How To: Master Password Problems and Best Practices

Problems with master passwords frequently arise here in the forums, so I thought I would try to collate all the advice I have learned from the community about what to do if your Bitwarden password isn’t working, along with some best practices.

Quick Background

The master password to your Bitwarden account is required in the cryptographic process that generates the key to encrypt and decrypt your vault. Bitwarden never saves a copy of your master password, for security reasons, so they can’t even access it if you wanted them to.

This leads to two issues:

  • If you have lost your password, you can’t ask to have it reset – you are now locked out.
  • Even if you have a device that’s currently logged in to your account (e.g., you unlocked Bitwarden on your phone with a fingerprint), you can’t export your vault contents without the master password.

My Master Password Doesn’t Work!

If you believe you remember your password, but it is not working, try typing it into a text editor so you can see each character and make sure it is perfect (capitals matter, and every character must be exact).

  • Compare against a copy you wrote down or saved digitally when you created it, as recommended (if you did that).
  • If it seems right, paste it into your Bitwarden login (don’t type it again).

If that didn’t work, here are some possible solutions to get you logged in again:

  • Ensure that you are logging in to your account with the correct email address – the correct password is not going to work if you enter the wrong email at login!
  • Use a private/incognito browser session to try logging into the Bitwarden web vault at https://vault.bitwarden.com
    • If this works, but other methods did not, something may be corrupted in your device’s local Bitwarden profile. You can try resetting it by uninstalling Bitwarden, rebooting the device, and reinstalling again.
  • Change your keyboard – some international keyboards may present different characters from what you would expect, and this applies to both physical and virtual (e.g., iPhone) keyboards.
  • Try a different device – smartphones are especially notorious for ‘auto-correcting’ what you type, particularly things like replacing straight-quotes with curly-quotes (i.e., “smart-quotes”).
  • Type out all plausible combinations of your password in a text editor and copy-and-paste them in one at a time.
    • Common problems include easily mistakable characters, like a capital ‘O’ and a zero character, or a one (1) character vs. a lower-case L (l) or upper-case ‘I’ character.
    • Straight quotes (double, single) vs. curly/smart-quotes or back quotes are another common issue, as are confusion with the apostrophe vs. back-quote characters.
    • Watch out for leading or trailing spaces – they are hard to spot and cause all kinds of confusion if they are saved within your password.
  • If you have designated an emergency access contact, ask them to take over your vault so you can change the password and regain entry.
  • If you previously exported an unencrypted backup (or a password-encrypted backup using the Bitwarden CLI), you might consider deleting your account and restoring from the backup file.
    • Best to create a new, temporary Bitwarden account first to be sure you can import the information
    • Note that Bitwarden JSON-file backups capture more information than CSV-file backups; however, even JSON backup files do not contain file attachments, items in your Trash folder, or your password histories, so you will lose those.
  • If none of these suggestions have worked, you may want to investigate the possibility that someone has found a way into your Bitwarden account and locked you out - you will have received email notifications from Bitwarden if anyone logged into your account from an untrusted device. See more details below.

Suggested Best Practices:

Here are my suggestions for master passwords:

  • Create a unique and strong (i.e., at least 13 characters long and unguessable) password for your vault – it should be memorable, however, so you might consider a passphrase instead of a password if that helps.
    • You can lock your vault after logging in with your password to secure it, especially if you want to avoid frequently typing your long master password. Unlock options include a device-specific PIN code or biometrics (e.g., fingerprint, FaceID), which are convenient.
  • Create a master password that does not contain easily confused characters, like capital ‘O’ vs a zero (0) character. Also avoid spaces or any special characters that do not appear in the Bitwarden password generator.
  • If you haven’t done so already, write/print out your master password on a piece of paper and hide it somewhere secure (e.g., a safe, someplace nobody would think to look, etc.).
    • Test the password you saved to ENSURE you wrote/printed it out correctly!
    • Create a password hint that only you will understand which gives you an obvious clue about where to find the password you stored in a hidden place.
  • Alternatively, you could store the password digitally on a USB flash drive and store that somewhere secure, like a safe or security deposit box. You could also encrypt it somewhere, such as within an encrypted volume or on an encrypted flash drive, but you have to be sure not to forget the PIN/password (storing it in Bitwarden won’t help if you get locked out!).
  • Enable two-step login (a.k.a. two-factor authentication, 2FA, multi-factor authentication, MFA, etc.) to protect your vault - a somewhat different topic but covered well here, with some more tips from me here.
  • Set up emergency access for someone you trust (or even yourself, I suppose) so that they have the privilege to take over your account if something goes wrong.
  • Frequently back up your account using the Export feature in Bitwarden.
    • Note: If you have lost your master password and are locked out of your Bitwarden account, you will not be able to restore an encrypted Bitwarden export file. So, you are forced to restore from an unencrypted export. This is the type of backup file you should generate with the Export tool.
    • Save unencrypted backups to a secure location, such as an encrypted removable drive (e.g., a BitLocker encrypted removable drive on Windows) or an encrypted volume (e.g., a VeraCrypt volume or an encrypted disk image (.dmg) file if on MacOS).
      • If you are managing organizational vaults, remember that you have to back up your personal vault and your organizational vaults separately!
      • If you have attachments saved in your account, you must download those manually – they don’t get exported into the JSON file.
        • You can easily locate all your vault items with attachments in Bitwarden by entering the following search expression: >attachments:* (note the leading > character, which is necessary).

If anyone has some additional tips to add, corrections, or additional links, please respond to this thread and I will incorporate them into the guidance above. Thanks!

3 Likes

Like you I have seen this question (password doesn’t work) a lot. It’s great that you took the time to formulate a comprehensive response.

I would suggest logging in to the email associated with the account (assuming you can get access to that email) in order to see if there are any unexpected logins from a new device (which might be an indication of malicious account takeover). I realize that account takeover is probably a much less common scenario than the others (and mentioning the scenario could induce a degree of unnecessary panic in some cases), but perhaps it could be at the end of the list.

Edit - I recall there can be more than one email associated with an account, but I don’t remember all the details. Maybe it’s only an option to use a different email if you are using email as a 2FA option.

Edit 2 - It may be that a bad guy who gains control of your account would avoid changing your password in order to minimize the potential of tipping you off to the breach. But on the other hand, he may change your password to lock you out in order to make it harder for you to gain back control of things from him.

Thanks for this @bw-tinkerer - I wasn’t really thinking about this scenario, so I am glad you brought it up. Given that you are the first to respond and your message is right below my list for everyone to see, I think this is a perfect place to mention the possibility of an account takeover and lockout. I’ll add a link to this above. Cheers!

If you have a local copy of your vault, and if you remember some information about your master password (or if your master password was weak), then you may be able to use brute force to recover your password based on hashes that can be recovered from the vault.

There is an old Reddit post that explains how to do it. If using the keyHash value as done in that post, please note that the number of iterations in the final PBKDF2-HMAC-SHA256 hashing must be changed from 1 to 2 due to a recent modification of the hashing process used for the Master Key Hash stored in local vaults. For those so inclined, there are even cracking tools from HashCat to facilitate brute-forcing of Bitwarden master password.

1 Like

Hello,

My password and hint are lost. Can I recover my account?

Thank you

Hello

Unfortunately not, due to Bitwarden’s Zero Knowledge encryption there is no way to grab that data without the decryption key which is derived from your master password.

If you have a premium account you may have set up emergency access with a trusted person. Do you know if you have done this? If so you’ll be able to ask them to recover your account and once the time has elapsed you can get it back.

If you have neither your password nor an emergency access contact, then you are able to recover your account but not the content within, so as long as you have a backup you’ll easily be able to re-import those passwords.

Sorry to be the bearer of bad news.

1 Like

Your hint can’t really be “lost”. As long as you know your account email, you can request the hint to be emailed to you.

1 Like

I assume Lahiru means they don’t know the answer to the hint rather than not being able to retrieve it.

1 Like

Possible, just making sure we cover all the bases. :slightly_smiling_face:

1 Like

I didn’t create a hint, brother. Sorry, it’s not lost. I’m really stressed now. I have a Google email account.

Please help :sleepy:

Have you checked all of your devices to see if there may be one where there is a Bitwarden app (mobile, desktop, or browser extension) that is still logged in to your account? Before checking (i.e., before opening any of the Bitwarden client apps), ensure that you have disabled internet access for the device (because if you have an old login session, Bitwarden may automatically log you out).

If you find something, then if the client is also unlocked (or unlockable by biometrics, etc.), you can at least start to copy your login items. If you have a client that is logged in but locked, then there is a very small chance that you may be able to break into (crack) your vault and recover your data that way.

2 Likes

Unfortunately there is nothing that can be done. If you have a backup then you can import it into a recovered account.

One of the advantages and disadvantages of Bitwarden is that it is Zero Knowledge, meaning only you have the ability to unlock that data, but if you forget your password the key can’t be generated to decrypt your vault.

If you need the ability to recover your vault in case you forget your password, then Bitwarden may not be the product for you, as Bitwarden prioritises security over convenience.

1 Like

No, brother. I have Bitwarden, Norton Password Manager, and SafeInCloud, but I can’t recover all of them, dude.

Good point, hadn’t thought of that.

1 Like

All already lost. Can’t recover.

I’m very sorry, but then you have no recourse other than to start over.

1 Like

Bitwarden stopped accepting the Master Password I had used for years. Since then, I’ve been unable to login to the Vault on most of my browsers. Fortunately, on Edge I had set the Vault Timeout to ‘Never’. I should add that I’m working on a big desktop computer that no one else uses, that’s why I’m comfortable setting the Timeout to ‘Never’.
Is there any easy way to get my Logins transferred to Bitwarden on my other browsers? The idea of doing it manually one-by-one is pretty daunting!
Any help you can offer would be appreciated.
Larry

I have never heard of this happening before, so I believe it is much more likely that some sort of error is involved with entering the password. Sometimes this is due to user error not remembering a capital letter or missing a punctuation character, or sometimes it can occur if you are using a different keyboard (physical or virtual), especially when international or other special characters are involved.

Unfortunately, if you don’t remember your password, there is no way to export your vault. Your only option is to copy and paste each item manually.

1 Like

I’m not an expert, but two things come to my mind: account hijacking and user error.

To check on account hijacking, review your email to see if there are any emails from Bitwarden about a new device logging in recently.

To check for user error, try typing your master password into a notepad document without looking (use your muscle memory). Then look closely at it. Does anything look unusual / out of place? It could be upper vs lower case. Non-standard characters (like ä) can also be problematic since minor changes in your system software / hardware might affect the way they are interpreted.

If you don’t figure out what happened, personally I would think about changing your account credentials on critical accounts after you save whatever it is you need to save (in case your bitwarden account was somehow hacked).
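Both the checklist in the original post (capital O vs zero, one vs lower-case L vs capital I, straight vs curly quotes, leading or trailing spaces) and this reply's suggestion to type the password into a notepad and look at it closely come down to inspecting the string character by character. The script below is an added example, not code from this thread or from Bitwarden; it uses only the Python standard library, and the sample password in its demo is a constructed one. It reports each character's code point and Unicode name, flags the confusions the posts describe (plus the NFC/NFD issue behind characters like ä, which this reply mentions), and produces the most likely plain-ASCII form to paste into the login form.

```python
import unicodedata

# Groups of characters the thread reports as commonly confused when a
# master password is read back from paper or typed on a different keyboard.
CONFUSABLE_GROUPS = [
    {"O", "0"},                       # capital O vs zero
    {"1", "l", "I"},                  # one vs lower-case L vs capital I
    {"'", "\u2018", "\u2019", "`"},   # apostrophe, curly single quotes, backquote
    {'"', "\u201c", "\u201d"},        # straight vs curly double quotes
]

# Typographic characters that smartphone auto-correct tends to substitute,
# mapped back to the plain ASCII character the user most likely intended.
SMART_TO_PLAIN = {
    "\u2018": "'", "\u2019": "'",     # left/right single quotation mark
    "\u201c": '"', "\u201d": '"',     # left/right double quotation mark
    "\u00a0": " ",                    # no-break space
    "\u2013": "-", "\u2014": "-",     # en dash / em dash
}


def describe_chars(password):
    """One (index, char, code point, Unicode name) tuple per character, so a
    password pasted from a text editor can be read back unambiguously."""
    return [(i, c, f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for i, c in enumerate(password)]


def inspect_password(password):
    """Return a list of findings about characters that are easy to mistype or
    misread. An empty list means nothing in the string looks suspicious."""
    findings = []
    if password != password.strip():
        findings.append("leading or trailing whitespace present")
    for i, c in enumerate(password):
        cp = ord(c)
        if c in SMART_TO_PLAIN:
            findings.append(f"pos {i}: typographic character "
                            f"{unicodedata.name(c)} (U+{cp:04X})")
        elif cp > 0x7F:
            findings.append(f"pos {i}: non-ASCII character "
                            f"{unicodedata.name(c, '<unnamed>')} (U+{cp:04X})")
        elif unicodedata.category(c).startswith("C"):
            findings.append(f"pos {i}: control character U+{cp:04X}")
        for group in CONFUSABLE_GROUPS:
            if c in group:
                others = sorted(group - {c})
                findings.append(f"pos {i}: '{c}' is easily confused with {others}")
                break
    # The same visible string can be two different code-point sequences
    # ('ä' as one code point, or 'a' plus a combining diaeresis). A keyboard
    # or OS change can switch between them, and the derived key will differ.
    if unicodedata.normalize("NFC", password) != unicodedata.normalize("NFD", password):
        findings.append("contains characters with multiple Unicode forms (NFC != NFD)")
    return findings


def normalize_password(password):
    """Most likely intended plain-ASCII form: smart quotes/dashes/NBSP replaced
    and surrounding whitespace stripped. Try this form before retyping."""
    return "".join(SMART_TO_PLAIN.get(c, c) for c in password).strip()


if __name__ == "__main__":
    # Constructed sample, as a smartphone might have auto-corrected it:
    # a curly apostrophe instead of a straight one, plus a trailing space.
    sample = "Tr0ub4dor\u2019s-3 "
    for entry in describe_chars(sample):
        print(*entry)
    for finding in inspect_password(sample):
        print("!", finding)
    print("try instead:", repr(normalize_password(sample)))
```

Run it, paste the password you believe is correct in place of the constructed sample, and read the per-character listing: a RIGHT SINGLE QUOTATION MARK where you meant an apostrophe, a NO-BREAK SPACE, or a COMBINING DIAERESIS are exactly the differences that are invisible in a text editor but change the key Bitwarden derives. The checks only report and normalize; they do not enumerate guesses.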

Thanks for your suggestions. I’ve tried pretty much everything, and nothing worked. So, I’ve created a new account, and now I have to go through the tedious process of adding my contacts to it one by one!
Larry