Help - Changed Iterations and can not log back in?

Hopefully you still have your LastPass export or a recent backup of your Bitwarden vault. I would suggest getting in touch with tech support, in case there is anything they can do to diagnose or fix your problem.

Is at least one of your devices a computer with a modern CPU and adequate RAM? Did you increase the KDF iterations gradually, in increments of 50,000, as recommended on the KDF iterations page?

As noted in this comment on GitHub, when a login fails due to a “device being unable to cope with their current PBKDF iterations settings”, the error message still just says “Username or password is incorrect”.

Thanks, I changed all of my passwords from LastPass so that doesn’t help and of course I didn’t download my vault before making the change. I did not increase gradually so this seems to be just a big mistake on my end. I wanted to see if I had any chance of getting this resolved before starting to recover passwords.

The only way I see to contact support, since I am currently a free customer, is through their Web Form, which I filled out but haven’t heard back. All of my systems are newer with lots of memory so I don’t think that would be an issue… I will try when I get home on my gaming system with a GPU just to see…

This is a total long shot, but if you have the app installed on your phone, try to reinstall the app.

They will get back to you, but premium users get priority support, so it may take a day or so (especially with the recent influx of LastPass users).

I tried that and when I put in my user name and password it seemed like it was going to work, popped up for me to confirm that I am human then gave me the same error but never asked me for my 2FA so I don’t know…

I also tried on a gaming PC that I have with a lot of power, same thing…

Sounds like a good plan. I would also suggest trying to log in using different browsers, in case there is some kind of browser limitation that is causing the 600k PBKDF2 iterations to fail.

In addition, keep an eye on this other recent thread, which could be related to your issue:

 
Finally, I wouldn’t totally discount the possibility that you may not be using the correct username/master password combo.

P.S. If you ever logged in using the Chrome browser extension, please see the advice I gave here. If you find your keyHash value and you know most of your master password, you may be able to get the rest using brute-force guessing.

I know the hCaptcha is triggered after 9 failed login attempts, but I suppose that doesn’t tell us whether the logins failed because the master password (or username) was wrong, or because the master key hash couldn’t be computed.

Ok so getting the Verify I am a human makes sense as I have tried multiple times on my phone, my PC and now a few other PCs. I’ve tried Chrome & Firefox. I do have my Master Password written down at home, I will double check but it is a passphrase that I remember.

Anyway the link you sent I don’t see any steps to try and recover. Do you know of any / which browsers might be worth trying?

Also I have the Bitwarden App on my Windows PC that was working fine but now I am getting the same thing from it as well.

If it is important to you to try to get your vault back, I would try any browser you haven’t already tried (Chrome, Firefox, Edge, etc.).

The suggestion in my P.S. was to use Steps 4-6 of the method described in this bug report to see if you are able to find the value of the keyHash parameter for your cached vault (which you may be able to do if you had ever logged in to Bitwarden using the Chrome browser extension). If you do find this value, I can point you to some other instructions for how to use brute-force guessing to determine what your master password is.

I found the instructions you mentioned, I have Chrome and I am using the extension, I have the logfile and I see lots of info in it.

It would save me a ton of pain to try and recover my vault so anything you can do to help but I do wonder if it is the iterations that is causing this? Would it happen even with the Bitwarden Application on a Windows computer?

Search for keyHash and save the value somewhere, in case the .log file gets wiped (in fact, save a copy of the entire .log file somewhere safe). Check the kdfIterations value as well, which presumably will equal 100000.

Next, go to this page, and use your browser to save the HTML file (source code) of that page. Then use any text editor (e.g., Notepad) to edit Line 481 of the HTML file, changing the third argument of the pbkdf2 function from 1 to 2, so that it looks like this:

self.masterKeyHash = await pbkdf2(newValue.arr.buffer, self.masterPasswordBuffer, 2, 256)

(note that the second to last number at the end of the expression should read 2 instead of 1). Save the HTML file, and then open the edited HTML file in any browser that has JavaScript enabled. The form should look just like the original web form, but the original web form will not give you the correct values for the purposes required.

On the modified form, enter your email, the kdfIterations value from the .log file, and your Master Password (the way you remember it). Compare the Master Password Hash that was calculated on the webpage to the value of keyHash that you copied from the .log file. If they match, then you have entered the correct Master Password. If they don’t match, you can keep guessing until you get a match.

If you are unable to guess your Master Password using the above method, but if there is only part of the password that you are unsure of, then you can automate the brute-force guessing process using a tool like Hashcat.
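
The comparison described in the steps above, as an added example that is not part of the original post and is not Bitwarden's code: it derives the master key with PBKDF2-SHA256, computes the 2-iteration local hash from the edited line, and checks a few remembered spellings against the keyHash from the .log file. The sample email, passphrases and hash are constructed; the trimmed, lower-cased email salt and the Base64 encoding of keyHash are assumptions.

```python
import base64
import hashlib
import hmac


def master_key(email: str, password: str, kdf_iterations: int) -> bytes:
    # Assumption: the salt is the account email, trimmed and lower-cased.
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               kdf_iterations, dklen=32)


def local_key_hash(email: str, password: str, kdf_iterations: int) -> str:
    # Mirrors the edited line: pbkdf2(masterKey, masterPassword, 2, 256),
    # i.e. the master key is the PBKDF2 input and the password is the salt.
    key = master_key(email, password, kdf_iterations)
    digest = hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 2, dklen=32)
    # Assumption: keyHash in the .log file is this digest, Base64-encoded.
    return base64.b64encode(digest).decode("ascii")


def find_matching_spelling(email, kdf_iterations, logged_key_hash, candidates):
    """Return the first candidate whose local hash equals the logged keyHash."""
    target = logged_key_hash.strip().encode("utf-8")
    for candidate in candidates:
        computed = local_key_hash(email, candidate, kdf_iterations).encode("ascii")
        if hmac.compare_digest(computed, target):
            return candidate
    return None


# Constructed sample data; replace with the email, kdfIterations and keyHash
# taken from your own .log file. Runs offline, so the passphrase stays local.
SAMPLE_EMAIL = "User@Example.com "
SAMPLE_ITERATIONS = 100000
SAMPLE_KEY_HASH = local_key_hash("user@example.com", "correct horse battery staple",
                                 SAMPLE_ITERATIONS)  # stands in for the logged value
SAMPLE_CANDIDATES = [
    "Correct horse battery staple",
    "correct horse battery staple ",
    "correct horse battery staple",
]

if __name__ == "__main__":
    match = find_matching_spelling(SAMPLE_EMAIL, SAMPLE_ITERATIONS,
                                   SAMPLE_KEY_HASH, SAMPLE_CANDIDATES)
    print("match:", repr(match))
```

A match only confirms the passphrase against the locally cached hash at the logged kdfIterations value; it says nothing about what the server currently expects.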

I increased KDF from 100k to 600k and then did another big jump. I had never heard of increasing only in increments of 50k until this thread. If that was so important then it should pop up a warning dialog box when you are making a change. That seems like old advice when retail computers and old phones couldn’t handle high KDF.

Do you still have your LastPass export? I can see you have changed your passwords. But, if you have the export, that’s 80% of your recovery. The final, laborious 20% will be resetting your passwords yet again. But, that’s better than starting from scratch.

Signing in from a different device like your gaming computer will be important to rule out hardware issues like keyboards, and then software issues like browsers, extensions, etc.

Glad you have written down your master password to reference. I used a complex password for years and then one day it stopped working. I eventually figured out I had forgotten a small portion of it. Odd.

Hope you get back in and trust the first thing you will do is an export of your vault once you’re back up and running.

Good luck!

So here is where I am at… I get home, I disconnect the Network Connection from my main PC, I turn it on and I go in to my Chrome Extension and I say to export my vault and it asks for my Master Password, I use the one I’ve been trying to use and it works and I was able to export my vault. I reconnected my Network Connection and of course I was logged out and I use the same password and it doesn’t work.

I checked the Chrome KeyHash and it is the same as the one at work but as I said I can not log in, get the same error. So now it looks like I have my Vault backed up… It seems like my option now is to delete my vault and start over again since clearly something got messed up in the process?

Great to hear! Did you export the csv file or encrypted json? If json, did you do it via master password (linked to only your BW account and your current encryption key) or via setting a new personal password (not key or account dependent)? Would suggest to do this via csv (if you have a secure computer) or via the encrypted personal password so you can pick a new password for the export and it’s not dependent on your current account in any way. Slightly safer.

Unless you are in a great hurry, I might still suggest waiting until you get a response from Tech Support (perhaps @bw-admin can escalate your case?).

Export/import is not entirely lossless, so it would be better to fix the issue if one can be found on the back end. In addition, there is at least one other user who might benefit if the root cause of this issue can be found. If you do decide to pursue this with Tech Support, it would be a good idea to refer them to this thread.

What type of export did you create? You should choose a password-protected encrypted JSON for best results (not account-restricted JSON, and not CSV).

I haven’t heard back from Support yet and can wait for a response and would love to know what the heck happened especially seeing that my KeyHash is the same in the logs and I am / was using the Passphrase that I knew was the right one.

I did a CSV and a JSON but not a protected one for the exports. This is better than nothing for sure. I feel a little better but NOT happy that this happened and would love to know what the heck did happen. I don’t like backing up my vault but I guess I will have to from now on.

Routinely backing up your vault is considered a best practice. There are various approaches to this, and some can be implemented with relatively little friction.

Good to hear you will give support a chance; I would be interested to hear if there is a resolution. Did you get an automated response when you submitted the contact form?

I did get an automated response from support but as mentioned no response since. I will update and refer to this post as well. If I don’t hear back by tomorrow I will probably move on. I would be interested in the way you mention backing up the vault. If you can point me to that I would appreciate it.

This should help you with backups:

Thanks for your patience, one of the team is reviewing and will follow up.
