Master pass stopped working after increasing KDF

Went to change my KDF. After being prompted for and using my yubikey, the vault immediately signed out (didn’t get any sort of confirmation). I knew all my devices would get signed out but I was surprised by the lack of any sort of confirmation. However, going to log back in, my master pass no longer works. I enter it every day. I toggled the reveal icon and made sure I was typing it correctly. It’s a pass phrase that’s really hard to screw up. And yet…

Now, this wouldn’t be the absolute end of the world (still a major pain in the ass) if I could still log in on another device to download my data before deleting this account and opening a new one, but because I changed my KDF, this is not an option as all my devices were immediately logged out.

Am I completely out of luck?

Hey @ddejohn can you confirm where you have tried to login and what you changed it to? It is recommended to only change iterations of 50,000 at a time as indicated in the UI to ensure compatibility with your devices.

For official support, contact the team at https://bitwarden.com/contact/

Do you get an error message (e.g., “incorrect username/password”), or does the login form just freeze/crash?

What kind of devices do you have?

I’ve attempted login on my PC in Firefox, Edge, and Chrome, and in private windows in all three; on my phone using the app, but not any browsers; and on my girlfriend’s PC, where no Bitwarden extension has ever been installed and where the Bitwarden website has never been visited.

I can confirm that I changed the KDF from a multiple of 50k to a multiple of 50k. But it was not an increment of 50k.

An “incorrect username/password” error. No freezing. Like I said, my master password is an easy to remember passphrase that I’ve been using for months. I concede that there’s a non-zero probability that I legitimately forgot one of the words in it (I’ve used variations on this pass phrase, but I know for a fact that I know all but one of the words by heart) but I strongly doubt that.

I did email them but I have very little hope:

Hi Devon,

Thank you for contacting Bitwarden. I’d be happy to help.

There are probably a lot of users that changed their KDF iterations recently, but we haven’t seen a similar report before. Did you also change your master password before that? Please try your credentials on another device using another Internet connection. If you’re still receiving the “Incorrect username/password” error message, it means they don’t match what we have in our database and the only option is to re-create the account.

Kind regards

It’s looking like I’m SOL. Even if, on the extremely small chance that somehow my master password was changed/corrupted, it’s not like I’d have any recourse right? I’m fucked no matter what, I think.

The only thing I can think of is that I remember that when I was changing the KDF, I was prompted for my yubikey, but instead of the normal Windows popup instructing you to touch your yubikey, there was a text input field which was filled in when I touched the key. Is there any way I misread what I was being prompted for (there was a stock photo of a person inserting a hardware key into their laptop), and that I somehow managed to change my master password to what my yubikey entered? I can’t imagine that’s possible since there wasn’t a “confirm new password” step where I would’ve had to do it again, as far as I remember. Up to that point I thought everything was normal and wasn’t really paying attention to what I was doing, because I didn’t think any of this would happen.

I would assume them to have backups. They might be able to restore a previous version of your vault.

It doesn’t seem like the increased KDF iterations are the culprit, so the above appears to be the most likely possibility.

Also, to cover all the bases, are you sure that what you were using every day to unlock your vault was actually your master password, and not a “PIN” (which can also take the form of a passphrase, if you set it up that way)?

Looks like somebody recently experienced something very similar:

Oh, are you self-hosting a Vaultwarden server?

I am not, I was merely pointing out the similar experience. I do not understand the solution in that thread, and wasn’t expecting it to apply to my situation as I am not self-hosting. I was hoping to add a data point that corroborates my own experience (i.e., change KDF → get locked out).

I have increased my KDF twice in the last few days and I have experienced no issues. I assume many others have changed theirs as well.

It’s only similar on the surface. There are many reasons errors can occur during login. In the thread that you linked, the issue was that OP was running third-party server software that is not a Bitwarden product, and attempting to use a Bitwarden client app to log in to their self-hosted server that was running incompatible software.

In the meantime, did you try to find your keyHash value using the method I had suggested here?

Yes I was able to find a log file with keyhash values. Not sure what to do with it though.

Note: I’m mainly a Firefox user. I only used Chrome to test login (I had previously been signed into the extension as I used to use Chrome a long time ago). I am not sure if I had logged into the Chrome extension since the last time I changed my master password.

If you copy down the keyHash value (in case the .log files are wiped), and if your most recent Chrome login was after your most recent master password change, then you may be able to use brute-force guessing to recover your master password (since you said you were certain about all words except for one).

So I understood you to mean: try logging in and seeing what the password you use hashes to, and comparing that to what was in the log files, but on attempting to log in again in Chrome the new logs contained the same keyhash value as what I had copied.

Interestingly, the kdfIterations field reports the old value before I had changed it last night. Not sure what to make of that – wasn’t the whole point of logging me out of all my devices to force me to log back in using the new KDF iterations value?

OK, so now your Master Password works again?

No. I’ve edited my last message for clarification.

I think the .log file is updated only after a successful login.

If you want to do manual brute-force guesses, go to Bitwarden’s interactive cryptography tool.

If your keyHash value is from later than June 9, 2021, you will need to save a copy of the HTML code of this webpage. Then edit Line 481 of the HTML file — change the third argument of the pbkdf2 function from 1 to 2, so that it looks like this:

self.masterKeyHash = await pbkdf2(newValue.arr.buffer, self.masterPasswordBuffer, 2, 256)

Now open the HTML file in any browser.

If your keyHash value is older than June 9, 2021, then you do not need to download and edit the HTML, just use it directly on the webpage.

On the form, enter your email, the kdfIterations value from the .log file, and your best guess at the Master Password. Compare the Master Password Hash that was calculated on the webpage to the value of keyHash. If they match, you guessed correctly.

Of course, it would be much more efficient to automate all of the above, which you can do using a tool like Hashcat.

2 Likes
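The derivation the post above walks through, as an added example (not the forum tool or any Bitwarden client code): the master key is PBKDF2-SHA256 over the master password with the e-mail as salt for kdfIterations rounds, and the hash is a second PBKDF2-SHA256 over that key with the password as salt, 1 round for the value sent to the server and 2 rounds for the locally stored keyHash. The e-mail normalisation (trimmed, lower-cased) and the demo e-mail, iteration count and passphrase are assumptions / constructed values, not from any real account.

```python
import base64
import hashlib
import hmac

KEY_LEN = 32  # 256-bit master key and 256-bit hash, as in the forum tool's pbkdf2(..., 256)


def master_key(password: str, email: str, kdf_iterations: int) -> bytes:
    # Master key: PBKDF2-SHA256(password, salt=e-mail, kdfIterations) -> 32 bytes.
    # Assumption: the e-mail is trimmed and lower-cased before being used as salt.
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, kdf_iterations, KEY_LEN)


def master_password_hash(key: bytes, password: str, hash_iterations: int) -> str:
    # Hash: PBKDF2-SHA256(master key, salt=password, hash_iterations) -> base64 string.
    # 1 round is what the client sends to the server; 2 rounds is the local keyHash
    # written by clients after the June 2021 change mentioned in the thread.
    raw = hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), hash_iterations, KEY_LEN)
    return base64.b64encode(raw).decode("ascii")


def local_key_hash(password: str, email: str, kdf_iterations: int, legacy: bool = False) -> str:
    # legacy=True reproduces the pre-June-2021 keyHash (1 round, same as the server hash).
    key = master_key(password, email, kdf_iterations)
    return master_password_hash(key, password, 1 if legacy else 2)


def matches_key_hash(candidate: str, email: str, kdf_iterations: int,
                     expected_key_hash: str, legacy: bool = False) -> bool:
    # Compare a candidate passphrase against the keyHash copied from your own .log file.
    # Constant-time compare; the derived value itself is never printed or stored.
    derived = local_key_hash(candidate, email, kdf_iterations, legacy)
    return hmac.compare_digest(derived, expected_key_hash)


def first_matching_variant(variants, email, kdf_iterations, expected_key_hash, legacy=False):
    # Try the remembered variations of a passphrase (e.g. one uncertain word); None if none match.
    for cand in variants:
        if matches_key_hash(cand, email, kdf_iterations, expected_key_hash, legacy):
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo values, not taken from any real vault or log.
    EMAIL, ITER = "User@Example.com", 100_000
    known = local_key_hash("correct horse battery staple", EMAIL, ITER)  # stands in for keyHash
    print(first_matching_variant(["correct horse battery stapler",
                                  "correct horse battery staple"], EMAIL, ITER, known))
```

Note that the kdfIterations value must be the one the client was using when it wrote the keyHash, which is why the old value in the log (before the KDF change) is the right input here.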

The keyHash value from the Chrome logs matched using that tool with my old password. I guess I’m out of luck. I appreciate all your help.

Going to see if support can at least tell me when my password was last changed (to rule out a very implausible theory), and at the very least see if it’s possible for them to roll my vault back to my old password, if they keep backups as somebody suggested.

1 Like