Do not use the master password for account login

Currently the master password is the same as the account login/sync password. And the only way to register an account is online. So when registering and logging in, you are sending the master password to the server. The account and syncing should use a separate password that cannot be used to decrypt the vault.

No, you are not.


OK, thanks for clarifying. Glad they already had this in mind.

Bitwarden does have a Security White Paper that goes over how all this works.


As already explained, the master password is never transmitted to the servers. In addition, if you wish to use a separate password to decrypt (unlock) the apps on your devices, you can enable the option “Unlock with PIN” (on non-mobile devices, the “PIN” can contain any type of character, so it is in effect an alternative password).

Closing this request as implemented (already existing feature).

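As an added illustration of the pattern the replies describe (this is example code written for this page, not code from the thread and not Bitwarden's own implementation or the exact scheme in its Security White Paper), here is a minimal Python sketch of how a client can log in without ever sending the master password: the vault key is derived locally from the master password, a second one-way derivation produces the value sent for authentication, and the server stores only a salted hash of that value. A local "unlock with PIN" step that wraps the vault key under a PIN-derived key is included as well. PBKDF2-SHA256, the iteration count, the toy `Server` class, and the XOR-plus-HMAC key wrap are all illustrative assumptions.

```python
import hashlib
import hmac
import os

# Work factor for the password-stretching step. Illustrative assumption,
# not a value taken from the thread or from any particular product.
STRETCH_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. This key protects the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               STRETCH_ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. A second one-way derivation yields the value that is actually
    sent to the server. Knowing it reveals neither the password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=32)


class Server:
    """Constructed stand-in for the account service. It stores a salted, stretched
    hash of the client's auth hash; it never sees the master password or vault key."""

    def __init__(self):
        self.accounts = {}
        self.last_request = None  # constructed: records what went over the wire

    def _stretch(self, auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, STRETCH_ITERATIONS, dklen=32)

    def register(self, email: str, auth_hash: bytes) -> None:
        self.last_request = {"email": email, "auth_hash": auth_hash}
        salt = os.urandom(16)
        self.accounts[email] = (salt, self._stretch(auth_hash, salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        self.last_request = {"email": email, "auth_hash": auth_hash}
        record = self.accounts.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._stretch(auth_hash, salt), stored)


def client_register(server: Server, email: str, master_password: str) -> bytes:
    """Register online; only the derived auth hash leaves the client."""
    vault_key = derive_vault_key(master_password, email)
    server.register(email, derive_auth_hash(vault_key, master_password))
    return vault_key


def client_login(server: Server, email: str, master_password: str):
    """Log in; returns the locally derived vault key on success, None on failure."""
    vault_key = derive_vault_key(master_password, email)
    if not server.login(email, derive_auth_hash(vault_key, master_password)):
        return None
    return vault_key


def wrap_vault_key_with_pin(vault_key: bytes, pin: str):
    """Local only. Derive a wrapping key and a MAC key from the PIN with a fresh salt,
    XOR-wrap the 32-byte vault key (one-time pad, since the wrapping key is used once)
    and append an HMAC so a wrong PIN is detected rather than yielding garbage."""
    salt = os.urandom(16)
    material = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                                   STRETCH_ITERATIONS, dklen=64)
    wrap_key, mac_key = material[:32], material[32:]
    wrapped = bytes(a ^ b for a, b in zip(vault_key, wrap_key))
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return salt, wrapped + tag


def unwrap_vault_key_with_pin(salt: bytes, blob: bytes, pin: str):
    """Local only. Returns the vault key, or None if the PIN is wrong."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                                   STRETCH_ITERATIONS, dklen=64)
    wrap_key, mac_key = material[:32], material[32:]
    wrapped, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(mac_key, wrapped, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))


if __name__ == "__main__":
    server = Server()
    email, password = "alice@example.com", "correct horse battery staple"  # constructed
    key = client_register(server, email, password)
    print("password on the wire:", password.encode() in server.last_request["auth_hash"])
    print("login ok:", client_login(server, email, password) == key)
    print("wrong password rejected:", client_login(server, email, "wrong") is None)
    pin_salt, pin_blob = wrap_vault_key_with_pin(key, "1234")
    print("PIN unlock ok:", unwrap_vault_key_with_pin(pin_salt, pin_blob, "1234") == key)
```

The point of the two-stage derivation is that the server-side record, even if stolen, is a stretched hash of a value that is itself one-way derived from the vault key, so compromise of the account database does not hand an attacker the key needed to decrypt the vault; the PIN wrap likewise stays on the device and is independent of the online account credential.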