Hi - I changed my iterations from 100k to 600k on the website and once I did I got logged out of my account and can not log back in on any device. I know what my Master Password is, I had to use it to make the change. Any suggestions?
“On any device” they are not Just “locked” are they?
Make sure in any app or extension to do a full log out.
I am fully logged out and I can not log in to the Web vault either. All of them give me an error saying “An error has occurred” user name or password incorrect, try again. I know both of them seems like something got corrupted and of course I did not backup my vault. Anyway to recover it?
Hi - I changed my iterations from 100k to 600k on the website and once I did I got logged out of my account and can not log back in. I know what my Master Password is, I had to use it to make the change. Any suggestions?
It’s there any chance that you have an incorrect master password? Is it written down anywhere?
Our mind can play tricks on us sometimes.
I am 100% sure of my Master Password, I used it to log in to the Web Based Vault to make the change and also it asked for my password when I made the change. I recently moved over from Last Pass so this is all fresh to me and can not believe it seems like I am locked out of my vault for whatever reason.
There is this known issue:
However, I doubt it applies to your situation.
Hopefully you still have your LastPass export or a recent backup of your Bitwarden vault. I would suggest getting in touch with tech support, in case there is anything they can do to diagnose or fix your problem.
Is at least one of your devices a computer with a modern CPU and adequate RAM? Did you increase the KDF iterations gradually, in increments of 50,000, as recommended on the KDF iterations page?
As noted in this comment on Github, when a login fails due to a “device being unable to cope with their current PBKDF iterations settings”, the error message still just says “Username or password is incorrect”.
Thanks, I changed all of my passwords from Last Pass so that doesn’t help and of course I didn’t download my vault before making the change. I did not increase gradually so this seems to be just a big mistake on my end. I wanted to see if I had any chance of getting this resolved before starting to recover passwords.
The only way I see to contact support them since I am currently a free customer is through their Web Form which I filled out but haven’t heard back. All of my systems are newer with lots of memory so I don’t think that would be an issue… I will try when I get home on my gaming system with a GPU just to see…
This is a total long shot, but if you have the app installed on your phone, try to reinstall the app.
They will get back to you, but premium users get priority support, so it may take a day or so (especially with the recent influx of LastPass users).
I tried that and when I put in my user name and password it seemed like it was going to work, popped up for me to confirm that I am human then gave me the same error but never asked me for my 2FA so I don’t know…
I also tried on a gaming PC that I have with lot of power, same thing…
Sounds like a good plan. I would also suggest trying to log in using different browsers, in case there is some kind of browser limitation that is causing the 600k PBKDF2 iterations to fail.
In addition, keep an eye on this other recent thread, which could be related to your issue:
Finally, I wouldn’t totally discount the possibility that you may not be using the correct username/master password combo.
P.S. If you ever logged in using the Chrome browser extension, please see the advice I gave here. If you find your keyHash
value and you know most of your master password, you may be able to get the rest using brute-force guessing.
I know the hCaptcha is triggered after 9 failed login attempts, but I suppose that doesn’t tell us whether the logins failed because the master password (or username) was wrong, or because the master key hash couldn’t be computed.
Ok so getting the Verify I am a human makes sense as I have tried multiple times on my phone, my PC and now a few other PCs. I’ve tried Chrome & FireFox. i do have my Master Password written down at home, I will double check but it is passphrase that I remember.
Anyway the link you send I don’t see any steps to try and recover. Do you know of any / which browsers might be worth trying.
Also I have the Bitwarden App on my Windows PC that was working fine but now I am getting the same thing from it as well.
If it is important to you to try to get your vault back, I would try any browser you haven’t already tried (Chrome, Firefox, Edge, etc.).
The suggestion in my P.S. was to use Steps 4-6 of the method described in this bug report to see if you are able to find the value of the keyHash
parameter for your cached vault (which you may be able to do if you had ever logged in to Bitwarden using the Chrome browser extension). If you do find this value, I can point you to some other instructions for how to use brute-force guessing to determine what your master password is.
I found the instructions you mentioned, I have Chrome and I am using the extension, I have the logfile and I see lots of info in it.
It would save me a ton of pain to try and recover my vault so anything you can do to help but I do wonder if it is the iterations that is causing this? Would it happen even with the Bitwarden Application on a Windows computer?
Search for keyHash
and save the value somewhere, in case the .log file gets wiped (in fact, save a copy of the entire .log file somewhere safe). Check the kdfIterations
value as well, which presumably will equal 100000
.
Next, go to this page, and use your browser to save the HTML file (source code) of that page. Then use any text editor (e.g., Notepad) to edit Line 481 of the HTML file, changing the third argument of the pbkdf2
function from 1
to 2
, so that it looks like this:
self.masterKeyHash = await pbkdf2(newValue.arr.buffer, self.masterPasswordBuffer, 2, 256)
(note that the second to last number at the end of the expression should read 2
instead of 1
). Save the HTML file, and then open the edited HTML file in any browser that has Javascript enabled. The form should look just like the original web form, but the original web form will not give you the correct values for the purposes required.
On the modified form, enter your email, the kdfIterations
value from the .log file, and your Master Password (the way you remember it). Compare the Master Password Hash that was calculated on the webpage to the value of keyHash
that you copied from the .log file. If they match, then you have entered the correct Master Password. If they don’t match, you can keep guessing until you get a match.
If you are unable to guess your Master Password using the above method, but if it there is only part of the password that you are unsure of, then you can automate the brute-force guessing process using a tool like Hashcat.
I increased KDF from 100k to 600k and then did another big jump. I had never heard of increasing only in increments of 50k until this thread. If that was so important then it should pop up a warning dialog box when you are making a change. That seems like old advice when retail computers and old phones couldn’t handle high KDF.
Do you still have your LastPass export? I can see you have changed your passwords. But, if you have the export, that’s 80% of your recovery. The final, laborious 20% will be resetting your passwords yet again. But, that’s better than starting from scratch.
Signing in from a different device like your gaming computer will be important to rule out hardware issues like keyboards, and then software issues browsers, extensions, etc.
Glad you have written down your master password to reference. I used a complex password for years and then one day it stopped working. I eventually figured out I had forgotten a small portion of it. Odd.
Hope you get back in and trust the first thing you will do is an export of your vault once you’re back up and running.
Good luck!
So here is where I am at… I get home, I disconnect the Network Connection from my main PC, I turn it on and I go in to my Chrome Extension and I say to export my vault and it asks for my Master Password, I use the one I’ve been trying to use and it works and I was able to export my vault. I reconnected my Network Connection and of course I was logged out and I use the same password and it doesn’t work.
I checked the Chrome KeyHash and it is the same as the one at work but as I said I can not log in, get the same error. So now it looks like I have my Vault backed up… It seems like my option now is to delete my vault and start over again since clearly something got messed up in the process?