Failed login attempts detected

Hello everyone,

apparently I’m being targeted and I’m getting emails of failed login attempts for Bitwarden. Here’s the screenshot with dates:

My question is, the person or bot that is trying to log in, do they know my password or only my email?

I changed my master password earlier when I got this email. I have a very strong password which is random letters, numbers and symbols. I just checked the strength of it and the website says - “It would take a computer about 2 quattuordecillion years to crack your password”. Additionally I have enabled 2FA, where I’m getting generated codes every minute in my Google Authenticator.

I checked whether my email has been in a data breach and the website says - “Pwned in 15 data breaches and found no pastes”. But my personal email address is well protected too, with 2FA security.

Hello,

You probably already know it. When the adversary tries to log in unsuccessfully too many times, BW will rate-limit the logins by throwing in the CAPTCHAs (and sending you the emails). If it was you who caused the CAPTCHA, logging in successfully would clear the CAPTCHA, definitely on your end, but it’s unclear whether BW will stop throwing the CAPTCHA at the other end or not.

The most expedient solution to your account getting attacked would be to use another email address. See 3 Tips for Extra Security with Your Bitwarden Account | Bitwarden Blog . If your email address supports + addressing, like Gmail does (say [email protected] instead of [email protected], with email going to bob@ anyway), you can use this to stop the attack altogether.

You mentioned in another post that you already have a strong password and TOTP 2FA; unless you get phished or get malware on your devices, I don’t think you have anything to worry about, except for the annoying and worrying emails.

BTW, password strength testers may not be good indicators of how strong your passwords really are: it’s either a hit or a miss. The best passwords that everybody will agree on are randomly generated passwords. For the sake of easy memorization, a passphrase may be the best way to go. The “experts” on Reddit recommend a 5+ word (BW diceware list) passphrase, but maybe for kids, 4+ would be OK. Here’s the approximate cost calculator for cracking diceware passphrases: Passphrase Cracking Calculator - Password Bits
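The arithmetic behind that kind of calculator, as an added example (it is not from the thread, from Bitwarden, or from the linked calculator): it derives the bit strength of a diceware passphrase and of a random-character password from the generator's own parameters, which is the one figure a strength tester cannot see, and converts it to a worst-case search time at an assumed guess rate. The 7776-word list size, the 8-symbol count in the generator alphabet and the two guess rates are constructed assumptions for illustration.

```python
import math

# Constructed assumptions for illustration, not figures from the thread.
DICEWARE_WORDS = 7776                 # a standard diceware list has 6^5 words
RANDOM_ALPHABET = 26 + 26 + 10 + 8    # upper, lower, digits and an assumed 8 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of `words` words drawn uniformly at random from the list."""
    return words * math.log2(wordlist_size)


def random_password_bits(length: int, alphabet_size: int = RANDOM_ALPHABET) -> float:
    """Entropy in bits of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def worst_case_years(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given rate; the expected time is half."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(words: int, length: int, guesses_per_second: float) -> dict:
    """Side-by-side figures for a diceware passphrase and a random password."""
    p_bits = passphrase_bits(words)
    r_bits = random_password_bits(length)
    return {
        "passphrase_bits": round(p_bits, 1),
        "password_bits": round(r_bits, 1),
        "passphrase_years": worst_case_years(p_bits, guesses_per_second),
        "password_years": worst_case_years(r_bits, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed rates: an online attack throttled to about 1 guess/s by rate limiting and
    # CAPTCHAs, versus an offline attack on a stolen vault where every guess has to go
    # through the key derivation function (assume 1e5 guesses/s on a GPU rig).
    for label, rate in (("online, rate-limited", 1.0), ("offline, through the KDF", 1e5)):
        f = compare(words=5, length=16, guesses_per_second=rate)
        print(f"{label}: 5-word passphrase {f['passphrase_bits']} bits, "
              f"{f['passphrase_years']:.3g} years; "
              f"16-char password {f['password_bits']} bits, "
              f"{f['password_years']:.3g} years")
```

Under these assumptions a 5-word diceware passphrase is about 65 bits and a 16-character generated password about 98 bits; both sit far beyond what online guessing against a rate-limited login can reach, which is why the failed-login emails are a nuisance rather than a threat to a generated master password. Change the rate and alphabet constants to match your own generator settings and threat model rather than trusting a tester's headline number.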

Hi,
My password is randomly generated from the Bitwarden generator, no passphrase, 16 characters length.

My personal email is Gmail (which I use for Bitwarden), but I have never heard about that +addressing thing…

Okay, seems like I don’t have to worry about it. Thanks.

You shouldn’t have to worry about your vault being breached (given that you have a strong — and presumably unique, not re-used) master password, as well as 2FA.

However, if you get tired of the notification emails, or of the requirement to solve a CAPTCHA to log in to your vault (a requirement enforced by Bitwarden to slow down the brute force attack), then your only option is to change the email address used for logging in to your Bitwarden account. Since you have gmail, you don’t need to actually set up a new email account in order to get a new email address for your Bitwarden vault, you can just use a “plus address” variation of your current email.

Yes, it’s unique. Generated only for Bitwarden from Bitwarden generator and never used anywhere else.

Can you tell me more about that “plus address” thing and how to set it up?

There’s nothing to set up, really. If your email address is [email protected], then go into your Bitwarden Web Vault and change your login username from [email protected] to something like [email protected]. For Gmail accounts, you can also use an alternative form of the domain, and set your Bitwarden login username to [email protected]. You may need to verify your email with Bitwarden after changing what you’re using for your login.

In either case, any email notices that Bitwarden sends to your new username email (be it [email protected] or [email protected]) will get delivered as usual to your Gmail inbox for the [email protected] account.

You’ll need to use your new username email when logging in to Bitwarden, and the hackers will now not even know your username, let alone your master password and 2FA code. Moreover, the notices about failed logins should stop.

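To make the plus-address advice above concrete, here is an added example (not from the thread and not Bitwarden's code) that models the delivery rules Gmail applies, the plus tag stripped, dots in the local part ignored, googlemail.com treated as gmail.com, next to the exact string comparison a login system makes on usernames. The addresses are constructed samples. One caveat the thread does not spell out: a guessable tag such as +bitwarden only helps until someone guesses it, so the example generates a random tag instead.

```python
import secrets

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def gmail_delivery_address(address: str) -> str:
    """Mailbox that Gmail would actually deliver `address` to.

    Rules modelled (documented Gmail behaviour, not Bitwarden code):
      - everything from '+' onward in the local part is a tag and is ignored
      - dots in the local part are ignored
      - googlemail.com is an alias of gmail.com
    Other domains are only lowercased, since most providers do not apply these rules.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_login_username(a: str, b: str) -> bool:
    """Comparison made by a login system that does NOT canonicalise usernames.

    Guesses aimed at bob@gmail.com therefore never reach an account registered as
    bob+<tag>@gmail.com, even though both deliver mail to the same inbox.
    """
    return a.strip().lower() == b.strip().lower()


def make_login_alias(address: str, tag_bytes: int = 6) -> str:
    """Derive a plus-address login name with a random, unguessable tag."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or domain.lower() not in GMAIL_DOMAINS:
        raise ValueError("this model only applies plus-address aliasing to Gmail")
    base = local.split("+", 1)[0]          # drop any existing tag before adding ours
    return f"{base}+{secrets.token_hex(tag_bytes)}@{domain.lower()}"


if __name__ == "__main__":
    base = "bob@gmail.com"                  # constructed sample address
    alias = make_login_alias(base)
    for candidate in (base, "b.o.b@googlemail.com", "bob+bitwarden@gmail.com", alias):
        print(f"{candidate:36s} delivers to {gmail_delivery_address(candidate):14s} "
              f"matches login {alias!r}: {same_login_username(candidate, alias)}")
```

Every candidate in the loop lands in the same Gmail inbox, but only the alias itself matches the alias as a login username, which is the whole effect the thread relies on. The trick depends on the service comparing usernames literally; a service that canonicalises Gmail addresses the way `gmail_delivery_address` does would see no difference, so check behaviour rather than assume it.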

Bumping this, as no one seems to have answered your question. Bitwarden does not indicate where in the login process the attacker failed. I think it would be important for a user to know if an attacker is using the correct password, as this would indicate that your password has been keylogged, screen-capped, phished, or obtained by other means, and is now leaked and being used by the hacker community. This knowledge would help prevent damage to other non-MFA-enabled accounts. I suppose an email from Bitwarden validating successful password use on a failed login attempt could be intercepted somehow and inform the attacker that they indeed have a correct password, and if you use it anywhere else, they may find access to other accounts without MFA, but that is why you should never reuse passwords. Also, if they have access to your email, they can reset the password without knowing it anyway.

@rework3008 Welcome to the forum!

This is not accurate. The notification message from Bitwarden is different if the login failures are due to an incorrect master password or due to an incorrect 2FA. Obviously, if it is the email address that is “incorrect”, then there will be no notification, because there would be no way of knowing which email address is the “correct” version of the incorrectly entered email.

Not if your master password is unique (which it should be).

This is not true when it comes to your Bitwarden account. They could delete your Bitwarden account, but they would not be able to reset the master password.