Help - Changed Iterations and can not log back in?

My question is really for future reference. Since I have a backup being done daily on both my work and home PC that I can roll back versions of files, I was wondering if this would be a good “backup” solution just in case something happens again down the road. I have the app on my home PC, but since I had to import my Last Pass Vault from the Web and got the Chrome Extension I haven’t really used the app at all, so if there was a way to pull it out of the extension that would be ideal; otherwise I will have to make backups of the Vault manually or at least log in to the app occasionally.

I was able to export my vault as mentioned but it seems like being able to get the secure version of the file gives more info such as dates?

Finally, yes, I followed the directions provided. I could only get the Hash generator to work on Firefox; Chrome wouldn’t do anything with it. I did change that value from “1” to “2” and confirmed that it saved properly. Putting in my Known Master that worked on my home system (before reconnecting to the Internet) did not give me the same hash that I have in both log files from my Work and Home PCs and worked on my home one before reconnecting back to the Internet.

I am not Self-Hosting BW, I am using the Cloud Based version, I have the App on my main home desktop, my Cell Phone and use the Chrome Extension at home and on my personal PC at work (not a work owned device).

I don’t think the backups from Synology ABB will cover you since you’re not the one hosting the data, Synology is. There wouldn’t be a copy of your vault in the local browser program folder. And even if you were to revert anything, you would just be reverting the local computer. The changes made to Bitwarden are server side since it’s hosted by them.

**with regard to having a backup copy of your vault

Ok but isn’t there a local copy of the Vault even with the Browser Plugin? Seems like you can access things even if you are offline? So I was wondering / thinking if that is backed up there could be a way to revert back if something got hosed like happened to me.

@BostonPete Did you read my response above? Did you try my suggestion?

Sorry I missed part of your response and I just tried it and guess what it worked!!!

This is what I did…

  1. I went to my restore portal, I downloaded all of the files from the “nngceckbapebfimnlniiiahkandclblb” folder.
  2. Disabled my network connection
  3. Closed Chrome
  4. Went to the nngceckbapebfimnlniiiahkandclblb folder and created an “Old” folder
  5. Moved all of the files out of the folder and into the newly created Old folder
  6. Copied the files from my backup from Saturday to the nngceckbapebfimnlniiiahkandclblb folder

Fired up Chrome and the Extension Showed the lock on it, I was able to log in using my Master Password and there was everything… I was able again to export my Vault.

Step #4 was important, I didn’t do this the first try and it didn’t work so moved all of the files out and tried again and it did work!!!

Also worth noting is that the backup I had of that folder had a total of 10 files in it; since the issues there are only 8 files.

So once again I verified that I 100% know my Master Password and it no longer works accessing the Web Vault, and the only change I made was to the Iterations.

2 Likes

Thanks for the update, and I’m glad you were able to access your backed up data.

In addition, you have verified that you remember your master password as it existed on Saturday before you made the changes to your account settings. This could be important for aiding with the diagnosis of the problem — I hope you will give this troubleshooting process a little more time, even though you have recovered your data, since it could potentially help others (and it could help Bitwarden discover an esoteric bug in their codebase).

I have an important question that you didn’t answer yet: you said above that the “Master Password Hash” value computed by the cryptography code did not match the keyHash values found in your .log files. Could you please confirm that you did edit Line 481 of the HTML code as instructed before trying this? In fact, the easiest way to confirm that this was done correctly would be to open your modified HTML file (assuming you did edit it) and check that the initial value of the Master Password Hash is xeEM0qT2Ggke5xqd7P1qSitei7O4SE2l5UrKreMw9vk= (for the default inputs of [email protected], password123, and 100000 iterations); if the initial Master Password Hash is k0RkDBmMolfrjoHHCPODs93Fgk+v+AzDCsnxVemZiUA=, then the required modification of the HTML file was not done (or not saved), and if the hash is anything else, then the modification was done incorrectly. Note: Make sure you are looking at the “Master Password Hash” (the second result on the cryptography form), not the “Master Key” (first result shown).

After we make sure that you are able to reproduce your stored keyHash value, I will give you instructions for how to give Bitwarden tech support a piece of information that will allow them to determine (with “zero knowledge”) if the master password stored on their servers is different from the master password that was working until Saturday.

1 Like

EDIT -

Disregard for now… This doesn’t seem to be working on this computer. It isn’t changing anything when I change any of the values like it was the other day.

Hi - I did make the modification of the line 481, the only change I am making is the 1 to a 2 correct?
Can you confirm what I am supposed to see once I make the modification as what you have above isn’t clear to me… If I am getting the hash below this means I did the modification correctly or incorrectly? This is what I am seeing using the defaults on the page with 100k iterations (also default).

k0RkDBmMolfrjoHHCPODs93Fgk+v+AzDCsnxVemZiUA=

The hash shown at the bottom of your post indicated that your edit didn’t take, for some reason (this is the hash value that you get when the final iteration value is 1 instead of 2).

Yes. At the end of line 481, you should (originally) see “…1, 256)”. This must be modified to read “…2, 256)”.

When you have opened the modified HTML file in a browser, it may be a good idea to examine the source code of the page (e.g., using Ctrl+U in Chrome) to confirm that the change that you had made on Line 481 is still there. Then check that the “Master Password Hash” value is xeEM0qT2Ggke5xqd7P1qSitei7O4SE2l5UrKreMw9vk= (before you enter anything in the input fields of the form). If all of this checks out, then enter the number of kdfIterations from your log file, as well as your email and master password.

In any case, all of the above is just to make sure that everything makes sense, given your previous statement that the “Master Password Hash” didn’t match your stored keyHash (which doesn’t make sense). However, if dealing with the above is too much trouble, we can just skip this, and make the (now pretty safe) assumption that you have an accurate value of the master password as it existed on Saturday.

What I would like you to do is to go back to Bitwarden’s Interactive Cryptography Tool (the original one, not the one that you modified), and type in the number of kdfIterations from your log file, as well as your email and master password. Then record the resulting value of the “Master Password Hash” (if entering your master password on a website that is not the web vault login feels sketchy to you — I wouldn’t blame you — then just save the HTML file on your computer, do not modify it, and open it in a browser after disconnecting the internet). Repeat the above after setting the “Client PBKDF2 Iterations” value to whatever the new value was that you had attempted to set on Saturday; record the second “Master Password Hash” value as well.

Please send the two resulting Master Password Hash values to the tech support representative, and ask them whether they can check if your stored master password hash (in the database) matches either of these two values (after they apply the server-side hashing). @bw-admin - do you think they can do this for debugging purposes? Even if tech support is unable to disclose what the outcome was, performing this check could reveal whether there is a bug in the code (e.g., if one of the two hashes produces a match with what is stored in the database, then you’ll know that @BostonPete’s login credentials did not change, and that he should not get an error when logging in).
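The hash check described in the posts above, as an added example that is not part of the thread and is not Bitwarden's code: PBKDF2-SHA256 stretches the master password with the email as salt, and a second PBKDF2 pass with a final iteration count of 1 or 2 gives the "Master Password Hash" or the locally stored keyHash. The email normalization, the function names and the sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac


def master_key(email: str, password: str, kdf_iterations: int) -> bytes:
    # Assumption: the salt is the login email, trimmed and lowercased.
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               kdf_iterations, dklen=32)


def master_password_hash(email: str, password: str, kdf_iterations: int,
                         final_iterations: int = 1) -> str:
    """final_iterations=1 is the value the unmodified tool displays; 2 is the
    value the thread compares against the keyHash in the .log files."""
    key = master_key(email, password, kdf_iterations)
    digest = hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"),
                                 final_iterations, dklen=32)
    return base64.b64encode(digest).decode("ascii")


def find_matching_parameters(email, password, stored_hash, candidate_iterations):
    """Return every (kdf_iterations, final_iterations) pair that reproduces
    stored_hash. An empty list means the email or password differs from the
    one the hash was derived from, or the iteration count is not a candidate."""
    matches = []
    for kdf_iterations in candidate_iterations:
        for final_iterations in (1, 2):
            candidate = master_password_hash(email, password, kdf_iterations,
                                             final_iterations)
            # Constant-time comparison of the two base64 strings.
            if hmac.compare_digest(candidate, stored_hash):
                matches.append((kdf_iterations, final_iterations))
    return matches


# Constructed sample values, not taken from the thread.
SAMPLE_EMAIL = "Alice@Example.test"
SAMPLE_PASSWORD = "constructed-sample-passphrase-7"
OLD_ITERATIONS, NEW_ITERATIONS = 100_000, 600_000

if __name__ == "__main__":
    # Stand-in for a keyHash copied out of the extension's .log file.
    stored = master_password_hash(SAMPLE_EMAIL, SAMPLE_PASSWORD, OLD_ITERATIONS, 2)
    print(find_matching_parameters(SAMPLE_EMAIL, SAMPLE_PASSWORD, stored,
                                   [OLD_ITERATIONS, NEW_ITERATIONS]))
```

Because it uses only the Python standard library, it can be run with the network disconnected, which avoids depending on a saved copy of the HTML tool.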

Hi - I can not for the life of me get the downloaded web page to run on my PC at home, it works on the page online, I download it from both Chrome and Firefox and it will not show any changes to any of the values for whatever reason. I thought I got it working at work and will double check when I go in this afternoon.

Also Support responded to my inquiry on Sunday morning at 09:24am EST, I replied back with the info they asked for at 10:18am and haven’t heard anything since then.

I am more than willing to help as it seems like others are having the same or similar issues but I will need to get a vault up and running soon as I can not wait many more days without having easy access to my passwords. I know I could create a new account with a new e-mail but don’t want to do that at this point.

That said once I delete my Vault I assume I just create a new one using whatever Master Password I want?

1 Like

If you’re not too concerned about typing in your current master password into the online version of Bitwarden’s interactive cryptography tool, then I would suggest that you just use the online form with your real login email and master password, and copy down the value of the “Master Password Hash” that you get both for the old number of KDF iterations and the new number of KDF iterations.

As I had proposed above, please send those two hash values to Bitwarden’s tech support, and ask them to validate these against the hash stored in their database for your account (they would have to run the server-side iterations first, but I assume they will be aware of that). Let them know that you plan to delete your account in the near future, so that they are aware that there is a short time window available in which to check the hash values. I’m still hoping to get some word from @bw-admin that tech support will play along. It may be a good idea to give them a direct link to my response here (https://community.bitwarden.com/t/help-changed-iterations-and-can-not-log-back-in/49958/51).

 

Yes. And go easy on those KDF iterations. :wink: You will get more protection by simply adding a single-digit number to your passphrase (if you randomly select which word to append the number to, and randomly select the number).

Thanks @grb I’ll check in with the team.

1 Like

Can you send an email to the support team and include a link to your comment here as a reference?

I’ve already done that and just did it again maybe 30 minutes ago asking for an update and providing the link to this thread as I haven’t heard back since their initial response on Sunday morning.

Thank you

Did you provide them with the two hash values?

Yes

I got the following reply back from Troy a little while ago…

This is Troy from Bitwarden’s support team. I just wanted to let you know that we are actively investigating the situation and I expect to have more information soon. In the meantime, I am currently reviewing the information you have shared with us over email and in the community forum post, as well as internal discussions between my colleagues regarding the matter. I will update you as soon as I have more information.

Can I change my e-mail address after I create a new vault? I really didn’t want to do this but might since it does seem like there is some kind of an issue.

Yes, actually, that is no problem. There is a “Change Email” form in the middle of the “My Account” Page under Account Settings in the Web Vault.

That’s a good idea, that way you can keep your old account open for a bit longer to help with the troubleshooting, while setting up a new account initially under a different email.

1 Like

This is more than likely what I am going to do for now. Someone from Engineering just reached out to me and asked me not to delete the vault while they try and troubleshoot this.

Thank you to all for all of the advice, I hope that my pain helps figure out what happened. I will keep you posted if / when I hear anything else.

3 Likes

4 posts were merged into an existing topic: Master pass stopped working after increasing KDF

What is the best method to import a vault? I have all 3 of the possible files, I have the CSV, JSON and Password Protected JSON. Does one give you more than the others?