app, and write it on the emergency sheet! <3

Thanks guys

1 Like

Glad to hear that you’re in business again.

Just to avoid misleading future readers of this thread, what you meant is that you remembered your new master password (or were able to somehow reconstruct it by retracing the steps you had taken to generate the password), correct?

By design, there is no mechanism available in Bitwarden to “recover” one’s master password when it has been lost/forgotten (nor will Bitwarden’s customer support be able to assist with such attempts).

1 Like

You are right:
I found the password used as master in a note.
I didn’t recover it properly.

When you lose your master password, there’s no chance to export/download your data or change email/password…
So, don’t forget your master password!

Thanks for all the steps showed by you and the others.

Riccardo

Write it down on a (securely stored) paper Emergency Sheet, as advised by @Neuron5569 above. In addition, don’t forget to write down (or print) your 2FA reset code.

Maybe a short simplified (yeah, looking at you @grb :sweat_smile:) explanation, why a master password is different than an ordinary password (I think, people often don’t see that or forget that - and maybe interesting for later readers):

  1. A master password doesn’t only make it possible to “log in” to the Bitwarden account, as we know it from almost every others passwords/accounts…
  1. A master password doesn’t only make it possible to “log in” to the Bitwarden account, as we know it from almost every other password/account…
  3. … Because changing the master password would require decrypting the vault first - and for that the current master password is needed but Bitwarden doesn’t have it (“zero knowledge”)… then it could be encrypted with a new master password… So, the current master password is needed for changing the master password, which is the problem then when you don’t have your master password any more. :man_shrugging:

And that is why a master password is not similar to an ordinary password, which (the latter) can be reset/changed by the related services…

(as I said, of course a simplified explanation… and maybe not very eloquently expressed… maybe I revise that when my language skills come back to me)

1 Like

Just a minor technical correction:

Changing the master password only requires decrypting the Protected Symmetric Key (unless you are also rotating the account encryption key when changing the master password).

1 Like
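The simplified explanation above and the correction that follows it can be shown in working code. The following is an added toy model written for this thread, not Bitwarden’s implementation: the master password is stretched into a key-encryption key on the client, that key wraps a random symmetric key (the “Protected Symmetric Key”), and the symmetric key encrypts the vault items. Changing the master password only re-wraps the symmetric key and leaves the item ciphertexts untouched, and without the old password the unwrap fails, so nothing can be re-wrapped. The KDF iteration count, the use of the e-mail address as salt, and the HMAC-based cipher are assumptions standing in for the real design.

```python
"""Toy model of master-password-based vault encryption (added example, not Bitwarden's code)."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # demo value; a real product tunes this much higher


def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the master password. Computed on the client only;
    the server never receives the password or this key ("zero knowledge")."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 32)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF (real products use AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first: a wrong key fails cleanly instead of producing garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def create_account(master_password: str, email: str) -> dict:
    """What the server ends up storing: a KDF salt, the protected (wrapped)
    symmetric key, and encrypted items. None of it decrypts without the password."""
    salt = email.encode()       # assumption: e-mail address as the KDF salt
    sym_key = os.urandom(32)    # the key that actually encrypts the vault
    protected = encrypt(derive_kek(master_password, salt), sym_key)
    return {"salt": salt, "protected_sym_key": protected, "items": []}


def unlock(account: dict, master_password: str) -> bytes:
    """Client-side unlock: rebuild the KEK and unwrap the symmetric key."""
    return decrypt(derive_kek(master_password, account["salt"]), account["protected_sym_key"])


def add_item(account: dict, master_password: str, name: str, secret: str) -> None:
    sym_key = unlock(account, master_password)
    account["items"].append((name, encrypt(sym_key, secret.encode())))


def read_items(account: dict, master_password: str) -> list:
    sym_key = unlock(account, master_password)
    return [(name, decrypt(sym_key, blob).decode()) for name, blob in account["items"]]


def change_master_password(account: dict, old_password: str, new_password: str) -> None:
    """Only the protected symmetric key is re-wrapped; item ciphertexts stay as they are.
    Without the old password, unlock() raises and the change cannot happen."""
    sym_key = unlock(account, old_password)
    account["protected_sym_key"] = encrypt(derive_kek(new_password, account["salt"]), sym_key)


if __name__ == "__main__":
    acct = create_account("old-master-pw", "user@example.com")  # constructed sample values
    add_item(acct, "old-master-pw", "bank", "hunter2")
    change_master_password(acct, "old-master-pw", "new-master-pw")
    print(read_items(acct, "new-master-pw"))
```

Because the server only ever holds the wrapped key and the ciphertexts, a “reset” would mean discarding the wrapped key, which is the same as discarding the vault. Rotating the account encryption key, as the correction mentions, is the one case where the items themselves would have to be re-encrypted under a fresh symmetric key.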