If someone gets access to my e-mail can they just reset my passwords anyway

Insofar as I can always reset my individual account passwords via a “forgot password” operation that works via e-mail, does that mean that someone who gets access to my e-mail can defeat the security of Bitwarden with any provider that uses my e-mail address as a userid?

Hi Bob - welcome!

If you are speaking about your Bitwarden master password, no - it doesn’t work this way. You can never reset that password via email.

https://bitwarden.com/help/article/master-password/
https://bitwarden.com/help/article/forgot-master-password/

If you are referring instead to your individual passwords stored in your BW vault, that will depend on the website/app/provider. A good suggestion is to enable two-factor authentication on your accounts where possible, so that one would need more than just access to your email to takeover an account. There are free options to do this (e.g., Google authenticator, Authy), and Bitwarden has a convenient built-in authenticator for premium customers.

1 Like

Depending on your email provider, go passwordless for your email if possible. Additionally enforce MFA if there is a login attempt with your password. Make sure to have more than one possibility to factor into your account, just in case lets say the the authenticator app doesn’t work.

As said before, you can’t get your bitwarden password sent to email, but plenty of others. This is why protecting your (main) email account is very important.

But for crying out loud, try your fallback scenario in a real-world setting. Say, switch your smartphone off and try to get into your email. Why? Because I know cases where people secured themselves out of their email account after losing their smartphone.

1 Like