Master pass stopped working after increasing KDF

It doesn’t seem like the increased KDF iterations are the culprit, so the above appears to be the most likely possibility.

Also, to cover all the bases, are you sure that what you were using every day to unlock your vault was actually your master password, and not a “PIN” (which can also take the form of a passphrase, if you set it up that way)?

Looks like somebody recently experienced something very similar:

Oh, are you self-hosting a Vaultwarden server?

I am not, I was merely pointing out the similar experience. I do not understand the solution in that thread, and wasn’t expecting it to apply to my situation as I am not self-hosting. I was hoping to add a data point that corroborates my own experience (i.e., change KDF → get locked out).

I have increased my KDF twice in the last few days and I have experienced no issues. I assume many others have changed theirs as well.

It’s only similar on the surface. There are many reasons errors can occur during login. In the thread that you linked, the issue was that OP was running third-party server software that is not a Bitwarden product, and attempting to use a Bitwarden client app to log in to their self-hosted server that was running incompatible software.

In the meantime, did you try to find your keyHash value using the method I had suggested here?

Yes, I was able to find a log file with keyHash values. Not sure what to do with it though.

Note: I’m mainly a Firefox user. I only used Chrome to test login (I had previously been signed into the extension as I used to use Chrome a long time ago). I am not sure if I had logged into the Chrome extension since the last time I changed my master password.

If you copy down the keyHash value (in case the .log files are wiped), and if your most recent Chrome login was after your most recent master password change, then you may be able to use brute-force guessing to recover your master password (since you said you were certain about all words except for one).

So I understood you to mean: try logging in and see what the password you use hashes to, and compare that to what was in the log files. But on attempting to log in again in Chrome, the new logs contained the same keyHash value as what I had copied.

Interestingly, the kdfIterations field reports the old value before I had changed it last night. Not sure what to make of that – wasn’t the whole point of logging me out of all my devices to force me to log back in using the new KDF iterations value?

OK, so now your Master Password works again?

No. I’ve edited my last message for clarification.

I think the .log file is updated only after a successful login.

If you want to do manual brute-force guesses, go to Bitwarden’s interactive cryptography tool.

If your keyHash value is from later than June 9, 2021, you will need to save a copy of the HTML code of this webpage. Then edit Line 481 of the HTML file — change the third argument of the pbkdf2 function from 1 to 2, so that it looks like this:

self.masterKeyHash = await pbkdf2(newValue.arr.buffer, self.masterPasswordBuffer, 2, 256)

Now open the HTML file in any browser.

If your keyHash value is older than June 9, 2021, then you do not need to download and edit the HTML, just use it directly on the webpage.

On the form, enter your email, the kdfIterations value from the .log file, and your best guess at the Master Password. Compare the Master Password Hash that was calculated on the webpage to the value of keyHash. If they match, you guessed correctly.

Of course, it would be much more efficient to automate all of the above, which you can do using a tool like Hashcat.

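The manual procedure above, automated. This is an added example and is not code from the thread or from Bitwarden; it re-implements the two PBKDF2-HMAC-SHA256 passes the Bitwarden clients use (a master key derived from the password and salted with the trimmed, lowercased email, then a hash of that key salted with the password: 2 rounds for the local keyHash a client writes after the June 2021 change, 1 round for the value sent to the server) and tries every candidate for the one uncertain word. The email, iteration count, word list and target hash are constructed for the demonstration; the separator between words is assumed to be a single space. As the post says, this only works if the logged keyHash was written by a login after the last master password change, and the kdfIterations value must be the one from the same log entry.

```python
import base64
import hashlib
from typing import Iterable, List, Optional


def master_key(master_password: str, email: str, kdf_iterations: int) -> bytes:
    """Bitwarden master key: PBKDF2-HMAC-SHA256 over the password, salted with the
    normalised (trimmed, lowercased) email, kdfIterations rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        kdf_iterations,
        dklen=32,
    )


def master_password_hash(master_password: str, email: str, kdf_iterations: int,
                         hash_iterations: int = 2) -> str:
    """Second PBKDF2 pass: the master key is the 'password', the master password is
    the salt. Clients store the local keyHash with 2 rounds (logins after June 2021);
    the value sent to the server for authentication uses 1 round."""
    key = master_key(master_password, email, kdf_iterations)
    digest = hashlib.pbkdf2_hmac(
        "sha256", key, master_password.encode("utf-8"), hash_iterations, dklen=32
    )
    return base64.b64encode(digest).decode("ascii")


def recover_missing_word(known_words: List[Optional[str]], candidates: Iterable[str],
                         email: str, kdf_iterations: int, target_key_hash: str,
                         hash_iterations: int = 2, separator: str = " ") -> Optional[str]:
    """Try each candidate in the one slot marked None; return the full passphrase whose
    computed hash equals the keyHash copied from the client log, or None if none match."""
    slot = known_words.index(None)
    for candidate in candidates:
        words = list(known_words)
        words[slot] = candidate
        guess = separator.join(words)
        if master_password_hash(guess, email, kdf_iterations, hash_iterations) == target_key_hash:
            return guess
    return None


# Constructed demonstration data (not from the thread): TRUE_PASSPHRASE stands in for
# the password that was in use when the logged keyHash was written.
EMAIL = "user@example.com"
KDF_ITERATIONS = 100_000            # the old default value the poster saw in the log
TRUE_PASSPHRASE = "correct horse battery staple"
LOGGED_KEY_HASH = master_password_hash(TRUE_PASSPHRASE, EMAIL, KDF_ITERATIONS, hash_iterations=2)

KNOWN_WORDS = ["correct", "horse", None, "staple"]   # the third word is the uncertain one
CANDIDATES = ["batery", "battery", "cattery", "buttery", "battary"]


def demo() -> Optional[str]:
    """Run the recovery against the constructed log value with the 2-round local hash."""
    return recover_missing_word(KNOWN_WORDS, CANDIDATES, EMAIL, KDF_ITERATIONS, LOGGED_KEY_HASH)


if __name__ == "__main__":
    print("recovered:", demo())
    # The 1-round server hash never matches a post-June-2021 local keyHash, which is
    # why the post tells you to edit the tool's third pbkdf2 argument from 1 to 2.
    print("with 1 round:", recover_missing_word(KNOWN_WORDS, CANDIDATES, EMAIL,
                                                KDF_ITERATIONS, LOGGED_KEY_HASH,
                                                hash_iterations=1))
```

For a real attempt, replace EMAIL, KDF_ITERATIONS and LOGGED_KEY_HASH with the values from your own .log file and keep the candidate list offline; each guess costs a full kdfIterations-round PBKDF2, so a list of a few thousand candidates is still practical here, and anything larger is where Hashcat earns its keep.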

The keyHash value from the Chrome logs matched using that tool with my old password. I guess I’m out of luck. I appreciate all your help.

Going to see if support can at least tell me when my password was last changed (to rule out a very implausible theory), and at the very least see if it’s possible for them to roll my vault back to my old password, if they keep backups as somebody suggested.


Hey @ddejohn, I’ve been reviewing this one with the team and it sounds like this one is unrelated to the KDF change, but for official support you can follow up at https://bitwarden.com/contact/

As @bw-admin suggested, you should contact tech support to see if anything can be done, but I doubt they will be able to roll back your vault to an older version. Imagine that your master password is leaked and that you quickly change your master password to prevent anybody from accessing it using the leaked credentials. In such a scenario, it would be a security risk if there was a way for an attacker to have your vault restored to the old version (matching the master password that they are in possession of).

Additional info from the team; does this sound like the issue: [Android] When account it set to maximum 2,000,000 PBKDF iterations cannot log on · Issue #2295 · bitwarden/mobile · GitHub

Can you clarify you are/are not able to log in to the web vault?


I changed my KDF from 100k to 300k, so nowhere near that limit, and I am unable to log in to the web vault.

Can anybody maybe screenshot (if possible) the password changing process? I’m thinking I may have somehow managed to change my password, in which case I’m totally screwed. I’m wondering if I can remember what I saw the other night in the web vault (again I was going through the motions and wasn’t paying strict attention to what I was doing, so there’s a chance I walked all the way through a password change process without realizing, though I highly doubt it).

Correct, no way to see when/if I changed passwords, and no vault backups, per support.

Just before clicking Change master password:

When clicking the button, there is a brief animation of a circle of dots overlaid on the button (this may be very quick if your number of KDF iterations is low), then you are immediately kicked out to the login screen:

Note that the green box with the confirmation message remains visible only for a very short time (in fact, I had to repeat the password change process, because I was unable to grab a screenshot showing the confirmation message the first time that I did this).

An idea:

Perhaps you thought you were changing your KDF iterations, but by not paying attention, you actually changed your master password to be 300000 (or 300,000)? Try it, can’t hurt!


Okay, yeah, I didn’t think I was that oblivious. Doesn’t look like I changed my password unless there’s some other UI flow. Also, both 300000 and 300,000 would be invalid passwords, but thanks for the suggestion anyway.