How To: Master Password Problems and Best Practices

Sorry to hear that, @Larry54. I was hoping you could figure out what password you had been using.

It may be a bit late, but I have been working on collating all the advice from the community regarding lost, forgotten, or otherwise problematic passwords in one thread. I completed it today and have posted it here, in case it is of any help to you:

Cheers!

1 Like

This line from your new collation of advice describes exactly the situation I am in: “Even if you have a device that’s currently logged in to your account (e.g., you unlocked Bitwarden on your phone with a fingerprint), you can’t export your vault contents without the master password.”
MS Edge was logged into my previous Bitwarden account when my vault login stopped working for reasons I do not know. So Bitwarden works fine on Edge, but I had to create a new account for my other browsers.
Thanks very much for all your efforts.
Larry

1 Like

I have exactly the same issue. Before creating a new master password I wrote it down on paper and then changed it accordingly. Sometimes it works, other times it just doesn’t. There seems to be no known pattern that I can distinguish to determine when it will or won’t work.

Access on a new device can only be done with 2FA via an authenticator app that I have on my phone that’s always with me and no info has been sent about new devices being used, and no one has access to any of my devices.

Hey @Rutger_vans if this is related to a self-hosted installation, please update your server, which can throw an incorrect credential warning due to a deprecated API.

Otherwise, I’ve helped many users around this issue by using a trusted end-to-end encrypted messaging app (such as Signal) to send the master password from a device where you are able to get in to the device where you are having trouble, and copy/pasting it.

Hi @bw-admin, I mainly use the Chrome plugin, and the Android app, though I also have the issue for web. Up until I changed my password recently I never had any issues.

My suspicion is that it has something to do with being logged into BW in more than one place. Because when this happened the first time I was still logged into 1 device but couldn’t get into the others. I thought perhaps I made a mistake setting up the new password and tried a very large amount of variations but nothing worked. Then, to my horror at the time, I was logged out at the last device I was still logged into. But when I tried to login it then did work, on multiple devices and everything went fine for a week or so.

Now I’m also still logged into 1 device with vault timeout set to never, but as you might understand, I’m very reluctant to give my theory a try in case I’m wrong and can’t get in at all anymore.

Hey @Rutger_vans you can be logged into multiple clients simultaneously, did you have a chance to try my method above?

A week ago I decided to become a premium member because this is a fine tool that I’ve been using a couple of years after ditching LP. Right after I completed the subscription process I realized it was about time I changed my master password. Using the chrome add-on, same way I always had, I invoked the generator but this time I decided to go for a passphrase rather than a scrambled password I normally use.
I hit the ‘generate button’ a few times until I found one phrase with the words that I liked. Hitting the ‘copy’ button I immediately pasted the passphrase to a text file I keep with important words on my desktop. Right after that I went to a second computer, opened an incognito window on Chrome and logged in with the new passphrase. This was the only time the passphrase allowed me into my account. I went to my vault on the web, which I was logged on to on the first computer, tried using the ‘reused password check tool’ and got asked for the master password.
I entered it many times, as I figure you guys already did, thinking how can this be possible, I am doing nothing wrong. Tried 3 different computers with 3 different browsers on each.
After a while I got kicked out from the first computer Chrome addon and from my Android, but fortunately the Chrome addon on the second computer was still logged in. So I went through all of the 396 passwords and pasted everything to a spreadsheet.

Now I am unable to delete my account because I am the sole owner of the organization. Support instructed me to reply with a specific sentence to confirm I want to have the account deleted and it has been almost 12 hours since I emailed them. No answer from them and I am stuck.

Hey @Guibao there are also steps outlined here if you haven’t already reviewed that doc: https://bitwarden.com/help/delete-your-account/

How about if instead you create backups on a regular basis?
For details see the official help page here:

and this absolutely great article started by @dh024:

I had this exact same issue happen to me once on LastPass. Out of the blue. Tried everything, of course, starting with caps lock. Eventually, I wrote down my complex Master Password on paper, tried it, it still didn’t work. It was only a couple of days later, in the middle of the night, as my brain was working away at the issue in my sleep, that I realized that after a couple of years of using the same password, I had changed one character for some odd reason. I woke up and wrote it down on paper again. Compared it to what I had written a couple of days before and they were different by that single character. I could now sign back in again. From then on I have done three things:

  1. keep a backup of my entire vault, encrypted, in a secure offline location. Storing on a biometric usb key is one good solution.
  2. keep a printed copy of my password and TOTP key (or Recovery Key to disable 2FA in Bitwarden’s case) in separate, secure offline locations. In the LastPass case, I also kept a paper grid 2FA, which I really miss.
  3. move from a long complex password to an even longer random passphrase, which is less susceptible to this type of memory error.

Good luck!

2 Likes

Hi @bw-admin, I tried the copy/paste from a device where it works to the ones where it didn’t work and that didn’t help unfortunately. Since I use the chrome extension I assume that the self-hosted part wasn’t applicable, is that correct?

Any thoughts on using UTF-8 in master password? I tested some Japanese characters with Bitwarden, it seems to be working great. I was able to unlock my vault successfully on browser extension and phone. Of course should have a backup of the vault in case unlock fails.

1 Like

I unfortunately currently cannot find that topic anymore (but @grb did; see here. Thank you!) but there was someone who used a character that was not part of the collection the Password Generator offers. As a result of that they could not log in on a certain device. So before you start using Japanese Characters I would recommend that you create a new test-account to try this out on all kinds of devices with all available apps and extensions. When done you can easily delete that test-account:

1 Like

In my case I tested: Android App, iOS App, Firefox Extension, Web Vault (Firefox, Chrome and Safari). But again, I would recommend anyone who is doing this backup their vault in PLAINTEXT format, just in case you get locked out.

1 Like

This is the thread @Peter_H was referring to (the offending character was a "):

The thread below also has a relevant discussion about the issue:

I believe that this is mainly an issue for various quotation marks (', ", `, ´, ,,,,,) that may be auto-corrected into a different form preferred by the device you are typing on.

Another issue is that if traveling, you may find yourself using a keyboard that cannot produce the required characters (although some would argue you should never type in your master password on a device that isn’t yours, anyway).

With these caveats in mind, as long as one has access to at least one device on which it has been confirmed that a login can be successfully completed using a master password containing non-ASCII characters, it should be fine to stray from Bitwarden’s “standard” set of 71 characters. However, as noted by @JoshM, it would be prudent to back up the vault before attempting this.

3 Likes
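To make the quotation-mark problem discussed above concrete, here is an added illustration (not code from the thread or from Bitwarden) of why an auto-corrected quote glyph locks you out: the key derived from the password bytes changes completely, and no Unicode normalisation repairs it, whereas a composed/decomposed accent difference is repaired by normalisation. The salt, iteration count and NFC step are assumptions for the demo, not Bitwarden's actual KDF configuration; `confusable_chars` is a hypothetical pre-check a user could run on a candidate master password.

```python
import hashlib
import unicodedata

# Constructed demo parameters (assumption): not Bitwarden's real KDF settings.
SALT = b"user@example.com"
ITERATIONS = 100_000

# Quote-like characters that phone and desktop keyboards silently swap for each other.
CONFUSABLE_QUOTES = {
    "\u0022": "straight double quote",
    "\u201c": "left curly double quote",
    "\u201d": "right curly double quote",
    "\u201e": "low double quote",
    "\u0027": "straight apostrophe",
    "\u2018": "left curly single quote",
    "\u2019": "right curly single quote",
    "\u0060": "grave accent",
    "\u00b4": "acute accent",
}


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the NFC-normalised UTF-8 bytes of the password.

    NFC merges composed and decomposed forms of the same accented letter, but a
    curly quote and a straight quote are distinct code points and stay distinct.
    """
    pw = unicodedata.normalize("NFC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)


def same_key(a: str, b: str) -> bool:
    """True only if both spellings unlock the same vault key."""
    return derive_key(a) == derive_key(b)


def confusable_chars(password: str) -> list[tuple[int, str, str]]:
    """List (position, character, description) for every quote-like character,
    so a user can see which parts of a candidate password a keyboard might alter."""
    return [(i, c, CONFUSABLE_QUOTES[c]) for i, c in enumerate(password) if c in CONFUSABLE_QUOTES]


if __name__ == "__main__":
    as_generated = 'correct"horse'        # straight quote, as produced by a generator
    as_autocorrected = 'correct\u201dhorse'  # what a smart-quote keyboard may type
    print("same key after auto-correct:", same_key(as_generated, as_autocorrected))
    print("same key composed vs decomposed:", same_key("caf\u00e9", "cafe\u0301"))
    print("risky characters:", confusable_chars(as_generated))
```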

I think one of the most important things about a secure master password is not to confuse yourself, or the user themselves. A lot of times we try too hard to play with a bunch of different characters and unknowingly get ourselves into trouble.

I use Japanese characters as an extended protection for my password. I usually have my Japanese chars stored somewhere easy to access (like in Bitwarden itself, Google Pswd Mgr, Apple Keychain etc.) and just copy and paste it into the master password field and then type the traditional password. For example: “MySuperSecretASCIIPassword_123” + “[Pasted Japanese Characters]”. Usually copying and pasting UTF-8 characters reduces the chance that I am gonna mess up the UTF-8 characters. Plus I don’t really care if a friend knows the Japanese part of the password, because they still don’t know the ASCII part of the password, nor do they have access to my encrypted vault files that would give them the ability to try to break it with unlimited tries.

The reason I decided to use UTF-8 character sets is because of what happened to Lastpass; in the worst case, the same thing happens to BW. I want my password to be able to withstand brute force attacks and be future-proof, since there is no way for a user to delete their encrypted vault from the hacker’s hand. A 16-char ASCII random password is considered safe by today’s standard, but given a hacker 50+ years and future technologies to break it open, would a 16-char ASCII randomly generated password with PBKDF2 still be as safe? Sure, the user can change their login password over a weekend, but not everything is changeable, like, let’s say, someone stores their social insurance number in BW. Once the vault is broken open, the hacker will have access to a lot of personal data that is not changeable.

The hackers who stole Lastpass vaults are not likely to have access to users’ Google/Apple accounts at the same time, so if the user set up their password like this, the hacker will have a much tougher time breaking their vault open. And most of the users are probably not worthy enough for the hackers to perform a sophisticated social engineering attack on.

As for traveling, yes, no one should unlock their vault on a device that is not trusted. I usually bring my personal devices for traveling instead of using an internet cafe. There is just too much risk to login to the BW vault on an untrusted device. The bad actor can export the vault without the user’s knowledge once it is unlocked and/or just remotely take away control, and the user won’t even be able to lock their vault. If bringing a personal computer is not possible, the user should create a temporary BW account and share only a limited set of passwords they need for travel purposes.

Above are just my thoughts on Best Practices on Master Password and where I am coming from for using UTF-8 passwords.

Again I elaborate this one more time, in case someone did not read previous posts. Please backup your vault in plaintext and set up proper emergency access before trying anything I mentioned above.

[Solved] Bitwarden Mac app does not accept correct Master Password.

This might be helpful for some. My Bitwarden Mac app suddenly stopped recognising the Master Password. Every single character and my email address were correct, and worked on my iPhone app, and on the Bitwarden web vault. (For safety, first I exported an encrypted copy from the web vault.) On the Mac app, I then logged out and logged in again. For unknown reasons, the Mac app then accepted the Master Password. Mac app version 2024.5.0.