Full CAPTCHA on Every Login?

Greetings,

Is it normal to be asked to select pictures of vehicles by type for the CAPTCHA for every single login (including in browser extensions)? I don’t run into that often elsewhere with Google’s CAPTCHAs, but I see Bitwarden is using a different system. I am just trying out Bitwarden so far, and it is already getting annoying. I confirmed that there are no browser security extensions installed in the test browser. Anything else to adjust? Or does it just do that every time?

Hi @evermorian, you may be seeing this a lot if you’re trying Bitwarden on different platforms with new devices. You can also check to see if your vault is set to lock, or log out on vault timeout.

Using any privacy or ad-blocking extension that supports domain-level whitelisting (e.g. uBlock Origin) will work as expected: just make sure to whitelist hcaptcha.com.

Captcha is new and annoying. Not a feature.

Require Mfa but eliminate this crap.

…just make sure to whitelist hcaptcha.com.

Blacklist you mean!

Captchas serve only to infuriate your users and, in the context of a password manager, are even more completely and utterly pointless than they are on websites.

The whole point of a password manager is to remove the friction from using secure passwords on websites I visit. I already have a complex master password I can use to login to my Bitwarden account. I don’t need a stinking Captcha thrown at me as well.

So, as a precaution against the possibility of being annoyed by a Captcha on login, I’ve now set my vault to never time out on all my devices. Result: my Bitwarden vaults are now far less secure than they were before you added this pointless Captcha nonsense.

Please remove it!

This hCaptcha is super annoying!
It has basically been implemented badly.
Nothing wrong with a captcha, but one wrong password should not require the captcha to be refreshed; it has been determined by the UI that the person is not a bot (seemingly), and so an incorrect password does not change that fact. A whole page refresh is required…

SUPER ANNOYING!

@NZTechArc Welcome to the forum!

To my knowledge, the hCaptcha requirement is only triggered after 9 consecutive unsuccessful login attempts, and the requirement is removed again after the next successful login. The purpose of the hCaptcha is to rate-limit brute force attacks, so it makes sense that the challenge must be completed for each password attempt. Personally, I have never had to complete an hCaptcha challenge to access my Bitwarden accounts.

Is it possible you have another client configured on another device (maybe rarely used) that has a bogus/old password configured and is routinely trying to login?

Because, similar to @grb’s experience, I never experience the challenge in normal use. I’ve triggered it numerous times accidentally (but understandably) during testing or development, but that’s it.

OK cool, so my experience is because I was trying to remember my password on a new device and not getting it correct. (Eventually I went back to the old device to re-learn my PW, without interruption by hCaptcha; maybe this should be documented in the Forgot PW help section.)

But the reason I got my password wrong was because of this hCaptcha solution:

First attempt, I had a legitimately wrong password; second attempt, I used the correct password.
Now the error message received on the second attempt was not an incorrect UN or PW error message; no, it was a captcha expired error, but it was NOT OBVIOUS! So then I moved on to other PW attempts, not realising my second attempt was actually correct, and now I am off on a wild goose chase.

So if the hCaptcha is required after every attempt, then fine, but allow the user the ability to actually do the hCaptcha.
Currently: PW wrong, hCaptcha still looks fine. Instead, the hCaptcha should be reset after an invalid PW, forcing the user to redo the hCaptcha (instead, it requires a page refresh); the user would then know and be able to retry the PW that never actually failed.

It is 100% badly implemented, the worst implementation of any captcha I have ever seen.

And on top of that, the hCaptcha itself is a SUPER ANNOYING solution for end users: fill out 2 pages of selections.

Also update the docs to advise how hCaptcha works, so that I can read about how to deal with this in the Forgot PW help section.

Come on, this is not rocket science.

Having now spent hours trying to get access because of hCaptcha, I have realised I need a better password hint.

Guess what: I cannot change it without changing my password.

SUPER ANNOYING!

I can do this all day (it feels like I am). I thought PW managers were meant to improve our lives.

You should choose a master password that you can remember (i.e., a passphrase), but also write it down on a securely stored emergency sheet, for those cases when memory fails.

As for the login workflow when Captcha is activated, the best implementation from a security standpoint is to just message “login failed” if either the username, password, 2FA, or Captcha is incorrect. Currently, Bitwarden doesn’t go that far.
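The gating behaviour described in this thread (a challenge required after a run of consecutive failed attempts, lifted again on the next successful login, one solved challenge consumed per password attempt, and a single generic "login failed" message whatever actually failed) as an added illustration in Python. This is not Bitwarden's code and does not describe its server; the threshold of 9 consecutive failures is taken from the post above, while the per-account counter, the single-use captcha tokens and the exact message text are assumptions about how such a gate can be built. The stale-token case at the end reproduces the situation reported in the thread: a token solved before a wrong password cannot be reused with the right one, so the client must fetch a fresh challenge.

```python
"""Captcha-gated login rate limiting (added example, not Bitwarden's code).

Assumptions not taken from the thread: failures are counted per account,
captcha tokens are opaque strings that verify exactly once, and every failure
returns the same generic message.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

CAPTCHA_AFTER_FAILURES = 9       # threshold quoted in the thread; per-account is an assumption
LOGIN_FAILED = "login failed"    # same text whether password, token or account was wrong


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; use a production KDF setting for real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0            # consecutive failed password checks


class CaptchaService:
    """Stand-in for hCaptcha: issues opaque tokens that verify exactly once."""

    def __init__(self) -> None:
        self._unused: Set[str] = set()

    def issue(self) -> str:
        token = secrets.token_hex(16)
        self._unused.add(token)
        return token

    def verify(self, token: Optional[str]) -> bool:
        # Consume the token on verification: one solved challenge buys exactly one
        # password attempt, so the next attempt needs a freshly solved challenge.
        if token in self._unused:
            self._unused.discard(token)
            return True
        return False


class LoginService:
    def __init__(self, captcha: CaptchaService) -> None:
        self.captcha = captcha
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, _hash(password, salt))

    def captcha_required(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.failures >= CAPTCHA_AFTER_FAILURES

    def login(self, email: str, password: str,
              captcha_token: Optional[str] = None) -> Tuple[bool, str]:
        acct = self.accounts.get(email)
        if acct is None:
            _hash(password, bytes(16))   # hash anyway so unknown accounts are not cheaper to probe
            return False, LOGIN_FAILED
        if self.captcha_required(email) and not self.captcha.verify(captcha_token):
            # No password check happened, so the counter is untouched; the caller
            # still only sees the generic message and cannot tell which part failed.
            return False, LOGIN_FAILED
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0            # requirement lifted after the next successful login
            return True, "ok"
        acct.failures += 1
        return False, LOGIN_FAILED


if __name__ == "__main__":
    svc = LoginService(CaptchaService())
    svc.register("user@example.com", "correct horse battery staple")   # constructed sample account
    for _ in range(CAPTCHA_AFTER_FAILURES):
        svc.login("user@example.com", "wrong guess")
    print("captcha required:", svc.captcha_required("user@example.com"))
    token = svc.captcha.issue()
    print(svc.login("user@example.com", "wrong guess", token))        # wrong password, token consumed
    print(svc.login("user@example.com", "correct horse battery staple", token))   # stale token: fails
    print(svc.login("user@example.com", "correct horse battery staple", svc.captcha.issue()))
```

The design choice worth noting is the single-use token: it is what makes "solve the challenge for each password attempt" enforceable on the server rather than in the page, and it is also why a correct password submitted with an already-consumed token fails exactly like a wrong one. A client that wants to avoid the confusion described above has to detect that state and re-render the challenge itself, because the server deliberately does not say which check failed.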

The point has been missed.
People’s memory fails, it is a fact, especially in the early days of having a new PW manager.

And the UX of this implementation is just wrong.
Sure, a “Login failed” message is fine, but open up the hCaptcha so that it can be processed again; currently its status shows verified, yet the next accurate login does fail.

It is broken, plain and simple.

Is this via the web client (i.e. https://vault.bitwarden.com/) or what mixture of clients are you using (e.g. web, desktop, browser extension, Android, iOS, cli, etc.)?

Bitwarden should implement the newer type of captcha where you drag a puzzle piece to its location. The more common type which Bitwarden uses has seen its best days and needs to be retired from the internet. ‘Click on all the stop lights’. Fail. ‘Click on all the buses’ that now randomly refreshes to show new images as you keep on clicking. Fail. ‘Click on all the boats’ as it randomly refreshes new images. Finally Success. Just a ridiculous nuisance.