Locked out on mobile devices

I’ve just changed my master password, increased the KDF iterations and added 2FA to my account, but now I can’t log in on either the iPhone or the Android app. It keeps popping up a “Username or password is incorrect. Try again.” error, even though the password is 100% correct.

Logging in to the web vault and the browser extension worked fine, I’m only having this issue with the mobile apps.

I have already tried doing what’s recommended in similar issues posted here, like clearing the apps’ cache and data, restarting the devices, rotating the account’s encryption keys and reinstalling the apps, but none of them worked.

Thanks in advance!

@Fernando1 Welcome to the forum!

Did you verify that the mobile apps are connecting to the correct server (bitwarden.com or bitwarden.eu), depending on where your account was registered?

Hi, thanks for the welcome!

Yes, it’s trying to connect to bitwarden.com, the same as the web and the browser extension.

I also tried changing it to bitwarden.eu just in case, but it also didn’t work :frowning:

So, it just worked. I think there’s a bug in how the mobile apps treat some special characters during the login.

When trying to log in on my mobile browser, it displayed an error message that was different from the one in the mobile apps, something like “your password is invalid”, not “your password is incorrect” like before.

Because of that, I thought it could be an issue with one of the special characters I had used in it. Changed my password once again, this time removing the ã character. And it worked on all platforms.

So I think there’s some bug with either the login or the reset password screens:

  • If the ã character should be allowed in passwords, then the mobile apps are not allowing it in the login section;
  • if it shouldn’t allow it, then the “Change master password” screen in the web version is.

You might get away with a Unicode password if you are sticking to a single OS/Browser, but things will rapidly go haywire if you use multiple operating systems or browsers.

A huge complication with Unicode is that it has many encoding schemes and multiple ways of composing characters, each of which can make the in-memory representation of a Unicode string different. A string encoded in UTF-8 will not look the same in-memory as the same string encoded in UTF-16. Since password algorithms are using the “in memory” representation as input to an encryption method, everything breaks down if different encodings are used when typing the password. And, since there is no single “standard” normalization process, things most often fall apart when you are using multiple devices.

This is not just a Bitwarden bug (although they could do more to mitigate the impact, as you suggested). It can impact any password, not just Bitwarden’s, so even if Bitwarden were to somehow “fix” it, you still would be bitten by the problem on some random website.

As you discovered, the safest approach is to stick with the original 95-character ASCII set (or less, as the Bitwarden generator does) so that you avoid this whole mess. If you want a stronger password, the safer approach is to increase length and/or randomness.

Another lesson to take from this is that changing master passwords, encryption, and anything else that touches your whole vault at once is a risky activity and should be preceded by first creating an export of your vault, so you have something to fall back on if things go even more haywire.

1 Like
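The encoding and composition problem described in the reply above, as an added illustration that is not Bitwarden’s code or anyone’s post in this thread. It derives a key from two visually identical passwords, one with ã as the precomposed code point U+00E3 and one as a + combining tilde U+0303, and shows that the raw bytes (and therefore the derived key) differ unless both sides apply the same normalization form first. The KDF parameters (PBKDF2-HMAC-SHA256, a fixed salt, a small iteration count) and the sample passwords are illustrative assumptions, not Bitwarden’s actual pipeline. The last helper implements the “stick to printable ASCII” check suggested above:

```python
"""Why the same-looking password can fail on another device.

Added illustration of the encoding/normalization problem, not Bitwarden's
code. KDF parameters, salt and sample passwords are illustrative only.
"""
import hashlib
import unicodedata
from typing import Optional

# Constructed sample passwords: they render identically but are different
# sequences of code points, which is exactly what a user cannot see.
PASSWORD_NFC = "Tr\u00e3oSecure!"   # 'ã' as one precomposed code point U+00E3
PASSWORD_NFD = "Tra\u0303oSecure!"  # 'a' followed by combining tilde U+0303

SALT = b"user@example.com"  # illustrative; many schemes salt with an identifier
ITERATIONS = 10_000         # illustrative; real KDFs use far more


def encode(password: str, encoding: str) -> bytes:
    """The bytes a KDF actually consumes depend on the chosen encoding."""
    return password.encode(encoding)


def derive_key(password: str,
               normalize: Optional[str] = None,
               encoding: str = "utf-8") -> bytes:
    """PBKDF2-HMAC-SHA256 over the password bytes.

    normalize is one of "NFC", "NFD", "NFKC", "NFKD" or None (raw input).
    Only when both the enrolment and login paths pick the same form will
    two differently composed inputs agree.
    """
    if normalize is not None:
        password = unicodedata.normalize(normalize, password)
    return hashlib.pbkdf2_hmac("sha256", encode(password, encoding),
                               SALT, ITERATIONS, dklen=32)


def same_password_same_key(a: str, b: str,
                           normalize: Optional[str] = None) -> bool:
    """True when two typed forms of a password yield the same derived key."""
    return derive_key(a, normalize) == derive_key(b, normalize)


# The 95 printable ASCII characters, space (0x20) through tilde (0x7E).
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def is_portable(password: str) -> bool:
    """Check from the advice above: a password confined to printable ASCII has
    one byte form in UTF-8 and one normalization form, so it survives any device."""
    return all(ch in PRINTABLE_ASCII for ch in password)


if __name__ == "__main__":
    print("NFC utf-8   :", encode(PASSWORD_NFC, "utf-8").hex())
    print("NFD utf-8   :", encode(PASSWORD_NFD, "utf-8").hex())
    print("NFC utf-16le:", encode(PASSWORD_NFC, "utf-16-le").hex())
    print("raw keys equal?       ", same_password_same_key(PASSWORD_NFC, PASSWORD_NFD))
    print("NFC-normalized equal? ", same_password_same_key(PASSWORD_NFC, PASSWORD_NFD, "NFC"))
    print("portable?", is_portable(PASSWORD_NFC), is_portable("correct horse battery staple"))
```

Running it shows the precomposed form encoding as `c3a3` where the decomposed form has `61cc83`, so the raw keys differ, while both normalized to NFC (or both to NFD) agree. A client that normalizes on the change-password screen but not on the login screen, or that receives a different composition from a different keyboard, produces exactly the “incorrect password” symptom in the original post, even though the server never sees the plaintext.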