I’ve been using BW for a while now, and really love it.
I have been trying to export my data, but (stupidly) have forgotten my updated master password.
I have a device still logged in and operational, and continue to use that.
It seems utterly ridiculous to me that I am unable to export without the Master Password, as I am logged in and able to review/copy all my data already.
Therefore, I would suggest that the Master Password NOT be required for an export IF you are already logged in.
The idea behind needing to type the Master Password to export the vault is to make sure that if someone steals your device with your Vault logged in, they can’t just export your entire vault immediately and access all your passwords.
However, I don’t think having an option would hurt, just have the default set that you need the Master Password to export.
I think you are basically screwed unless you can remember that master password.
Someone from BW can probably tell you how many tries you have to guess your master password, and if it simply locks you for an hour or a day if you exceed the limit for guesses.
Otherwise, you are going to have to import your old data again from whatever source or backup you have.
The good news… I’m confident you will never do this again. You will always save your master passwords, and zip/encrypt that text file with some password you can never forget.
Pedantic explanation: I’m not a dev, but it only seems like you have access to all the data. Everything is encrypted except individual logins for a URL that is in the address window at the time. Your master password is only ever stored in an encrypted state. They might even be using Homomorphic Encryption that allows both your password and the login database to always remain encrypted but still allow the password to be used to decrypt individual logins. Crazy stuff. While they could design the system to allow the download without a password, I doubt they will do it as it defeats the whole purpose of their service’s end-to-end encryption. You are essentially asking for there to be no security.
Thanks for the replies, guys…
I disagree that this ability would be a security risk, as I currently have access to all the data - it just becomes an extremely tedious matter to go through each entry in turn - and really increases my risk, as I’m going to write that data down or store it somewhere that isn’t as secure as the safe.
I believe this is a convenience matter, not a security one.
As a matter of interest, I do have a recent backup (just before I changed my master password) so not a huge inconvenience to start over again - but I can definitely see it being useful one day in the future.
Knowing how many :guesses" I have would be useful too, good point… I have had quite a few cracks at it, and I have not been threatened or locked out yet…
Making this an opt-out feature may be the something everyone can live with.
It might be 1/10000 chance that this might help in some way, but nevertheless I think users MUST be asked for the masterpassword when exporting a vault. The main reason is basically why not…
To repeat myself - the security it adds is very tiny, but it’s undeniably there. And how often do you have to export a vault? The inconvenience this adds is basically non existent. It’s even helpful in a way, which leads me to your case:
Forgetting your master password and asking to remove this feature so you can export your vault instead of writing down everything on paper?? It’s like forgetting the keys to your house and then asking the door manufacturer to stop making doors with locks. You forgot your master password (The only thing you had to remember) and even have a way to retrieve your passwords (some people didn’t), yet you are unhappy how bitwarden does things. No offense (maybe a little)
I do this every week to have a backup that is up to date. However, I do not mind to enter my password every single time.
The issue arose after changing the master password. Perhaps doing this could be combined with the offer to export your data. On the other hand: I do not see the profit in changing the master password; unless of course it was leaked.
I was thinking about asking why he did that, but was like nah
Once you’ve fully restored it, best advice is to save your master password in the vault as well.
I use it for when i log into the web vault.
If you have TOTP/U2P on as well, it will be as safe as it can be inside the vault.
I have a compromise. When you set up a Bitwarden account, there is a note that tells you to save your master password in a secure place.
Just saying. Adding a feature to prevent someone from making an obvious rookie mistake is not a good policy.