Login to community with bitwarden.com account

Seems counterintuitive that I have to create a new login for community.bitwarden.com, or can use others (e.g. GitHub), but cannot use bitwarden.com.

It would be great if bitwarden.com supported Discourse SSO. Given that bitwarden.com already knows my email address (required for subscription) one would suppose it would be trivial for it to also store a ‘community (or SSO) password’ (assuming one would be necessary).

1 Like

Doesn’t seem counterintuitive to me:
Facebook, Google, Yahoo, Twitter and GitHub are all authentication providers, meaning that you can “Log in with [provider]” on websites that support them. Logging in to a website with an authentication provider means that this provider will share some data about you with the service that wants to log you in.

I wouldn’t trust any service that wants me to log in with my password manager…

I wasn’t suggesting that bitwarden.com should federate, but it is annoying to need two accounts!

So, a hypothetical situation to think about. There is a not-publicly-known vulnerability in Discourse which allows an adversary to gain full access to the host, which also allows said adversary to impersonate any user. With such an ability, this adversary could now potentially gain access to your vault.

While having two separate logins, one for the vault and another for the community forums might be a small annoyance, I think it is a far better idea than someone gaining access to your vault.

1 Like

This issue is based on a misunderstanding of how Bitwarden login works and how the Bitwarden Community login works.

It would be better to call Bitwarden “LOGIN” something else, since it is not even close to the same process.

But yeah, if you called it “DECRYPTION” or something, normal people will be like “huhhhhh how do I log in?”

Bitwarden could not implement something like OAuth without adding more authentication info to their databases, which would lower security of your vault.

So yeah… why not store your bitwarden community login in… Bitwarden?

1 Like

So because I use github.com to log in here, anybody who compromises community.bitwarden.com can compromise my GitHub account… We both know that’s not how this works. :slight_smile:

For avoidance of doubt, I equally wasn’t saying that bitwarden shouldn’t federate. I completely failed to propose a solution. :slight_smile:

So when I log in to bitwarden.com using my bitwarden.com username and password I am not actually logging in? Hmmm. :wink:

Traditional site login:

  1. User sends username and password to the server.
  2. Server checks whether the username and password match.
  3. They match, so the server generates a session token (or cookie) and sends it to the user.
  4. The user sends this token with every request to remind the server that this user is in a logged-in state.

Bitwarden:

  1. User takes a PBKDF2 hash, with 5000 iterations, of their password as the key and their normalized email address as the salt. This is the decryption key. It is not sent, but stored in memory for now.
  2. User hashes the decryption key along with the email one more time; this hash is called the identifier.
  3. User sends the server the identifier.
  4. Server sends back the “Protected Key”.
  5. The user uses the “decryption key” to decrypt the “Protected Key”. This reveals the “master key”.
  6. The user uses the master key to decrypt all items in their vault. It requests the items based on the identifier, decrypts them real fast, and shows them to the user.
  7. When you “lock” Bitwarden it deletes the master key but keeps the Protected Key, email, and all the encrypted data saved. When you re-enter your password to unlock it, it re-decrypts the Protected Key.

Also, Bitwarden’s servers don’t even know which email address (user) is requesting the encrypted data… it only sees the identifier (which you could only know if you know the username and password).

In order to add some sort of OAuth2 based single-sign-on feature Bitwarden would have to decrease privacy of accounts so that it can associate identifiers with email addresses.

Not impossible… but yeah, not desirable either.

tl;dr Bitwarden “looks” like it’s logging in… but it isn’t.
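The seven steps above, as an added toy model in Python (not code from the post, and not Bitwarden’s client or server code): PBKDF2-SHA256 with the 5000 iterations the post states, an HMAC-SHA256 counter-mode keystream plus HMAC tag standing in for a real cipher so it runs on the standard library alone, and a `Server` that stores nothing but identifier, protected key and ciphertexts. All names, the account details and the vault item are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 5000          # iteration count stated in the post; illustrative only
NONCE_LEN, TAG_LEN = 16, 32


def derive_decryption_key(password: str, email: str) -> bytes:
    """Step 1: PBKDF2-SHA256 over the password, salted with the normalized email.
    Stays in client memory; never transmitted."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def derive_identifier(decryption_key: bytes, email: str) -> bytes:
    """Step 2: hash the decryption key once more together with the email.
    This is the only password-derived value the server ever sees."""
    return hashlib.sha256(b"identifier|" + decryption_key + email.strip().lower().encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stand-in for a real cipher, not a recommendation.
    blocks = [hmac.new(key, b"enc|" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac|" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails loudly rather than yielding garbage."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac|" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Server:
    """Holds identifier -> (protected key, encrypted items). No emails, no passwords, no plaintext."""

    def __init__(self):
        self.accounts = {}

    def register(self, identifier: bytes, protected_key: bytes) -> None:
        self.accounts[identifier] = {"protected_key": protected_key, "items": []}

    def protected_key(self, identifier: bytes) -> bytes:
        return self.accounts[identifier]["protected_key"]   # KeyError for an unknown identifier

    def put_item(self, identifier: bytes, ciphertext: bytes) -> None:
        self.accounts[identifier]["items"].append(ciphertext)

    def items(self, identifier: bytes) -> list:
        return list(self.accounts[identifier]["items"])


class Client:
    def __init__(self, server: Server, email: str):
        self.server, self.email = server, email
        self.identifier = None
        self.master_key = None          # None means the vault is locked

    def create_account(self, password: str) -> None:
        dec_key = derive_decryption_key(password, self.email)
        self.identifier = derive_identifier(dec_key, self.email)
        self.master_key = secrets.token_bytes(32)                    # step 5's "master key"
        self.server.register(self.identifier, seal(dec_key, self.master_key))  # step 4's "Protected Key"

    def unlock(self, password: str) -> None:
        dec_key = derive_decryption_key(password, self.email)        # step 1
        identifier = derive_identifier(dec_key, self.email)          # step 2
        protected = self.server.protected_key(identifier)            # steps 3 and 4
        self.master_key = open_sealed(dec_key, protected)            # step 5
        self.identifier = identifier

    def lock(self) -> None:
        self.master_key = None          # step 7: forget the master key, keep the ciphertexts

    def add_item(self, text: str) -> None:
        self.server.put_item(self.identifier, seal(self.master_key, text.encode()))

    def read_items(self) -> list:
        if self.master_key is None:
            raise RuntimeError("vault is locked")
        return [open_sealed(self.master_key, c).decode() for c in self.server.items(self.identifier)]  # step 6


def demo():
    """Constructed walk-through: create, store, lock, unlock, then try a wrong password."""
    server = Server()
    alice = Client(server, "Alice@Example.com")          # mixed case: normalized in the salt
    alice.create_account("correct horse battery staple")
    alice.add_item("github.com: hunter2")                # constructed sample vault item
    alice.lock()
    try:
        alice.read_items()
        locked_blocked = False
    except RuntimeError:
        locked_blocked = True
    alice.unlock("correct horse battery staple")
    items = alice.read_items()
    try:  # wrong password: different identifier, so the server has no protected key to return
        Client(server, "alice@example.com").unlock("wrong password")
        wrong_rejected = False
    except (KeyError, ValueError):
        wrong_rejected = True
    return items, locked_blocked, wrong_rejected, sorted(server.accounts[alice.identifier])
```

Running `demo()` shows the point the post is making: the server’s record for the account contains only `items` and `protected_key`, the password never leaves the client, and a wrong password fails before anything is decrypted because it produces a different identifier.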

Having done a little research I have edited my feature request with additional detail.

You could store your password for the community in your Bitwarden vault.

That would be kind of the same.

Not the same at all, with SSO Discourse wouldn’t have access to my credentials (reducing my exposure).

Touché! Good point! :smiley:

Not the same at all, with SSO Discourse wouldn’t have access to my credentials (reducing my exposure).

So you would rather increase exposure of your password vault in order to decrease your exposure of your community account…

Rather than leaving the password vault as is and adding one new random string that is unrelated to your password vault or any of the other passwords contained in it, and exposing that new completely random unrelated string.

That makes no sense.

1 Like

I do not agree that supporting SSO would necessarily decrease the security of my vault.

Anyway - it seems a fairly redundant debate in the sense that the topic has no upvotes so nobody but me really cares. C’est la vie. :slight_smile:

Have an awesome week! :smiley:

I was trying to accomplish this just now and I never got a prompt to add the community.bitwarden.com subdomain to my vault after I clicked create account. Made a report here: Didn’t get prompt for adding account on these community forums