How To: Master Password Problems and Best Practices

Problems with master passwords frequently arise here in the forums, so I thought I would try to collate all the advice I have learned from the community about what to do if your Bitwarden password isn’t working, along with some best practices.

Quick Background

The master password to your Bitwarden account is required in the cryptographic process that generates the key to encrypt and decrypt your vault. Bitwarden never saves a copy of your master password, for security reasons, so they can’t even access it if you wanted them to.

This leads to two issues:

  • If you have lost your password, you can’t ask to have it reset – you are now locked out.
  • Even if you have a device that’s currently logged in to your account (e.g., you unlocked Bitwarden on your phone with a fingerprint), you can’t export your vault contents without the master password.

My Master Password Doesn’t Work!

If you believe you remember your password, but it is not working, try typing it into a text editor so you can see each character and make sure it is perfect (capitals matter, and every character must be exact).

  • Compare against a copy you wrote down or saved digitally when you created it, as recommended (if you did that).
  • If it seems right, paste it into your Bitwarden login (don’t type it again).

If that didn’t work, here are some possible solutions to get you logged in again:

  • Ensure that you are logging in to your account with the correct email address – the correct password is not going to work if you enter the wrong email at login!
  • Use a private/incognito browser session to try logging into the Bitwarden web vault at https://vault.bitwarden.com
    • If this works, but other methods did not, something may be corrupted in your device’s local Bitwarden profile. You can try resetting it by uninstalling Bitwarden, rebooting the device, and reinstalling again.
  • Change your keyboard – some international keyboards may present different characters from what you would expect, and this applies to both physical and virtual (e.g., iPhone) keyboards.
  • Try a different device – smartphones are especially notorious for ‘auto-correcting’ what you type, particularly things like replacing straight-quotes with curly-quotes (i.e., “smart-quotes”).
  • Type out all plausible combinations of your password in a text editor and copy-and-paste them in one at a time.
    • Common problems include easily mistakable characters, like a capital ‘O’ and a zero character, or a one (1) character vs. a lower-case L (l) or upper-case ‘I’ character.
    • Straight quotes (double, single) vs. curly/smart-quotes or back quotes are another common issue, as are confusion with the apostrophe vs. back-quote characters.
    • Watch out for leading or trailing spaces – they are hard to spot and cause all kinds of confusion if they are saved within your password.
  • If you have designated an emergency access contact, ask them to take over your vault so you can change the password and regain entry.
  • If you previously exported an unencrypted backup (or a password-encrypted backup using the Bitwarden CLI), you might consider deleting your account and restoring from the backup file.
    • Best to create a new, temporary Bitwarden account first to be sure you can import the information.
    • Note that Bitwarden JSON-file backups capture more information than CSV-file backups; however, even JSON backup files do not contain file attachments, items in your Trash folder, or your password histories, so you will lose those.
  • If none of these suggestions have worked, you may want to investigate the possibility that someone has found a way into your Bitwarden account and locked you out - you will have received email notifications from Bitwarden if anyone logged into your account from an untrusted device. See more details below.

Suggested Best Practices:

Here are my suggestions for master passwords:

  • Create a unique and strong (i.e., at least 13 characters long and unguessable) password for your vault – it should be memorable, however, so you might consider a passphrase instead of a password if that helps.
    • You can lock your vault after logging in with your password to secure it, especially if you want to avoid frequently typing your long master password. Unlock options include a device-specific PIN code or biometrics (e.g., fingerprint, FaceID), which are convenient.
  • Create a master password that does not contain easily confused characters, like a capital ‘O’ vs. a zero (0) character. Also avoid spaces or any special characters that do not appear in the Bitwarden password generator.
  • If you haven’t done so already, write/print out your master password on a piece of paper and hide it somewhere secure (e.g., a safe, someplace nobody would think to look, etc.).
    • Test the password you saved to ENSURE you wrote/printed it out correctly!
    • Create a password hint that only you will understand which gives you an obvious clue about where to find the password you stored in a hidden place.
  • Alternatively, you could store the password digitally on a USB flash drive and store that somewhere secure, like a safe or security deposit box. You could also encrypt it somewhere, such as within an encrypted volume or on an encrypted flash drive, but you have to be sure not to forget the PIN/password (storing it in Bitwarden won’t help if you get locked out!).
  • Enable two-step login (a.k.a. two-factor authentication, 2FA, multi-factor authentication, MFA, etc.) to protect your vault - a somewhat different topic but covered well here, with some more tips from me here.
  • Set up emergency access for someone you trust (or even yourself, I suppose) so that they have the privilege to take over your account if something goes wrong.
  • Frequently back up your account using the Export feature in Bitwarden.
    • Note: If you have lost your master password and are locked out of your Bitwarden account, you will not be able to restore an encrypted Bitwarden export file. So, you are forced to restore from an unencrypted export. This is the type of backup file you should generate with the Export tool.
    • Save unencrypted backups to a secure location, such as an encrypted removable drive (e.g., a BitLocker encrypted removable drive on Windows) or an encrypted volume (e.g., a VeraCrypt volume or an encrypted disk image (.dmg) file if on MacOS).
      • If you are managing organizational vaults, remember that you have to backup your personal vault and your organizational vaults separately!
      • If you have attachments saved in your account, you must download those manually – they don’t get exported into the JSON file.
        • You can easily locate all your vault items with attachments in Bitwarden by entering the following search expression (note: the leading > character is necessary):
          >attachments:*

If anyone has some additional tips to add, corrections, or additional links, please respond to this thread and I will incorporate them into the guidance above. Thanks!


Like you I have seen this question (password doesn’t work) a lot. It’s great that you took the time to formulate a comprehensive response.

I would suggest logging in to the email associated with the account (assuming you can get access to that email) in order to see if there are any unexpected logins from a new device (which might be an indication of malicious account takeover). I realize that account takeover is probably a much less common scenario than the others (and mentioning the scenario could induce a degree of unnecessary panic in some cases), but perhaps it could be at the end of the list.

Edit - I recall there can be more than one email associated with an account, but I don’t remember all the details. Maybe it’s only an option to use a different email if you are using email as a 2FA option.

Edit 2 - It may be that a bad guy who gains control of your account would avoid changing your password in order to minimize the potential of tipping you off to the breach. But on the other hand, he may change your password to lock you out in order to make it harder for you to gain back control of things from him.

Thanks for this @bw-tinkerer - I wasn’t really thinking about this scenario, so I am glad you brought it up. Given that you are the first to respond and your message is right below my list for everyone to see, I think this is a perfect place to mention the possibility of an account takeover and lockout. I’ll add a link to this above. Cheers!

If you have a local copy of your vault, and if you remember some information about your master password (or if your master password was weak), then you may be able to use brute force to recover your password based on hashes that can be recovered from the vault.

There is an old Reddit post that explains how to do it. If using the keyHash value as done in that post, please note that the number of iterations in the final PBKDF2-HMAC-SHA256 hashing must be changed from 1 to 2 due to a recent modification of the hashing process used for the Master Key Hash stored in local vaults. For those so inclined, there are even cracking tools from HashCat to facilitate brute-forcing of Bitwarden master password.

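The following is an added example, not code from this thread or from Bitwarden. It ties together two points made above: the first post's advice to enumerate "all plausible combinations" of a remembered password (confusable characters, straight vs. curly quotes, stray leading/trailing spaces), and the last reply's point that those candidates can be checked offline against the keyHash in a local vault, which for PBKDF2 accounts is PBKDF2-HMAC-SHA256 of the master key salted with the password itself, using 2 iterations for the locally stored copy (1 iteration for the value sent to the server). The email, password, iteration count and keyHash below are constructed for the demo; Argon2id-configured accounts are not covered, and the hashcat route mentioned above is the faster choice for anything beyond a handful of candidates.

```python
import base64
import hashlib
import itertools

# Characters commonly confused when a password is read from paper or mangled by
# a phone keyboard. Each key maps to the characters it might really have been.
CONFUSABLES = {
    "O": "O0", "0": "0O",
    "l": "l1I", "1": "1lI", "I": "Il1",
    "'": "'\u2018\u2019`", "\u2018": "\u2018'", "\u2019": "\u2019'", "`": "`'",
    '"': '"\u201c\u201d', "\u201c": "\u201c\"", "\u201d": "\u201d\"",
}


def candidate_passwords(remembered, max_candidates=10000):
    """Yield unique variants of `remembered`: the string exactly as typed and
    with surrounding whitespace stripped, each expanded through every
    combination of confusable substitutions, capped at max_candidates."""
    seen = set()
    budget = max_candidates
    for stem in (remembered, remembered.strip()):
        options = [CONFUSABLES.get(ch, ch) for ch in stem]
        for combo in itertools.product(*options):
            if budget <= 0:
                return
            cand = "".join(combo)
            if cand not in seen:
                seen.add(cand)
                budget -= 1
                yield cand


def master_key(password, email, iterations):
    """Bitwarden's PBKDF2 master key: salt is the account email, lowercased."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, 32)


def master_password_hash(password, key, local=True):
    """Master key hashed with the password as salt. local=True is the
    2-iteration value kept in the client's local data; local=False the
    1-iteration value sent to the server at login."""
    digest = hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"),
                                 2 if local else 1, 32)
    return base64.b64encode(digest).decode("ascii")


def local_key_hash(password, email, iterations):
    return master_password_hash(password,
                                master_key(password, email, iterations),
                                local=True)


def recover(remembered, email, iterations, key_hash, max_candidates=10000):
    """Return the first candidate whose local keyHash matches, else None."""
    for cand in candidate_passwords(remembered, max_candidates):
        if local_key_hash(cand, email, iterations) == key_hash:
            return cand
    return None


# Constructed demo: the vault was created with TRUE_PASSWORD, but the owner
# remembers it with a leading space and the letter O where the zeros were.
DEMO_EMAIL = "someone@example.com"            # constructed
DEMO_ITERATIONS = 1000   # real vaults use 100000 or 600000; kept small here
TRUE_PASSWORD = "c0rrect-h0rse-l1ke!"        # constructed
REMEMBERED = " cOrrect-hOrse-l1ke!"           # constructed
DEMO_KEY_HASH = local_key_hash(TRUE_PASSWORD, DEMO_EMAIL, DEMO_ITERATIONS)

if __name__ == "__main__":
    print("recovered:", recover(REMEMBERED, DEMO_EMAIL, DEMO_ITERATIONS,
                                DEMO_KEY_HASH))
```

To use this against a real vault, replace the demo values with your account email, the KDF iteration count shown in your account's security settings, and the keyHash string from the client's local data; the variant set grows multiplicatively with each confusable character, so raise max_candidates only as far as the iteration count makes tolerable.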