Entered master password into email field when logging into web vault

Should I be concerned at all or change my master password after this?

I was logging into the web vault and accidentally pasted my master password into the email field and pressed enter to submit. I got the "Input is not an email address" error and realized what I did. I logged in correctly afterwards but I’m wondering if I should worry.

How much gets sent to Bitwarden during login? I know passwords are encrypted locally before being sent but what about email fields? Any potential third party services that might have info from that source or am I vastly overthinking it?

@Riptide Welcome to the forum!

This scenario was discussed recently in this thread.

The upshot is that the check for a valid email address (which actually only checks whether the entered string contains a @ character) occurs locally in the client app. No data is transmitted to Bitwarden’s servers (or elsewhere on the internet) unless there was an @ character present in the Email Address field when you hit Enter (or clicked Continue).

You might be concerned about copying your master password to the system clipboard, though. Every process running on your computer has access to the clipboard contents at any time, and many popular apps have been caught routinely snooping on users’ clipboard contents. Unless you happen to have malware on your device, any clipboard scraping taking place would most likely be for the purpose of tracking and advertising, but it is possible that some big marketing database now contains a copy of your master password. If that database is ever compromised, and if the data thieves figure out that they are in possession of your master password, you could be in trouble at some point in the future.

2 Likes
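The behaviour described in the answer above, as an added example that is not part of the original posts and is not Bitwarden's source code: a small model of a login form whose only check is "contains an @", with the network layer replaced by an injected function so it is visible what would have left the machine. The function names and sample inputs are assumptions made for illustration.

```javascript
// Model of the first login step (illustrative; not Bitwarden's code).
// The only validation modeled is the one described in the thread:
// the field must contain an "@" before anything reaches the network layer.
function looksLikeEmail(value) {
  return value.includes("@");
}

// `transport` stands in for the HTTP client (hypothetical), so the example
// can record exactly what would have been transmitted.
function submitEmailStep(fieldValue, transport) {
  if (!looksLikeEmail(fieldValue)) {
    // Rejected locally: the transport is never invoked.
    return { sent: false, error: "Input is not an email address" };
  }
  transport({ email: fieldValue });
  return { sent: true, error: null };
}

// Run several inputs through the form and collect what went "on the wire".
function auditSubmissions(inputs) {
  const wire = [];
  const results = inputs.map((v) =>
    submitEmailStep(v, (body) => wire.push(body))
  );
  return { results, wire };
}

// Constructed sample inputs (none are real credentials).
const samples = [
  "correct-horse-battery-staple", // passphrase without "@": stays local
  "user@example.com",             // email address: transmitted
  "Tr0ub4dor@3",                  // password containing "@": passes the check
];

const audit = auditSubmissions(samples);
console.log(audit.results.map((r) => r.sent));
console.log(audit.wire);
```

The third sample is the case to watch for: a pasted password that happens to contain an @ passes this kind of check and is sent in the email field. Against the real client, the same thing can be confirmed by watching the browser's network panel while submitting a string without an @.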

Ah that’s good to know! No @ symbols so I should be fine then.

And I’ll take note of that clipboard tip. This was on Windows if that makes it any better or worse. I didn’t even realize that clipboard snooping was a thing. I guess security > convenience still holds true.

I may change it for peace of mind after taking all that into consideration.

If you do change your master password, take the following precautions:

  • After logging in to the Web app, before taking any other actions, peruse the contents of your vault to ensure that there is nothing obviously amiss (i.e., missing items, or items with “blank” content).

  • Before changing the master password, go to Tools > Export Vault in the Web app, specify the “.json (Encrypted)” file format, and the “Password Protected” export type, then follow the prompts to create a Password Protected backup of your vault contents. This is prudent, because on occasion, the vault can become corrupted during the password change process. If you have a Premium account, it is also recommended that you enter the search string >attachments:* to locate any vault items that have file attachments; download copies of these files if you do not already have backup copies available elsewhere.

  • Generate a random 4-word passphrase to use as your new master password (using Tools > Generator in the Web app, or using a third-party tool like the Little Password Helper).

  • Write the new master password down on a fresh Emergency Sheet, but don’t yet change the password in the Web app.

  • Get your 2FA reset code, and accurately transcribe it onto your Emergency Sheet.

  • On all of your devices, fully log out of all Bitwarden apps and browser extensions (except for the Web app client that you’ve been working in to complete the steps above). It is not sufficient to just lock the app or close it; you must completely log out.

  • Having taken all of the above precautions, go to Settings > Security > Master Password. Enter your old master password, then manually type in your new master password (twice) by transcribing it from your Emergency Sheet. Also, I would recommend changing your master password hint to “See Emergency Sheet”. Click Change master password, and wait for a success message.

2 Likes