How many tries do I have?

Hi,

I forgot my password for one of my older BW accounts. I’m… pretty sure I know the combination of words I used to create it, but I don’t remember the capitalization, separator, etc. And I didn’t write them down and I can’t find the one-time codes.

So I was wondering how many times I can try to guess my password before the account is locked.

I crreated a Python program that generated all the combinations of what Ithink it could be and ther are over 1000 of them. So I was thinkng of writing a program that tries the passwords once per minute and let that run.

But 1) I’m not sure that’s kosher, so I might have to do in manually. Ugh. and 2) I don’t know how many tries it’ll take. I would probably try the ones I think are most probable first and if they don’t work, then I’d create the automated password thing if I’m allowed.

I’d rather do that than recreate my account, but if that’s the only way…

L

Your method will be indistinguishable from a hacker trying dictionary/brute-force attacks on an account.

After too many tries, BW will throw really ugly (aesthetically) CAPTCHAs at you, and after that, they will start IP-blocking you.

If you have a backup, that might be a better way to get the info back.

Yeah, I kinda expected that which is why I checked first.

Hmmm, I’ll check for a backup but don’t I still have the problem of being able to login to the BW server?

L

If you have a plaintext backup, you can delete the old account without a password and recreate another account with the same email importing the backup.

If you have an non-account-restricted encrypted backup, you will need to know the backup password.

I am not sure about account-restricted encrypted backup; you may not be able to recreate an account.

An account-restricted encrypted json export will be useless after the account is deleted. Even if you create a new account with the same email afterwards.

It will also be useless if the account is not deleted but the master password is changed rotating the account encryption key:

change-mp1074×1052 102 KB

This is due to the way Bitwarden encrypts the vault:

When an account is created, the account encryption key is randomly generated and used to encrypt the vault.

This account encryption key is then encrypted with a key derived from the master password. This becomes the protected account encryption key (aka. the protected symmetric key). Which is stored in the vault (in Bitwarden servers and in logged-in clients vault copies).

The account encryption key is not included at all in account-restricted encrypted exports, so the only way to decrypt them is by having the protected account encryption key in your vault (which you won’t if you deleted the account, or rotated that key after saving those account-restricted encrypted exports).

Btw, I found a bug importing an account-restricted encrypted export: passkeys are not imported (one more reason to avoid this kind of exports).